Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/04/2024, 21:38

General

  • Target

    61b41f281da915117c23d048a821ddf7f6a3561188efc19850edd80089ba1ef7.exe

  • Size

    236KB

  • MD5

    29a351e473bde27c0ea1aabfad8e1190

  • SHA1

    504d19e7b9bdb0e9785fd013e94236cb4269bc8f

  • SHA256

    61b41f281da915117c23d048a821ddf7f6a3561188efc19850edd80089ba1ef7

  • SHA512

    cdcd4ecff9167016b4ee78b510657482a0c7a65e486b2e33c2c79a6e833aeaaf957ff1b84a6b9c0215bd6bdf57a935579d3b9389e42f72070a0f4af962733b7a

  • SSDEEP

    3072:1W1brOJt3r4sRIfgNv99m/N7AHBrVzZEDcB/VX/4+QpY6:kiFckIfgN19m/N0F/VX/4+O

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61b41f281da915117c23d048a821ddf7f6a3561188efc19850edd80089ba1ef7.exe
    "C:\Users\Admin\AppData\Local\Temp\61b41f281da915117c23d048a821ddf7f6a3561188efc19850edd80089ba1ef7.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Users\Admin\poojuus.exe
      "C:\Users\Admin\poojuus.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\poojuus.exe

    Filesize

    236KB

    MD5

    d910204f7f0ba6227cf67cf248de5929

    SHA1

    35ffe64f1c6da1f9e5ef69cb9a3e16316bef2a5e

    SHA256

    9f66a23e80e8be634fce56c8db7b5ebb1099b4440bd430b27e5a8cedbab5ece3

    SHA512

    4598d7f4015bfce391b2b35beb8fbb78d57162c541d2780c68a5d0d8aa5987efc4a4c9daf7aee76ea02a66b649abf205ddf428cc8ad4ec9b09ff3d4112fe5bc2