Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    205s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/12/2022, 03:01

General

  • Target

    2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe

  • Size

    260KB

  • MD5

    7483037e651bef9fbeb06a0523863d10

  • SHA1

    35974cdf6f83443b3af4e2b96f9d89f3de378734

  • SHA256

    2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac

  • SHA512

    2246e2acfd03b864e3f1612a53bd33be39c1ab08afce3cf7464868c582754b59acc341f25bea67cd6bf9ce0bc62934444c4472b3ca87792486be97be2bf94e04

  • SSDEEP

    3072:lgfAlNxvh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGVc:ld4gTSrMaIl/jcLijfHFEHWzXvjT85R

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe
    "C:\Users\Admin\AppData\Local\Temp\2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Users\Admin\wiera.exe
      "C:\Users\Admin\wiera.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3696

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\wiera.exe

    Filesize

    260KB

    MD5

    d1b7fee76ef13ade7659e378a3045a86

    SHA1

    5ab17cf23f693c2bc768841876e61959f758ecaa

    SHA256

    25bc7db20db3a5211605d83cb91c01cc7674f0bcf2822797d38bf90f8ae37d96

    SHA512

    c12bef905cb956896ab647712b1d76740861a50d3f8374e67dd6e26d5e2759d07be01754f64b7ca9bafdb1e130d56ac971551eeeae85f39f9f88371a1001b5c5

  • C:\Users\Admin\wiera.exe

    Filesize

    260KB

    MD5

    d1b7fee76ef13ade7659e378a3045a86

    SHA1

    5ab17cf23f693c2bc768841876e61959f758ecaa

    SHA256

    25bc7db20db3a5211605d83cb91c01cc7674f0bcf2822797d38bf90f8ae37d96

    SHA512

    c12bef905cb956896ab647712b1d76740861a50d3f8374e67dd6e26d5e2759d07be01754f64b7ca9bafdb1e130d56ac971551eeeae85f39f9f88371a1001b5c5