Analysis
max time kernel: 56s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2022, 03:52
Static task: static1
Behavioral task: behavioral1
  Sample: 0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  Resource: win10v2004-20220812-en
General
Target: 0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
Size: 169KB
MD5: 4283ff6fdc51323418be4898f73b8590
SHA1: 9a58752307f4883be5d7de8dd2f63905ce3f73e0
SHA256: 0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d
SHA512: 9aa89c4c970027094f9ea6194c8a51ef8091e39a7e8ba8cd10b5ba6a2939b1010cd34a4339e6f5c424ccc63e33287624df447f2d786baf10b6c96cb31c8e4405
SSDEEP: 3072:3BAp5XhKpN4eOyVTGfhEClj8jTk+0hXusqqs2D80jorK48l1mDAcjhUsP:6bXE9OiTGfhEClq97qNZjA8TmfP
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1876  WScript.exe
  4     1876  WScript.exe

Drops file in Drivers directory (3 IoCs)
  description                   ioc                                    Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  cmd.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  WScript.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hîsts  WScript.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (10 IoCs)
  description                   ioc                                                                    Process
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\TheInternationalFran.chi    0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\401kfundstopurc.bat         0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\or join your favorite.fran  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\Top10franchisesof2013.vbs   0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\Uninstall.exe               0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File created                  C:\Program Files (x86)\deli_jedi\spinogriz\Uninstall.ini               0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\International Franchise.qq  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\seAssociationisyo.bat       0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\ourceoffranchiseinf.or      0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  File opened for modification  C:\Program Files (x86)\deli_jedi\spinogriz\ndresourcestoesea.vbs       0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                                               procid_target
  PID 1228 wrote to memory of 1428   1228  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe  27
  PID 1228 wrote to memory of 1428   1228  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe  27
  PID 1228 wrote to memory of 1428   1228  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe  27
  PID 1228 wrote to memory of 1428   1228  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe  27
  PID 1228 wrote to memory of 1168   1228  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe  29
  PID 1228 wrote to memory of 1168   1228  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe  29
  PID 1228 wrote to memory of 1168   1228  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe  29
  PID 1228 wrote to memory of 1168   1228  0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe  29
  PID 1168 wrote to memory of 2036   1168  cmd.exe                                                               31
  PID 1168 wrote to memory of 2036   1168  cmd.exe                                                               31
  PID 1168 wrote to memory of 2036   1168  cmd.exe                                                               31
  PID 1168 wrote to memory of 2036   1168  cmd.exe                                                               31
  PID 1168 wrote to memory of 1876   1168  cmd.exe                                                               32
  PID 1168 wrote to memory of 1876   1168  cmd.exe                                                               32
  PID 1168 wrote to memory of 1876   1168  cmd.exe                                                               32
  PID 1168 wrote to memory of 1876   1168  cmd.exe                                                               32
Processes

C:\Users\Admin\AppData\Local\Temp\0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe"
  PID: 1228
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files (x86)\deli_jedi\spinogriz\seAssociationisyo.bat" "
    PID: 1428
    - Drops file in Drivers directory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files (x86)\deli_jedi\spinogriz\401kfundstopurc.bat" "
    PID: 1168
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\deli_jedi\spinogriz\ndresourcestoesea.vbs"
      PID: 2036
      - Drops file in Drivers directory

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\deli_jedi\spinogriz\Top10franchisesof2013.vbs"
      PID: 1876
      - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Downloads