Analysis
max time kernel: 63s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
  Resource: win10v2004-20231215-en
General
Target: 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
Size: 156KB
MD5: 4c21173ffd09f0d9b4ee2f1ecde02fbe
SHA1: 232043f5a130c8e06d5d410446bc8250cec7ad3a
SHA256: 37c309446f0d20c260dca6767a84fb25e9d93a0488ef5d0505a438f09c8e121b
SHA512: 741d93d47cd51453e3278925637647a00b0f3372859f1260328603658c0741482c63d47de99babe29b0375b896e89a64f5214fb6bd473703a8c5dbcc29fa539f
SSDEEP: 3072:NsTe4Vcx8jeFvB0Z/I8xSFJKxr2CrIL3NoF0:KmIcvqVuJyr2CML3+i
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yauojeg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
Executes dropped EXE (1 IoC)
pid | Process
2180 | yauojeg.exe
Loads dropped DLL (2 IoCs)
pid | Process
1652 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
1652 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
Adds Run key to start application (2 TTPs, 26 IoCs)
All 26 entries are Set value (str) on the same key, \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\yauojeg; only the command-line switch in the value and the writing process vary:
value | Process
"C:\\Users\\Admin\\yauojeg.exe /q" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /j" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /v" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /c" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /n" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /o" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /d" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /m" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /x" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /x" | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
"C:\\Users\\Admin\\yauojeg.exe /y" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /s" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /l" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /g" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /r" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /a" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /f" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /z" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /t" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /w" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /k" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /h" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /p" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /i" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /e" | yauojeg.exe
"C:\\Users\\Admin\\yauojeg.exe /u" | yauojeg.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
1652 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe | 1
2180 | yauojeg.exe | 63
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1652 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
2180 | yauojeg.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1652 wrote to memory of 2180 | 1652 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe | 28
PID 1652 wrote to memory of 2180 | 1652 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe | 28
PID 1652 wrote to memory of 2180 | 1652 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe | 28
PID 1652 wrote to memory of 2180 | 1652 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe | 28
Processes

C:\Users\Admin\AppData\Local\Temp\4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c21173ffd09f0d9b4ee2f1ecde02fbe.exe"
  PID: 1652
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\yauojeg.exe
      Command line: "C:\Users\Admin\yauojeg.exe"
      PID: 2180 (child of 1652)
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Downloads

File 1
Filesize: 156KB
MD5: c01e274f6e3dace465e5b5d1ce45a3dc
SHA1: 71e06d2c8b81b5121686c9ceff4d7c22925022aa
SHA256: 0fc33e183cd7237b1e83afe46cd5cf244b55c039c6ee2c534f7a3c4dc8f6df9e
SHA512: 6d3bdaacaef1cc69f7b2830efd0fe04a151c6aa326341271b6caf1094332dd693c64a7775ddb01509e1fcb73253ae3e7276873c49c4f2c56f9b9959f756ca160

File 2
Filesize: 93KB
MD5: 6e9cd288dd3fcd9882ead3bcd2a55947
SHA1: d37b74c2b89f709e983d2b2ebbcf92474d4940e3
SHA256: f7bf6bf3782b314efe404394308a38c9b975339fc6112f2f5768175645c15bb6
SHA512: f2e8a6b2ea55af0e4e4eb1828da1ce6d49ab0355bfddaec4c57cb9a5480eb8b629faa7ddfec36aea7043c7ab7144b110cbe1ef0fe84d9b84ed0110fea3f2458d