Analysis
max time kernel
76s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
16/04/2024, 19:01
Static task
static1
Behavioral task
behavioral1
Sample
0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe
Resource
win10v2004-20240412-en
General
Target
0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe
Size
76KB
MD5
1588dc7d8a815648d291e3c6f24a3f2c
SHA1
99cdd498657f40aa531df08c93e5eeb9cc9f2fef
SHA256
0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82
SHA512
9aa2f0ba85b5a172cf7d40413a221f1ba7c3bd7b1371f79eafd2ae5d575c9fba0cc31544ac0771cd5149d268f89e89d91a81129c49fd9b343d8ea5acc1200059
SSDEEP
768:xMIrCOtyLoW0+xOF4/i/BEYkp7P6lweQDhDmpU5GFrrEzWsdSE0d8pUHIkI0Inn8:xJWp3xO+2G40OIkan8
Malware Config
Signatures
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process: ybquw.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation
Process: 0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe
Executes dropped EXE 1 IoCs
pid: 4444
Process: ybquw.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ybquw = "C:\\Users\\Admin\\ybquw.exe"
Process: ybquw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 4444
Process: ybquw.exe (the same pid/process entry is listed 64 times)
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 4408
Process: 0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe
pid: 4444
Process: ybquw.exe
Suspicious use of WriteProcessMemory 3 IoCs
description: PID 4408 wrote to memory of 4444
pid: 4408
Process: 0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe
procid_target: 89
(the same entry is listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe
command line: "C:\Users\Admin\AppData\Local\Temp\0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4408
  C:\Users\Admin\ybquw.exe
  command line: "C:\Users\Admin\ybquw.exe"
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4444
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
76KB
MD5
2914466ab5d7c5af40ba66b0e8b1c745
SHA1
595600f9e88f06485770415762867015d05c1125
SHA256
bfc83267e72d0e29847da74e55a8aeeb37bf4e050fbb41f7d861f50e5925b0f9
SHA512
c1b60a6cd6161b305e0c2b69033aec9c7c2d9b7e0649a59dc6b5a1a681f7cbcb49e5824492e2d63bd7ece4771acbea1b633ecbc03010e2cb753b1fefe2b38836