Analysis

  • max time kernel
    124s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 22:05

General

  • Target
    80918d0b25d465737c170e144962392b22a8acaa9c6b2e9f2f36d6657a24a8a4.exe
  • Size
    169KB
  • MD5
    4ca49fcf691cfc82432c64c6704ba471
  • SHA1
    886f8c3be8e607005542c814a276dae939862a94
  • SHA256
    80918d0b25d465737c170e144962392b22a8acaa9c6b2e9f2f36d6657a24a8a4
  • SHA512
    89e7d8975e09a47fd4f81f59098954a14725aae99c49645b7040cced7a00f515ebc2e11d87c76102ea52b81edbaaa08bd72f7a4b08dd7a7d1b917c406731d701
  • SSDEEP
    3072:JBAp5XhKpN4eOyVTGfhEClj8jTk+0hveFB/WmS0lKV0FwM:MbXE9OiTGfhEClq9ROmS5Y

Score
8/10

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80918d0b25d465737c170e144962392b22a8acaa9c6b2e9f2f36d6657a24a8a4.exe
    "C:\Users\Admin\AppData\Local\Temp\80918d0b25d465737c170e144962392b22a8acaa9c6b2e9f2f36d6657a24a8a4.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:2696
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1924

Downloads

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs
    Filesize
    962B
    MD5
    3e98f611d381e822813d5682a600e01e
    SHA1
    ed6af2bba9c5a7ffcd077d88348ba2cbbe275ac7
    SHA256
    510ca81d772cd8812a4967ea5a4936f8366a122d52f1356127d3e9ba25621833
    SHA512
    7e98aff84e6440132dd55204f2ad78654db79e0d3a603e1e4b972bd61123079e9b52d9ddca7c0e7eee5b5a2ea1c8ffd5a71245fbf6bd7eda99b0da3c6f168367

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\davai_tantsui_veselei.ne_zalei
    Filesize
    54B
    MD5
    cfe46dd6eb4dfd778e6b52683fc50c83
    SHA1
    78808114a0ccd19c7d6541d44bc3ce97f718fe5f
    SHA256
    b8ce33995d95ccf673f4f13ab56f039f72ef52fb2390ccfb8f44ced271e30ea4
    SHA512
    c4f7fbb8c4400a9a19a6af88166908a178e3ae706476898fb23c45a1caf8fe2756ef00c88fac512319f35a6e17f5cc0fe52ebbc40de95ed306def708ea83ad94

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\i_ni_maromoiki.kiss
    Filesize
    27B
    MD5
    213c0742081a9007c9093a01760f9f8c
    SHA1
    df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256
    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512
    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat
    Filesize
    3KB
    MD5
    3c6fbcd230a5c2b62887b798739758bc
    SHA1
    8e091201562e64bde173cca98492fc2ded3ecb0b
    SHA256
    4e4de8ff1462f11c343c0a6b204189846a5878ca3613e3a4b108c12df81e2cac
    SHA512
    35f0f20ab7fb371fdb3370dde2df27f6ee6f11fc54382be62082cdd814c431048d841ab6b6a2aa5368444aec37f054697d1b933313f40d7db800a842da04eae4

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs
    Filesize
    315B
    MD5
    026200f41c262e8b2fe3652a11f5b852
    SHA1
    f511080be21c47ca2712c2b20f4f264e53632744
    SHA256
    554f5325ad10310faea94a33192afb2d0f9f19b92e521e6fe1edf45a224e2865
    SHA512
    fc2b1eee4ff44b7401037619e2daecd3c4d9a5e76322ca702fc394a972eefdb28cf7debeb692d2d1d26dae615f7dc7ebf64e434b5472c88d18a48db62302a290

  • C:\Windows\System32\drivers\etc\hosts
    Filesize
    1KB
    MD5
    6e68c691f6358bed2031502c17b6f8e6
    SHA1
    7ce8f2779d6d83f8a0e1aa1de8f94574211f72b4
    SHA256
    109e403a80b97b7d0951f3e498e85313e3d8c8d996d1ed91b494f5c09d8c85f9
    SHA512
    c1c57c46208d99c856f2c57e7b2164c5ee16c6dc83361e084c528f4fbadbc6314bb62cbd6c28d151a1dd738b3967f1a3c27070eea99e31d1fe9ed86c916b911d