Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2023, 13:39

General

  • Target

    a93f49cdecf6e3a1002286682f19a3a5.exe

  • Size

    60KB

  • MD5

    a93f49cdecf6e3a1002286682f19a3a5

  • SHA1

    fa4f4e951a27cb3ce178a09214c9be71d63519fb

  • SHA256

    fbe71273f4f34f65257a80646574b6951d3566799ffe2531353c0bb01a9a79a6

  • SHA512

    1639fab5d3a2a2296c9310d7ed00652f1073f59da332ff2371ad67870cccbf9e9cd3844c4cb4296cde5fba3bda6eaa9387b8e66ba3d9fdaff2b1d04e5a2c7523

  • SSDEEP

    768:hXSmpnBmNVpmkeu76+9A/v/bVlbdfs3OfKDHGIHY56W7:hXSNp+u76y43wY56W7

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a93f49cdecf6e3a1002286682f19a3a5.exe
    "C:\Users\Admin\AppData\Local\Temp\a93f49cdecf6e3a1002286682f19a3a5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\vauwa.exe
      "C:\Users\Admin\vauwa.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\vauwa.exe

    Filesize

    60KB

    MD5

    a7fc9563b6e2ecb7b467e542fe22f456

    SHA1

    d4f2ae00225ce394e31fe1e7e406edc2b82bad5b

    SHA256

    e34a88dcf8335a7f18188c5e0ef852c3e63b0798fea814603c833fc77b700ac9

    SHA512

    6b484800d8776912b2100621ff3f26dd1c07095d0de2162727dc7cb50b51ffb5ba02744d252da2886771bb87054d7064c6138bd78e52cf18df73407087cb2fa4