Analysis
- max time kernel: 85s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 15:30
Static task
- static1
Behavioral tasks
- behavioral1: Sample PHOTO-DEVOCHKA.exe, Resource win7-20220812-en
- behavioral2: Sample PHOTO-DEVOCHKA.exe, Resource win10v2004-20220812-en
General
- Target: PHOTO-DEVOCHKA.exe
- Size: 151KB
- MD5: f3eb24ff9098c4525c31b2b041dc91c8
- SHA1: 941064dbc83fe92a2e088f0514edda294d63981a
- SHA256: f77442dbb007b1378b5636d6e0d7fd2c52caf5dacc17aa1ff6db65c825b4ab63
- SHA512: 229b4e9b50312b9c621438d840e46e28c5d4111341e37750dd56b6b25761c3b48850ec908ce516d9962b024bd64a0d3b776c23ab58c91f10fb7f1846f3376ec6
- SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiDR7ibWyvAYT1:AbXE9OiTGfhEClq9pR7iHV
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  11 | 2240 | WScript.exe
- Drops file in Drivers directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hîsts | WScript.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | WScript.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | PHOTO-DEVOCHKA.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | cmd.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (9 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\nenuzni\poqflgodjg\ne_zabudu_nikogda.ico | PHOTO-DEVOCHKA.exe
  File opened for modification | C:\Program Files (x86)\nenuzni\poqflgodjg\kakiento_nmomenti.ne_trudni.v.vozd | PHOTO-DEVOCHKA.exe
  File created | C:\Program Files (x86)\nenuzni\poqflgodjg\Uninstall.ini | PHOTO-DEVOCHKA.exe
  File opened for modification | C:\Program Files (x86)\nenuzni\poqflgodjg\blesk_glag.golo | PHOTO-DEVOCHKA.exe
  File opened for modification | C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat | PHOTO-DEVOCHKA.exe
  File opened for modification | C:\Program Files (x86)\nenuzni\poqflgodjg\stulandos.dik | PHOTO-DEVOCHKA.exe
  File opened for modification | C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs | PHOTO-DEVOCHKA.exe
  File opened for modification | C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs | PHOTO-DEVOCHKA.exe
  File opened for modification | C:\Program Files (x86)\nenuzni\poqflgodjg\Uninstall.exe | PHOTO-DEVOCHKA.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | PHOTO-DEVOCHKA.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1424 wrote to memory of 4332 | 1424 | PHOTO-DEVOCHKA.exe | 84
  PID 1424 wrote to memory of 4332 | 1424 | PHOTO-DEVOCHKA.exe | 84
  PID 1424 wrote to memory of 4332 | 1424 | PHOTO-DEVOCHKA.exe | 84
  PID 4332 wrote to memory of 2240 | 4332 | cmd.exe | 86
  PID 4332 wrote to memory of 2240 | 4332 | cmd.exe | 86
  PID 4332 wrote to memory of 2240 | 4332 | cmd.exe | 86
  PID 1424 wrote to memory of 3596 | 1424 | PHOTO-DEVOCHKA.exe | 87
  PID 1424 wrote to memory of 3596 | 1424 | PHOTO-DEVOCHKA.exe | 87
  PID 1424 wrote to memory of 3596 | 1424 | PHOTO-DEVOCHKA.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe (PID 1424, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4332, level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat" "
    Signatures: Drops file in Drivers directory; Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (PID 2240, level 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs"
      Signatures: Blocklisted process makes network request
  - C:\Windows\SysWOW64\WScript.exe (PID 3596, level 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs"
    Signatures: Drops file in Drivers directory
Network
MITRE ATT&CK Enterprise v6
Downloads