Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05/12/2022, 10:12
Static task
static1
Behavioral task
behavioral1
Sample
c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe
-
Size
244KB
-
MD5
e437fd9e347d5c57c58f9f01ef12dbaf
-
SHA1
ba857edce2202d47451ca40784099e4d99f61aa7
-
SHA256
c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4
-
SHA512
c33d5c595848b9824bac52b98f2d90334d0b0a02020c793e2bd2e97f2683cc0a427e5fc8887b966876ef88a69d52ea0ad81fd87513bc067f0675707b3274732c
-
SSDEEP
3072:7hPBdfsROnFQpQnO5yIuSP9lqVinU3bp/PTm2moJ6BwA+GABMndgSq6u:7hJdLO7PnqVinU3bw2moJ6WAdgBH
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" veuwai.exe -
Executes dropped EXE 1 IoCs
pid Process 4200 veuwai.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe -
Adds Run key to start application 2 TTPs 29 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /o" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /y" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /r" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /j" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /d" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /z" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /u" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /c" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /q" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /x" veuwai.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /p" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /t" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /m" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /e" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /s" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /n" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /l" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /i" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /w" c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /v" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /k" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /h" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /g" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /a" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /b" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /w" veuwai.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veuwai = "C:\\Users\\Admin\\veuwai.exe /f" veuwai.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1120 c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe 1120 c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe 4200 veuwai.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1120 c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe 4200 veuwai.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1120 wrote to memory of 4200 1120 c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe 82 PID 1120 wrote to memory of 4200 1120 c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe 82 PID 1120 wrote to memory of 4200 1120 c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe"C:\Users\Admin\AppData\Local\Temp\c6272186199753b42287d738ebd92c607b7afc1896492b54d6b7d6b845e05fe4.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Users\Admin\veuwai.exe"C:\Users\Admin\veuwai.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4200
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
244KB
MD52bf840b35ecb8a771723b2082835a558
SHA107dae3cc29df6e8cd23e188e5a8bc6df3922fd14
SHA2561b618bdcf1056cfda16239b1ca601448569a737146f63716cdb8cb54ae3bdad8
SHA512e8dce6b532a60a353b53c200ee306c29db3bae6328204fdd6933b95dc3201a7725b4c62ca6777a23d574b53375a78f79315bccf7beb4e5505a7b90cb34550614
-
Filesize
244KB
MD52bf840b35ecb8a771723b2082835a558
SHA107dae3cc29df6e8cd23e188e5a8bc6df3922fd14
SHA2561b618bdcf1056cfda16239b1ca601448569a737146f63716cdb8cb54ae3bdad8
SHA512e8dce6b532a60a353b53c200ee306c29db3bae6328204fdd6933b95dc3201a7725b4c62ca6777a23d574b53375a78f79315bccf7beb4e5505a7b90cb34550614