Analysis

  • max time kernel
    85s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 15:30

General

  • Target

    PHOTO-DEVOCHKA.exe

  • Size

    151KB

  • MD5

    f3eb24ff9098c4525c31b2b041dc91c8

  • SHA1

    941064dbc83fe92a2e088f0514edda294d63981a

  • SHA256

    f77442dbb007b1378b5636d6e0d7fd2c52caf5dacc17aa1ff6db65c825b4ab63

  • SHA512

    229b4e9b50312b9c621438d840e46e28c5d4111341e37750dd56b6b25761c3b48850ec908ce516d9962b024bd64a0d3b776c23ab58c91f10fb7f1846f3376ec6

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiDR7ibWyvAYT1:AbXE9OiTGfhEClq9pR7iHV

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:2240
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:3596

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\nenuzni\poqflgodjg\blesk_glag.golo

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs

    Filesize

    1KB

    MD5

    e0825bb524c2ec0b313231e7700a112a

    SHA1

    81b3a3eb687bbb9856d1e4c60ca0f2956416ccfd

    SHA256

    ec7934e82ef82344333264bf52b45e02d303d96b83bb1fc87553590cab92c233

    SHA512

    7e0c1c18c04513054f427e3071ebe7c899699fb042e7cc43a11bcb9498cea9ce113b1b3fd9c70fbddd19b6fb8f1000d296a29ab5a5c1b043606a6b970278afe5

  • C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat

    Filesize

    3KB

    MD5

    331d23893bcbf30ed77839e245354641

    SHA1

    4b01c5e89995d009b3d55b5cfdb712fe74cd0892

    SHA256

    cbfd39d7e49af78cb46e5a92acfc3ecd46c2eec52c9270339835ead705e9a251

    SHA512

    a652b716bc32ba9f880cf0597a024d66e0daf28e280e92ceba390f3f9cbe7bd3495bc3316f084268c8613777f46e96e8c1394213d71e2d4c201ac20e6a400910

  • C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs

    Filesize

    265B

    MD5

    cc35fc94e4701d3af54282a4f5839536

    SHA1

    a55b6b82143227c25b1ff998a1da457a489f012a

    SHA256

    f1d5bc3d03813417b90d44b5cbb8c119fa90962330d96b4005f0198633c277c8

    SHA512

    1480786317e6e6ddc2068fa3cc2036c905dbfe35e2241b35933cc0419cdebe6de3b09778a7645b4917a71dc48aaa6756e567283f59434c63e4226b2ec78ce0d9

  • C:\Program Files (x86)\nenuzni\poqflgodjg\stulandos.dik

    Filesize

    89B

    MD5

    494e4f5c6731bce0964e578708164f6b

    SHA1

    d917975cd46f8ff88a80ab3b26d7b8816d108335

    SHA256

    0e82235c770563b94a07287009963130cde3b0642db701b7e3b5c3fac5e64a70

    SHA512

    d001db93eda7372d88d5fdba41ac3d84d6d2398333660af216dfc59ce0377bb5cd20e5b39ca736b2591337dffd01ed4bfc688fcaba196ed705a8eba7275359b6

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    e4052dfb3eb9ed5a08c840ef4c94dae0

    SHA1

    a0c8e665659f19d42ac2752b54f735fafdc91178

    SHA256

    21dbd76790026b47dcfe82b7e974474fce88c5e8ef55848e4ea6492923419ad0

    SHA512

    f892629aabdea21bf617359c5e3da17eaf5f528f67045506eab46d1677f0ac5935777eb14e60b9ab61566eba2239255a89d4752ab41ee27ed03fae7982d4ab79