Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/01/2024, 10:28

Static task: static1

Behavioral task: behavioral1
- Sample: 3c52f11c85d435cd9524e69108e2c0aa.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 3c52f11c85d435cd9524e69108e2c0aa.exe
- Resource: win10v2004-20231215-en
General
- Target: 3c52f11c85d435cd9524e69108e2c0aa.exe
- Size: 204KB
- MD5: 3c52f11c85d435cd9524e69108e2c0aa
- SHA1: a6ae49b54f17477341438226651b140db0224ddd
- SHA256: 3f09d8d557df70884689de44ca9ce291d8d037e0136e2be3ea7a236cd52d339f
- SHA512: 0eccb09d52f738834eb0236b2cd0ea4a417d083fccbc694d9188643955ff0ce40387ca7a25af17130fcc15d1e5ab407ddf9a33d9ef8317d9c1dd22628c83998d
- SSDEEP: 3072:mmqW8e0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWcx:B/h4QxL7B9W0c1RCzR/fSmlX
Malware Config
Signatures

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 3c52f11c85d435cd9524e69108e2c0aa.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | saaseut.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | 3c52f11c85d435cd9524e69108e2c0aa.exe

- Executes dropped EXE (1 IoCs)
  pid | Process
  - 3040 | saaseut.exe

- Adds Run key to start application (2 TTPs, 27 IoCs)
  All 27 entries are "Set value (str)" writes to the same key:
  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saaseut
  with data of the form "C:\\Users\\Admin\\saaseut.exe <switch>". The processes and switches, in the order reported, are:
  - saaseut.exe: /v, /o, /t, /r, /f, /q, /p, /i, /w, /j
  - 3c52f11c85d435cd9524e69108e2c0aa.exe: /d
  - saaseut.exe: /u, /d, /s, /l, /x, /a, /n, /m, /y, /g, /c, /z, /b, /e, /h, /k

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  - 4768 | 3c52f11c85d435cd9524e69108e2c0aa.exe (2 entries)
  - 3040 | saaseut.exe (remaining 62 entries)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  - 4768 | 3c52f11c85d435cd9524e69108e2c0aa.exe
  - 3040 | saaseut.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  - PID 4768 wrote to memory of 3040 | 4768 | 3c52f11c85d435cd9524e69108e2c0aa.exe | 93 (reported three times, identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\3c52f11c85d435cd9524e69108e2c0aa.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c52f11c85d435cd9524e69108e2c0aa.exe"
  PID: 4768
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\saaseut.exe (depth 2, child of PID 4768)
    Command line: "C:\Users\Admin\saaseut.exe"
    PID: 3040
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204KB
- MD5: 9915bab905e98517521c04a639fcf246
- SHA1: f8b571e3d8a8860f606528f823c8ff7dc7dc4512
- SHA256: 4afb9f60b42c97bab936fbb3a611d5e76e42f739a9b1db5faad70446b090e279
- SHA512: c7662cac88c3bcbe51264aaa940ce689e146e1d2a3e08783c5cb486d142cb415f02ad559222fec5d517abf54e1a9cf27bf655ab9f9dca7fb4c551587b1a5cb63