Analysis
-
max time kernel: 190s
max time network: 222s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 05/12/2022, 09:18
Static task
static1
Behavioral task
behavioral1
Sample
d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Resource
win10v2004-20221111-en
General
-
Target: d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Size: 128KB
MD5: cd4e753034a975044e480b8428d30687
SHA1: 726a772f4cec923d28c920c161cea0d223adcf43
SHA256: d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2
SHA512: dffdc6c276a443e4b170d2e21ddcfe4c67c5eec6a8e9bc6dff35bb9c2f6605fe3678d71701de33aa5590612d9142d19398600a15287f034b39d02634e8df9629
SSDEEP: 3072:eDyjSDvi4wwDCXcsTlyrGn8Dq7E0zQL16Yirqn5zd32C:ktwwDMpErGnWq7E0zQL3i2n5zd
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | muayau.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Executes dropped EXE 1 IoCs
pid | Process
1796 | muayau.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Adds Run key to start application 2 TTPs 29 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /i" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /w" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /f" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /g" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /b" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /m" | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /q" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /h" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /e" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /p" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /m" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /z" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /s" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /c" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /o" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /n" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /l" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /a" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /k" | muayau.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /r" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /j" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /d" | muayau.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /u" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /y" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /t" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /v" | muayau.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /x" | muayau.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
pid | pid_target | Process | procid_target
3916 | 2936 | WerFault.exe | 66
5084 | 4176 | WerFault.exe | 86
4172 | 4176 | WerFault.exe | 86
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4176 | svchost.exe
2984 | svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4256 | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe (2 entries)
1796 | muayau.exe (remaining 62 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4256 | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
1796 | muayau.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4256 wrote to memory of 1796 | 4256 | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe | 89
PID 4256 wrote to memory of 1796 | 4256 | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe | 89
PID 4256 wrote to memory of 1796 | 4256 | d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe | 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe"
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Users\Admin\muayau.exe (tree depth 2)
Command line: "C:\Users\Admin\muayau.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1796
-
-
C:\Windows\system32\WerFault.exe (tree depth 1)
Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 2936 -ip 2936
PID:3052
-
C:\Windows\system32\WerFault.exe (tree depth 1)
Command line: C:\Windows\system32\WerFault.exe -u -p 2936 -s 1076
- Program crash
PID:3916
-
C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- Suspicious behavior: AddClipboardFormatListener
PID:4176 -
C:\Windows\system32\WerFault.exe (tree depth 2)
Command line: C:\Windows\system32\WerFault.exe -u -p 4176 -s 2032
- Program crash
PID:5084
-
-
C:\Windows\system32\WerFault.exe (tree depth 2)
Command line: C:\Windows\system32\WerFault.exe -u -p 4176 -s 1968
- Program crash
PID:4172
-
-
C:\Windows\system32\WerFault.exe (tree depth 1)
Command line: C:\Windows\system32\WerFault.exe -pss -s 468 -p 4176 -ip 4176
PID:4416
-
C:\Windows\system32\WerFault.exe (tree depth 1)
Command line: C:\Windows\system32\WerFault.exe -pss -s 472 -p 4176 -ip 4176
PID:2980
-
C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- Suspicious behavior: AddClipboardFormatListener
PID:2984
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 128KB
MD5: cad9adb2b63a606b060b78299dddf9bc
SHA1: 14d46a5f4a9c2d2456cea95175c5834dfdd565ac
SHA256: c2331e6486e00a35a5994d544dba96605288870dd346bdd8f64e87932fdc503c
SHA512: 01b25e80e83b1b8a2de22881cc131712632994de082d4796a3c043ba698ad4c8a78007b95f022ddb49b8c1fff68c8efe7de0daa6b92d25cf86cfb4beb440384e