Analysis
max time kernel: 161s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 30/12/2023, 17:23
Static task
static1
Behavioral task
behavioral1
Sample
01ab435feaef006adef71503c8c45186.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
01ab435feaef006adef71503c8c45186.exe
Resource
win10v2004-20231215-en
General
Target: 01ab435feaef006adef71503c8c45186.exe
Size: 48KB
MD5: 01ab435feaef006adef71503c8c45186
SHA1: b8323754af1f8c640046b058760aac1f9f72d937
SHA256: b506504cfe3cc382536afd2fe8418e665a823ac5f084ffca6c2c7730c565cfd6
SHA512: 3abd6ff3798710dced1b60ae152adfa8fbf2616f1c681caea823df80dbf95f03ac9b06b5d0bcaa688a614c14a7814beb06f960eff1b9e5fa0b2e3bf5f33b87a8
SSDEEP: 768:xJNEhmygKOyEv+6wH9H7MfygXaDMFQXD7e:xJamgOh6NNDsQXD7
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process: cuebud.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Process: 01ab435feaef006adef71503c8c45186.exe
Executes dropped EXE (1 IoC)
pid: 1892, Process: cuebud.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuebud = "C:\\Users\\Admin\\cuebud.exe"
Process: cuebud.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 1892, Process: cuebud.exe (the same entry is repeated for all 64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid: 4464, Process: 01ab435feaef006adef71503c8c45186.exe
pid: 1892, Process: cuebud.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target:
PID 4464 wrote to memory of 1892 / 4464 / 01ab435feaef006adef71503c8c45186.exe / 95 (3 entries)
PID 1892 wrote to memory of 4464 / 1892 / cuebud.exe / 89 (all remaining entries)
Processes
C:\Users\Admin\AppData\Local\Temp\01ab435feaef006adef71503c8c45186.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\01ab435feaef006adef71503c8c45186.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4464
  C:\Users\Admin\cuebud.exe (depth 2, child of PID 4464)
  Command line: "C:\Users\Admin\cuebud.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1892
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 48KB
MD5: fa984bd872b7bf0748e6db52ba75d6d2
SHA1: 2700755edeb8387c5d0c828b1a86cf2bb5c76cd5
SHA256: d2a12b951e84f5b2093445aea9effebeddce4e1a6c6a84383f5fb760245872c2
SHA512: 997cdfc290d70c400ad0b91deae7a90a2356fb5c45e2baa7142907110e86e74741ae963f0730b6a01f5f1233aac67b2c99fb7eacafb938dcab0e249f6e573137