Analysis
- max time kernel: 69s
- max time network: 92s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 14:20
Static task: static1

Behavioral task: behavioral1
- Sample: 7529babe2d26fe59fdad435594befd91.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 7529babe2d26fe59fdad435594befd91.exe
- Resource: win10v2004-20231222-en
General
- Target: 7529babe2d26fe59fdad435594befd91.exe
- Size: 48KB
- MD5: 7529babe2d26fe59fdad435594befd91
- SHA1: c1c5e1b70ba94ee4a8e7f365c80dfd8abe297250
- SHA256: 4ffb4c60ef8649fdb11e0ed86fab9df6e6b34ea1e86417aca1eb9e5ae7f61464
- SHA512: fab659ca1a11182434d60c2a2b4b98002312a05bae1b1bf4290b69c771cfddc23f259489ce19bbd047795918606bb2d0afaa67ffa613b2ee86669be4713e623c
- SSDEEP: 768:26NEhmqg90TiUv+6wH9H7MfygXaDMFQXD7e:26amLDC6NNDsQXD7
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xoausud.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 7529babe2d26fe59fdad435594befd91.exe

Executes dropped EXE (1 IoC)
pid | Process
4196 | xoausud.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xoausud = "C:\\Users\\Admin\\xoausud.exe" | xoausud.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4196 | xoausud.exe (this same entry is listed 64 times)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4488 | 7529babe2d26fe59fdad435594befd91.exe
4196 | xoausud.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4488 wrote to memory of 4196 | 4488 | 7529babe2d26fe59fdad435594befd91.exe | 94 (listed 3 times)
PID 4196 wrote to memory of 4488 | 4196 | xoausud.exe | 79 (listed for each of the remaining 61 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\7529babe2d26fe59fdad435594befd91.exe (nesting level 1, PID 4488)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7529babe2d26fe59fdad435594befd91.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\xoausud.exe (nesting level 2, PID 4196)
    Command line: "C:\Users\Admin\xoausud.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 48KB
- MD5: c0b2f7d74f7ace568efc652c59959445
- SHA1: 6114e69f0b2da08ad0cf1e5bd93166885816acd8
- SHA256: aa765366dbf7ed1435c91eb0b24c8dc82eea8825a768adaa696ba56df9e13c27
- SHA512: 32be4502a698df4ba52baeaadeb9d674f3516be08e19af9c0483021c879c00853f6cae623f21cd3bfe3c0a1eb641103e9ab48bc66c7be0bb7d0a0360c82745a4