Analysis

  • max time kernel
    171s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2022, 02:41

General

  • Target

    803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe

  • Size

    200KB

  • MD5

    138cb66ce783d31d377b47f8b8e48441

  • SHA1

    95176afca9fa70f41ffae1ca3f1c7b147d659cf3

  • SHA256

    803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be

  • SHA512

    a0fafa2b3e11665956a4292783b8c693ca576e579bb754f344e60e03594f613e14301bae15e4f961c89d0389a6e320cebd9750cb695b360eedaffe99d16ce988

  • SSDEEP

    3072:UTtcstTstk/pSBAFtbCduLCADMcgg7keGdJu:8tcATstk/pp2ADMVCwJ

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 48 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe
    "C:\Users\Admin\AppData\Local\Temp\803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\foiozo.exe
      "C:\Users\Admin\foiozo.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3740

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\foiozo.exe

    Filesize

    200KB

    MD5

    7f6280c0bd94d4a3ac96d5754f020c68

    SHA1

    9c3e2f6e43034ffe3ac67f4c0ab987f03de49e25

    SHA256

    1c4e044ae4909e334244cac645970d03e83a56a1deb001eb919d6ee756407684

    SHA512

    f3d010959ba7de6f08b937091ebdc3714e50dfe1a09b19ae1cfb20d9d3ab6790e5ad27ee97e9e48ee349c3deaaa33f398b12116996f95eb6a9219004fc1f3ba2
