Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 10:25
Static task
static1
Behavioral task
behavioral1
Sample
6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe
Resource
win7-20221111-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe
-
Size
320KB
-
MD5
3ce067bc36bbde6cb6c098cb8baf3a90
-
SHA1
c453d26a69ad6e0f831c952b0653abc7caf24e81
-
SHA256
6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b
-
SHA512
6e19e6730d91e09d5bc5c0a493785042c70490baef311e53164d52d2d3fc32d40a983601ee2c7399e964650af753bd46b725bec9ab7bdeac438c86f17166da63
-
SSDEEP
6144:tD+xPxlsG6i1xJ66onJGr+qyVztumGS5Ni3hpgoMKMphaeVf2B71uy:tMPjsG6iH6JGr+qyVztumGS5YqoyU71x
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" puauguh.exe -
Executes dropped EXE 1 IoCs
pid Process 2128 puauguh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe -
Adds Run key to start application 2 TTPs 50 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /Q" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /z" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /P" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /n" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /p" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /a" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /R" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /b" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /f" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /k" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /O" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /i" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /e" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /E" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /N" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /o" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /T" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /t" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /M" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /K" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /l" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /y" puauguh.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /Y" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /g" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /U" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /j" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /G" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /B" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /V" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /r" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /d" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /W" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /C" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /h" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /n" 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /w" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /F" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /s" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /X" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /D" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /J" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /A" puauguh.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /Z" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /v" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /c" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /L" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /I" puauguh.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puauguh = "C:\\Users\\Admin\\puauguh.exe /m" puauguh.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2996 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe 2996 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe 2128 puauguh.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2996 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe 2128 puauguh.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2996 wrote to memory of 2128 2996 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe 88 PID 2996 wrote to memory of 2128 2996 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe 88 PID 2996 wrote to memory of 2128 2996 6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe"C:\Users\Admin\AppData\Local\Temp\6c7fa479aef712ab09fcca4ae8cf786ab48004cf6cba963d465a7be929af538b.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Users\Admin\puauguh.exe"C:\Users\Admin\puauguh.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2128
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
320KB
MD5f9924bb245756b73d50cd83abece53bf
SHA17bbaad1841b70e2e3a3f72cf68c8daf3f9b734d4
SHA256f46a5c361c5868048b1a50546d4e1c3adc60e00c5b48e96df689c0698f432343
SHA512a2d1b725b99763190d8687a2fde9f0d8c469b9a5e46aa8935d4420e4fc9698534b7130364eb205ca2ca078556dc66a02c948157cb540ef447b0d085ae5590a0c
-
Filesize
320KB
MD5f9924bb245756b73d50cd83abece53bf
SHA17bbaad1841b70e2e3a3f72cf68c8daf3f9b734d4
SHA256f46a5c361c5868048b1a50546d4e1c3adc60e00c5b48e96df689c0698f432343
SHA512a2d1b725b99763190d8687a2fde9f0d8c469b9a5e46aa8935d4420e4fc9698534b7130364eb205ca2ca078556dc66a02c948157cb540ef447b0d085ae5590a0c