Analysis
Max time kernel: 120s
Max time network: 102s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23/07/2024, 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: c3de679d46d7af04fb19fec872658950N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: c3de679d46d7af04fb19fec872658950N.exe
  Resource: win10v2004-20240709-en
General
Target: c3de679d46d7af04fb19fec872658950N.exe
Size: 60KB
MD5: c3de679d46d7af04fb19fec872658950
SHA1: 715a2062a806ad6ac2c1bd8915b4175cbd9432b5
SHA256: 033a9bdf81cd99f3aac4ccd914b91de59ec3c7ab0aa825511487675f3017816d
SHA512: cae8bdf84fbd586d32c21386e16fa9f6ea459fbbce3f02d32fc6061763ab603307d9184ae2e19f261840a3fa185a358eaee28b77219d25dc8e0aecf5abb7b766
SSDEEP: 768:ETgAcnILz6H4PwVjHovQ/o/THkbAqs3OfKDHGlHRJ6Wd:ETCy0CQjH2oQ+RJ6Wd
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Description: Set value (int)
  IoC: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: puoiw.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
  Process: c3de679d46d7af04fb19fec872658950N.exe
Executes dropped EXE (1 IoC)
  PID: 3408
  Process: puoiw.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puoiw = "C:\\Users\\Admin\\puoiw.exe"
  Process: puoiw.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID: 3408
  Process: puoiw.exe
  (the same PID/process entry is repeated for each of the 64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3428: c3de679d46d7af04fb19fec872658950N.exe
  PID 3408: puoiw.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Description: PID 3428 wrote to memory of 3408; process c3de679d46d7af04fb19fec872658950N.exe; procid_target 89 (3 entries)
  Description: PID 3408 wrote to memory of 3428; process puoiw.exe; procid_target 83 (the remaining entries, repeated identically)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c3de679d46d7af04fb19fec872658950N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c3de679d46d7af04fb19fec872658950N.exe"
   PID: 3428
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\puoiw.exe
      Command line: "C:\Users\Admin\puoiw.exe"
      PID: 3408
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60KB
MD5: f5cbef808981b1824e4c1c657e6e046c
SHA1: cd982b04d3bf27b2170f10092fea9dda46b47479
SHA256: c3c50d0427c8e413346b4f71c75b38e161b022090f461ce0b462334e74806cdd
SHA512: 07c81df19457bb6a461bb7461913bf749f8fa83cf866f069e4657d23838d596c55d77baa3840b4cc01626afd20e4257ed5adcd494857f43ca24724ed7ee0e4cd