Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    31/12/2023, 00:13

General

  • Target

    2140b3395f2483e1df158c19b252ad17.exe

  • Size

    252KB

  • MD5

    2140b3395f2483e1df158c19b252ad17

  • SHA1

    d12c788829e0b0c7d13e9eb87ee4866e24f697c7

  • SHA256

    2f7c92580277a9430d2633a8a95aa11382ea07500a356934e3b76d4f5f6581c0

  • SHA512

    6edd950cf6bd6cce037876da15012dc62a0f0158d431c767456a64a52a4ceabe4899d09b4e5a9152d5743a176a5733b83d61c7157d7c2b5057dcfd39f2ccdb88

  • SSDEEP

    6144:WUxi2d1wlx34Z4mwD5eQpYgYV29G6McRgcVXOa/0udzUZZQMQCQQyA8lohYewTEN:Nic4eQpYgWMGYlViQQyBlohHwTE+70/t

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2140b3395f2483e1df158c19b252ad17.exe
    "C:\Users\Admin\AppData\Local\Temp\2140b3395f2483e1df158c19b252ad17.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Users\Admin\waiwiu.exe
      "C:\Users\Admin\waiwiu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3408
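
A host-triage script for the indicators in this report, added here as an example; it is not part of the tria.ge report and does not reproduce the sample's behaviour. It assumes a PowerShell 5+ session on the Windows host being checked, generalizes the sandbox's C:\Users\Admin to every profile root, and uses the SHA256 values listed for the sample and for waiwiu.exe in the Downloads section (the same path is reported twice with different sizes and hashes, so both are included). The Run-key pattern and the Explorer visibility thresholds are the author's own choices, not values taken from the report.

```powershell
# Added host-triage script (not part of the tria.ge report). It checks a Windows
# host for the persistence and file indicators listed in this report:
#   - an .exe dropped directly in a user profile root (waiwiu.exe in the sandbox)
#   - Run-key entries pointing at waiwiu.exe or at an .exe in a user profile root
#   - Explorer settings that hide hidden/system files (Hidden=2, ShowSuperHidden=0)
# Run it as the user being inspected, or from an elevated prompt for HKLM coverage.

# SHA256 values taken from this report's General and Downloads sections.
$reportedSha256 = @(
    '2f7c92580277a9430d2633a8a95aa11382ea07500a356934e3b76d4f5f6581c0',  # original sample, 252KB
    'aa13589220aad23c6c0102df2889b2fe0a3414d5e29bc5a64825a26a25b59d80',  # waiwiu.exe, 131KB
    'a6045b84d06bfbc3e4255dcbdbcacee1c19b35d20ebceb31881411b9bb77449c'   # waiwiu.exe, 252KB
)

$findings = @()

# 1. Hash every .exe sitting directly in a user profile root (where waiwiu.exe was dropped).
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($exe in Get-ChildItem -Path $profile.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash.ToLower()
        if ($reportedSha256 -contains $hash) { $status = 'MATCH_REPORTED_HASH' } else { $status = 'REVIEW' }
        $findings += [pscustomobject]@{
            Check  = 'ProfileRootExe'
            Detail = "$($exe.FullName) sha256=$hash"
            Status = $status
        }
    }
}

# 2. Run keys: flag any value that references waiwiu.exe or an .exe directly under C:\Users\<name>\.
#    The path pattern is the author's heuristic; AppData and Program Files paths are not matched.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath/... metadata
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)waiwiu\.exe' -or $cmd -match '(?i)^"?C:\\Users\\[^\\"]+\\[^\\"]+\.exe') {
            $findings += [pscustomobject]@{
                Check  = 'RunKey'
                Detail = "$key\$($p.Name) = $cmd"
                Status = 'SUSPICIOUS'
            }
        }
    }
}

# 3. Explorer hidden/system file visibility. Hidden=2 and ShowSuperHidden=0 are also the
#    Windows defaults, so this finding only matters alongside the file or Run-key hits above.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path $adv) {
    $v = Get-ItemProperty -Path $adv
    if ($v.Hidden -eq 2 -or $v.ShowSuperHidden -eq 0) { $status = 'HIDES_FILES' } else { $status = 'OK' }
    $findings += [pscustomobject]@{
        Check  = 'ExplorerVisibility'
        Detail = "Hidden=$($v.Hidden) ShowSuperHidden=$($v.ShowSuperHidden)"
        Status = $status
    }
}

$findings | Format-Table -AutoSize
```

Treat a MATCH_REPORTED_HASH or SUSPICIOUS row as confirmation; a REVIEW row for an unknown .exe in a profile root is worth hashing against your own intel, since the report already shows the dropped file being written with two different hashes under the same name.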

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\waiwiu.exe

    Filesize

    131KB

    MD5

    4f6bd9cc36992a33294f7f346e1d04c2

    SHA1

    11e88c21a0612f12e9f487bd547a9b369b168a6f

    SHA256

    aa13589220aad23c6c0102df2889b2fe0a3414d5e29bc5a64825a26a25b59d80

    SHA512

    8cb988cb6ceb0b54ca886d8350716d0782a21ed5bba574d76f42598fb7a4b226e8fcea4b74a7cec7fbb720ecec25a5bf080c51dd7593190f6674a44d5539e9d1

  • C:\Users\Admin\waiwiu.exe

    Filesize

    252KB

    MD5

    5b5038b3653e5756cf11f81bd0575dad

    SHA1

    f62c36853d41ee5be5c0f3a46857a0c99ad4838f

    SHA256

    a6045b84d06bfbc3e4255dcbdbcacee1c19b35d20ebceb31881411b9bb77449c

    SHA512

    80401aa5fd763beb6997ea3d65091964c9dd911655005d53560b2233a5514e3c40f1184e2b9b8ef61aa9a849a6919373ed1b7c341889fd27cf51148c8fb25652