Analysis
max time kernel: 205s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/12/2022, 03:01
Static task: static1
Behavioral task: behavioral1
  Sample: 2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2 (the run shown on this page)
  Sample: 2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe
  Resource: win10v2004-20221111-en
General
Target: 2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe
Size: 260KB
MD5: 7483037e651bef9fbeb06a0523863d10
SHA1: 35974cdf6f83443b3af4e2b96f9d89f3de378734
SHA256: 2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac
SHA512: 2246e2acfd03b864e3f1612a53bd33be39c1ab08afce3cf7464868c582754b59acc341f25bea67cd6bf9ce0bc62934444c4472b3ca87792486be97be2bf94e04
SSDEEP: 3072:lgfAlNxvh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGVc:ld4gTSrMaIl/jcLijfHFEHWzXvjT85R
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Set value (int)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by wiera.exe
ShowSuperHidden is the Explorer setting for "Hide protected operating system files"; forcing it to 0 keeps files carrying the hidden+system attributes out of the Explorer listing, so a payload marked that way stays invisible to the user.
Executes dropped EXE (1 IoC)
PID 3696  wiera.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  by 2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
Process for all 53 entries: wiera.exe
Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\
Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiera = "C:\\Users\\Admin\\wiera.exe /<switch>"
The same Run value was written 52 times, each time with a different single-letter switch, in this order (the Key created entry sits between /x and /F):
/V /i /p /r /K /x /F /s /u /e /I /g /M /m /S /z /b /P /y /a /q /f /l /j /G /D /h /R /O /d /E /n /H /L /T /C /A /Y /Z /Q /w /W /B /t /v /c /o /N /X /J /U /k
That is every letter of the alphabet once in upper case and once in lower case. Only the last write (/k) survives in the registry, and the switch letter is not a stable indicator; hunt on the value name "wiera" and on an autostart whose target sits directly in a user-profile root (C:\Users\<user>\wiera.exe) instead.
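As an added example (this is not tria.ge code or output), the detection logic a responder would run over registry-event lines to flag the three registry behaviours recorded above: an autostart value pointing at an executable dropped directly in a user-profile root and rewritten with a different switch each time, ShowSuperHidden forced to 0, and the Geo\Nation read. The registry paths and values are taken from this report; the pipe-delimited event layout, the constructed sample lines (including a benign Run entry as a control) and the ATT&CK technique IDs are my assumptions, not the report's.

```python
"""Flag the registry behaviours attributed to wiera.exe in registry-event lines.

Added example, not tria.ge code. Event layout 'op|path|data|process' is an
assumption; the report's JSON-escaped "C:\\\\Users\\\\Admin\\\\wiera.exe" is
written here with single backslashes.
"""
import re
from collections import defaultdict

HKCU = r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000"
RUN = HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PARENT = "2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe"

# Constructed sample events mirroring the report's "description / ioc / Process"
# rows (three of the 52 Run writes are enough to show the rewrite pattern).
SAMPLE_EVENTS = "\n".join([
    f"Key value queried|{HKCU}\\Control Panel\\International\\Geo\\Nation||{PARENT}",
    f"Key created|{RUN}\\||wiera.exe",
    f"Set value (str)|{RUN}\\wiera|C:\\Users\\Admin\\wiera.exe /V|wiera.exe",
    f"Set value (str)|{RUN}\\wiera|C:\\Users\\Admin\\wiera.exe /i|wiera.exe",
    f"Set value (str)|{RUN}\\wiera|C:\\Users\\Admin\\wiera.exe /k|wiera.exe",
    f"Set value (int)|{HKCU}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden|0|wiera.exe",
    # Benign control (assumed): a machine-wide Run value pointing into Program Files must not fire.
    "Set value (str)|\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
    "|C:\\Program Files\\Windows Defender\\MSASCuiL.exe|explorer.exe",
])

# A value directly under ...\CurrentVersion\Run (HKCU or HKLM).
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# An executable sitting directly in a user-profile root, optionally with arguments.
USER_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\users\\[^\\]+\\[^\\]+\.exe"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)


def parse_events(text):
    """Split 'op|path|data|process' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        op, path, data, process = line.split("|", 3)
        events.append({"op": op, "path": path, "data": data, "process": process})
    return events


def analyze(events):
    """Return (technique, process, detail) findings.

    Technique IDs are the editor's ATT&CK mapping, not taken from the report.
    """
    findings = []
    run_writes = defaultdict(list)  # (process, value path) -> argument strings seen

    for e in events:
        op, path, data, proc = e["op"], e["path"], e["data"], e["process"]
        low = path.lower()
        if op.startswith("Set value") and RUN_VALUE.search(path):
            m = USER_ROOT_EXE.match(data)
            if m:  # autostart target lives in C:\Users\<user>\ itself
                run_writes[(proc, path)].append(m.group("args") or "")
        elif (op.startswith("Set value")
              and low.endswith(r"\explorer\advanced\showsuperhidden")
              and data.strip('"') == "0"):
            findings.append(("T1564.001", proc,
                             "ShowSuperHidden=0: Explorer will hide protected OS files"))
        elif "queried" in op.lower() and low.endswith(r"\control panel\international\geo\nation"):
            findings.append(("T1614", proc,
                             "reads Geo\\Nation (country code), consistent with a geofence check"))

    # Report each suspicious Run value once, with how often it was rewritten and
    # which switches were used; the varying switch is itself a signal.
    for (proc, path), args in run_writes.items():
        name = path.rsplit("\\", 1)[-1]
        findings.append(("T1547.001", proc,
                         f"Run value '{name}' -> exe in user-profile root; "
                         f"rewritten {len(args)}x with switches {sorted(set(args))}"))
    return findings


def technique_ids(findings):
    """Distinct technique IDs present in the findings, sorted."""
    return sorted({t for t, _, _ in findings})


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(*f, sep="  ")
```

The control line shows why the Run check keys on the target's location rather than on the Run key alone: legitimate autostarts under Program Files pass through untouched, while a Run value whose target is an executable in the profile root, rewritten with a changing switch, is reported once with the rewrite count.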
Enumerates physical storage devices (1 TTP, no IoCs recorded)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 3696  wiera.exe  (all 64 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
PID 4244  2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe
PID 3696  wiera.exe
Suspicious use of WriteProcessMemory (3 IoCs)
PID 4244 (2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe) wrote to memory of PID 3696, procid_target 81, three times.
All three writes go from the parent into the child it has just created, which is what process creation itself does when the parent fills in the new process's startup parameters; on their own they are not evidence of code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2b116a2336c43f15d42b5bf3ec65e3e27332d48a71517564ab45e536874edaac.exe"
   PID: 4244
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\wiera.exe (child of PID 4244)
      command line: "C:\Users\Admin\wiera.exe"
      PID: 3696
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 260KB (the same size as the submitted sample, with different hashes)
MD5: d1b7fee76ef13ade7659e378a3045a86
SHA1: 5ab17cf23f693c2bc768841876e61959f758ecaa
SHA256: 25bc7db20db3a5211605d83cb91c01cc7674f0bcf2822797d38bf90f8ae37d96
SHA512: c12bef905cb956896ab647712b1d76740861a50d3f8374e67dd6e26d5e2759d07be01754f64b7ca9bafdb1e130d56ac971551eeeae85f39f9f88371a1001b5c5
(The report lists this file twice with identical hashes.)