Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    190s
  • max time network
    222s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 09:18

General

  • Target

    d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe

  • Size

    128KB

  • MD5

    cd4e753034a975044e480b8428d30687

  • SHA1

    726a772f4cec923d28c920c161cea0d223adcf43

  • SHA256

    d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2

  • SHA512

    dffdc6c276a443e4b170d2e21ddcfe4c67c5eec6a8e9bc6dff35bb9c2f6605fe3678d71701de33aa5590612d9142d19398600a15287f034b39d02634e8df9629

  • SSDEEP

    3072:eDyjSDvi4wwDCXcsTlyrGn8Dq7E0zQL16Yirqn5zd32C:ktwwDMpErGnWq7E0zQL3i2n5zd

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
    "C:\Users\Admin\AppData\Local\Temp\d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\muayau.exe
      "C:\Users\Admin\muayau.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1796
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 408 -p 2936 -ip 2936
    1⤵
      PID:3052
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2936 -s 1076
      1⤵
      • Program crash
      PID:3916
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      PID:4176
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4176 -s 2032
        2⤵
        • Program crash
        PID:5084
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4176 -s 1968
        2⤵
        • Program crash
        PID:4172
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 468 -p 4176 -ip 4176
      1⤵
        PID:4416
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 472 -p 4176 -ip 4176
        1⤵
          PID:2980
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
          1⤵
          • Suspicious behavior: AddClipboardFormatListener
          PID:2984

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\muayau.exe

          Filesize

          128KB

          MD5

          cad9adb2b63a606b060b78299dddf9bc

          SHA1

          14d46a5f4a9c2d2456cea95175c5834dfdd565ac

          SHA256

          c2331e6486e00a35a5994d544dba96605288870dd346bdd8f64e87932fdc503c

          SHA512

          01b25e80e83b1b8a2de22881cc131712632994de082d4796a3c043ba698ad4c8a78007b95f022ddb49b8c1fff68c8efe7de0daa6b92d25cf86cfb4beb440384e

        • C:\Users\Admin\muayau.exe

          Filesize

          128KB

          MD5

          cad9adb2b63a606b060b78299dddf9bc

          SHA1

          14d46a5f4a9c2d2456cea95175c5834dfdd565ac

          SHA256

          c2331e6486e00a35a5994d544dba96605288870dd346bdd8f64e87932fdc503c

          SHA512

          01b25e80e83b1b8a2de22881cc131712632994de082d4796a3c043ba698ad4c8a78007b95f022ddb49b8c1fff68c8efe7de0daa6b92d25cf86cfb4beb440384e

        • memory/1796-141-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

        • memory/4256-134-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

        • memory/4256-135-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB