Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/04/2024, 00:07

General

  • Target

    a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe

  • Size

    168KB

  • MD5

    90f61238cd0d1709ac80c24d2e7a87a1

  • SHA1

    f0c1a4cbbd0d69a85de7d7860ffc763d220756d5

  • SHA256

    a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876

  • SHA512

    13b9c41f67327840b8ca80a60015045e196e2f820e35e3082eefba9104f87b76624ded18e922bec6a6deb5ca2144afa87ffe8dd9824187597de3eeeb40c64699

  • SSDEEP

    1536:oVWy3/PPqPFzTGRfu+1niPRI7gIeTo88zQMihZOy+RMnmE7UkAEJZvhICqDojK9:hkPqPFzTGRfu67bNz2hT9nmEA19

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe
    "C:\Users\Admin\AppData\Local\Temp\a8011f951421b4d8c1868791b34aea83ac6829990c86893279afe371052f5876.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Users\Admin\guoyob.exe
      "C:\Users\Admin\guoyob.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\guoyob.exe

    Filesize

    168KB

    MD5

    a2eec86419dbcd39d2676639b3553028

    SHA1

    a51fd5eae0a0939dda9d7420cedf01664b8cd342

    SHA256

    fe02d5dbc95231456a750954d17c0f34fa9f6a03f2ee46cfddfe4eb5eb8ee087

    SHA512

    f85083f821cac57c24303093a6e6accb25837e4c00bdca7769927b05d40cebdf89889f39e28356720271dcc4fefd92068e4b3bad852cfce472f64ebfd9a3a9be