Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2024, 23:23

General

  • Target

    90f83af1b9a84f96494b7e7a6298699710869efb6a7a892a6f66e4a251b0bb38.exe

  • Size

    188KB

  • MD5

    d2e14ee9cce5f853c9030fad44379424

  • SHA1

    68cc4586304f48a0bb057f75d9acac2c3d25b3b3

  • SHA256

    90f83af1b9a84f96494b7e7a6298699710869efb6a7a892a6f66e4a251b0bb38

  • SHA512

    fba4c9b9daa3b549e35ef551a6022c0066ef7194f31a51dc5dc3ed4579c5704295c889422c93d9f2e3e57fe73d4f8970b86667b21a935a71ea3e3c234cd26a8c

  • SSDEEP

    3072:K7fyp+k5ROnFVR5pY0hrDGILpLI0M/Dk4KrfXRdjnbk9bOlezfQnFTTvprw1Wevd:K76p+7CKs0tzXRdjbk9bbyvprww8W

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90f83af1b9a84f96494b7e7a6298699710869efb6a7a892a6f66e4a251b0bb38.exe
    "C:\Users\Admin\AppData\Local\Temp\90f83af1b9a84f96494b7e7a6298699710869efb6a7a892a6f66e4a251b0bb38.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Users\Admin\ywpud.exe
      "C:\Users\Admin\ywpud.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\ywpud.exe

    Filesize

    188KB

    MD5

    e32439edb7377fbe5591678ae84284f4

    SHA1

    fdd75942315ca1bb3b2b6d2a6e5cc94850c903f6

    SHA256

    bbabebf18d4479bd672ba0d211991d01a011d4ab4922ff04057ca1051a4d1dd5

    SHA512

    85469905729614d364692e50ae21814971ad7dec1ef55d3666c43a1c69e0e030ffaf404772d1e5b3ac7260ae3e8325816d37b187b0832877622c7f61f3eedfb0