Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    353s
  • max time network
    313s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 10:20

General

  • Target

    9f2507a35bc333af0c329ffc75dbb63fe4406ecd33058bf761f2b35f3657e113.exe

  • Size

    200KB

  • MD5

    41ac0dc2820fd7f7ac9b4abbdd4ae2c6

  • SHA1

    2686875dcccaa118b566612fd9e581350ddbf5a9

  • SHA256

    9f2507a35bc333af0c329ffc75dbb63fe4406ecd33058bf761f2b35f3657e113

  • SHA512

    e678614489f66a1535055e1e71ab2f25857a18407d1f7ad8841852068af98698576e3f2fcb33007b624b5e29c97baf4b75e8227ff315a406900ca990ba1358b9

  • SSDEEP

    6144:W8u5j7Knvmb7/D26rfo9Am26fBXMZ8R3FXjrCTYTQdq4qJUGQBSpYCbw6I:ju5j7Knvmb7/D26zZ8R3FXjrC8T8q4q+

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f2507a35bc333af0c329ffc75dbb63fe4406ecd33058bf761f2b35f3657e113.exe
    "C:\Users\Admin\AppData\Local\Temp\9f2507a35bc333af0c329ffc75dbb63fe4406ecd33058bf761f2b35f3657e113.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\cuaap.exe
      "C:\Users\Admin\cuaap.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4736

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\cuaap.exe

    Filesize

    200KB

    MD5

    2e6a36486cdfc266ec2fe0d976063117

    SHA1

    fb916aac6495b6e18ac065766c6674af53787a53

    SHA256

    0b32c3cbd4632f2ae76f93bbf4ec9db03f0283a42af6fed5d56be7d1c26d49b2

    SHA512

    123d881d9b0ae47ec24cebd9826eb8b2fe51741a51e796f96f16464781b0e4607acb9f66b6128ea8a6f7d3617cee9a656085227df31624b37695a5ecfcf82fb2

  • C:\Users\Admin\cuaap.exe

    Filesize

    200KB

    MD5

    2e6a36486cdfc266ec2fe0d976063117

    SHA1

    fb916aac6495b6e18ac065766c6674af53787a53

    SHA256

    0b32c3cbd4632f2ae76f93bbf4ec9db03f0283a42af6fed5d56be7d1c26d49b2

    SHA512

    123d881d9b0ae47ec24cebd9826eb8b2fe51741a51e796f96f16464781b0e4607acb9f66b6128ea8a6f7d3617cee9a656085227df31624b37695a5ecfcf82fb2