Analysis

  • max time kernel
    120s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/07/2024, 13:49

General

  • Target

    c3de679d46d7af04fb19fec872658950N.exe

  • Size

    60KB

  • MD5

    c3de679d46d7af04fb19fec872658950

  • SHA1

    715a2062a806ad6ac2c1bd8915b4175cbd9432b5

  • SHA256

    033a9bdf81cd99f3aac4ccd914b91de59ec3c7ab0aa825511487675f3017816d

  • SHA512

    cae8bdf84fbd586d32c21386e16fa9f6ea459fbbce3f02d32fc6061763ab603307d9184ae2e19f261840a3fa185a358eaee28b77219d25dc8e0aecf5abb7b766

  • SSDEEP

    768:ETgAcnILz6H4PwVjHovQ/o/THkbAqs3OfKDHGlHRJ6Wd:ETCy0CQjH2oQ+RJ6Wd

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3de679d46d7af04fb19fec872658950N.exe
    "C:\Users\Admin\AppData\Local\Temp\c3de679d46d7af04fb19fec872658950N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3428
    • C:\Users\Admin\puoiw.exe
      "C:\Users\Admin\puoiw.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\puoiw.exe

    Filesize

    60KB

    MD5

    f5cbef808981b1824e4c1c657e6e046c

    SHA1

    cd982b04d3bf27b2170f10092fea9dda46b47479

    SHA256

    c3c50d0427c8e413346b4f71c75b38e161b022090f461ce0b462334e74806cdd

    SHA512

    07c81df19457bb6a461bb7461913bf749f8fa83cf866f069e4657d23838d596c55d77baa3840b4cc01626afd20e4257ed5adcd494857f43ca24724ed7ee0e4cd