
Analysis

  • max time kernel: 124s
  • max time network: 167s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/10/2022, 02:19

General

  • Target: 13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
  • Size: 168KB
  • MD5: 6e9e80d1fb531f6dc3fed7bb456f5ff0
  • SHA1: 3af891b7f088113133cdc403f406e98555ccf69f
  • SHA256: 13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23
  • SHA512: faad7eab0b14d6b846ba96aba2b453094ab1bd68d2114deaa94292e3279f0e4f810735989dec1d16ad0bd3d78e6936ce902b394fc9e51758262b701246b17b0c
  • SSDEEP: 3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hKWuOVEXIC1YDuKPeTx:WbXE9OiTGfhEClq9IuOVEXIgY5GTx

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
    "C:\Users\Admin\AppData\Local\Temp\13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\minet\miss\TURboPenis_tehno_prank.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:5036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\minet\miss\horocho_bistro.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\minet\miss\smoki_mo_mo_mo.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:5112
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\minet\miss\trehochkovi_ne_dlya.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4268

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Program Files (x86)\minet\miss\TURboPenis_tehno_prank.bat
    Filesize: 1002B
    MD5: e6544067c14194ed3aad4287a550ca34
    SHA1: a4696d60f203d5cabddfa09f7cf76d7479c5071a
    SHA256: b8dabf4a2a5b89daea016893e634eae6442dac4055b3f3644902393183e8eddf
    SHA512: e6d691b3f322160798ca2dddf7acab25d9b7687963a0dd059045e55f166e0b6b0ee0ea41ccf216134d2e89f36e120c1a148564fa9dc5bd7596b19556fcd21ba3

  • C:\Program Files (x86)\minet\miss\horocho_bistro.bat
    Filesize: 74B
    MD5: dfab498697ae778951b7e83e9490bacb
    SHA1: 944895997702cfa3c5a6119dd827e11564ec86b7
    SHA256: 8c605c4e8f2390ae1bd8a6deac2abab7640cf65098c908eea241e64776af472e
    SHA512: 8fe48e0fe420d9947fd18bd724519e786f2032bf92229fd2d44739894e6d5dd5e03bd6ac11531389f1dcbed8598773498697657d3ad9f2c6139eebd1eb82e082

  • C:\Program Files (x86)\minet\miss\lock_docg_snop_dog.rrr
    Filesize: 41B
    MD5: 7c7a14ba40f5a6b58e44d800b9045672
    SHA1: a104302caf1297e2c2d634dcf43be564c8a98ef9
    SHA256: 9f32b86f0c233ef0cdf4f65b2dc5460659bd13b78400209d24313aed7c43d4fd
    SHA512: d47feffbaa1c2e1d9af118ab1e43429e7e5c96a7eed2d2c811168b67463ddae810e58182843638fd68a37696a3ac71d1ebda3f7a65388a470a392b51ab99daa5

  • C:\Program Files (x86)\minet\miss\shabash.log
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\minet\miss\smoki_mo_mo_mo.vbs
    Filesize: 744B
    MD5: 0c3f12aca53136ac4d6ece456f477085
    SHA1: 0403e611c28d23113d4f59d83fc35db4b49970b5
    SHA256: 6bfaf8ec8bc891bb757df1db5b8430cd6079b4ad3c2c684546d09738d521dd0d
    SHA512: 5537a961ed7eff90abfe74b7671e2043abddde2f6bf308869bc0713eb79bbdcab81589bce051c127e8f0d86d9c216665561f33a56982a1a879098ebe0e177767

  • C:\Program Files (x86)\minet\miss\trehochkovi_ne_dlya.vbs
    Filesize: 277B
    MD5: 8fa05a4e0971a87daf9debdd52b84913
    SHA1: a918aee2ed0391a2aabf7177fe0521a2e143badf
    SHA256: 3dae8d9315accee2a22500af58a93f5348542e7107238ff8a1bd66002518ad16
    SHA512: 51eb40837c9ddb31415fa00d3997aed568c82060a60c41cb4a1e6bada1091f18ded63c102a113880b899b34e116797d42f9fffb8d293907368bb720265139bd0

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: f9641f9b0d06696abe6d29e2841b2c7c
    SHA1: b8e4e1b432b7dd572b16f850456043e23c0f2f76
    SHA256: 1cac219765e0726d74e0a1546d121e28843e661b29f9090115c7a4a56ebf5799
    SHA512: d85bb9ab724c0255959dbff0cd679413807cd5d5307db5406c1b38902961727835efa46d932ce295482ee898be090ae89a9c13cf487ef9af53007901ba651128