Analysis

  • max time kernel
    164s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/10/2022, 03:52

General

  • Target

    0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe

  • Size

    169KB

  • MD5

    4283ff6fdc51323418be4898f73b8590

  • SHA1

    9a58752307f4883be5d7de8dd2f63905ce3f73e0

  • SHA256

    0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d

  • SHA512

    9aa89c4c970027094f9ea6194c8a51ef8091e39a7e8ba8cd10b5ba6a2939b1010cd34a4339e6f5c424ccc63e33287624df447f2d786baf10b6c96cb31c8e4405

  • SSDEEP

    3072:3BAp5XhKpN4eOyVTGfhEClj8jTk+0hXusqqs2D80jorK48l1mDAcjhUsP:6bXE9OiTGfhEClq97qNZjA8TmfP

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
    "C:\Users\Admin\AppData\Local\Temp\0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\deli_jedi\spinogriz\seAssociationisyo.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:4344
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\deli_jedi\spinogriz\401kfundstopurc.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\deli_jedi\spinogriz\ndresourcestoesea.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:2100
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\deli_jedi\spinogriz\Top10franchisesof2013.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4156

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\deli_jedi\spinogriz\401kfundstopurc.bat

    Filesize

    60B

    MD5

    258d8136cd3c8432f1a081b556a21506

    SHA1

    a7c0e77f17798c228e3474b468f1367fb6c60345

    SHA256

    ebb8f6bf622daa7419d7f4033a88e7f42f1b17884bc93227f39059a9220b0185

    SHA512

    217296f331d1004be31a635619cb558430f3f679d62e1775f386f093d7700826fb384daa19fc6fac4d2ae172d861800b46e13ad3632b1fc2a684b31cafd66276

  • C:\Program Files (x86)\deli_jedi\spinogriz\TheInternationalFran.chi

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\deli_jedi\spinogriz\Top10franchisesof2013.vbs

    Filesize

    352B

    MD5

    f4ae0b1ba546e671236d25fd080086ff

    SHA1

    dc7376d6cf3c1817d7075dfeb2a29794bb264e8b

    SHA256

    9f7e2f2c6be9a9aa9b73125ba4de5b545b4a531958b1871b782db4a176979b7a

    SHA512

    ce3eddfaa803e5374165553e60ac70cf57b0901635511b8e601ea54cc92f2b27824c2771b1c2a09ffc841e50c936260411d08777ea3a87139111183a7d18f38f

  • C:\Program Files (x86)\deli_jedi\spinogriz\ndresourcestoesea.vbs

    Filesize

    1KB

    MD5

    98e4ff92d90de50f2c4c5d49f2236bfb

    SHA1

    0f04889c92cf9cab3900a8cc1e1141803fa95fbf

    SHA256

    298c7e610f7bd5f1cda0a9da69fbfe469db7856af6b61de0019ba1bc52773805

    SHA512

    3d32a3d513da0179ad3722c3facb3da60ddb6ce3f5428976f247cf766e42be6ab19e8e5edc5daddf2285015c57fd63a0aa31938df793f78f489e88cd22ff0eca

  • C:\Program Files (x86)\deli_jedi\spinogriz\ourceoffranchiseinf.or

    Filesize

    56B

    MD5

    33243862ff997cdc12ddc6e5af696693

    SHA1

    09a7587fe08458cfde973d60a4d2dc992906b4e2

    SHA256

    6b7c065ccb61fc5c6c52e939e5f2dcfd3de99e46ee7f7d3632614aa2f6514162

    SHA512

    d3fdecb19fd5b063be5bae394597178f5643390c21808d4c9dea6361cbb4a764d613f802e9c8a3ea7a4c1bb96d6f805137ef2ad5e361875e68b6c5b01564ed6c

  • C:\Program Files (x86)\deli_jedi\spinogriz\seAssociationisyo.bat

    Filesize

    3KB

    MD5

    455d28196dd32bfdc43d98f03ba56578

    SHA1

    a22e664b456435b555e5e35aac63f1ade6a8f532

    SHA256

    6d3a4d67768bd3d1fa76cb7d0fcaf7b2f8322c084ce4ea1d19e00e9da7228f99

    SHA512

    4754238540c9f5ecea93343a74645c84b12a45ed6455408e822810b8e96f519482fa7b0766666e92cb93bc6865fb820c4208cead0ecfa44e09d1750bef702155

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    f07d07c7aba283275e6b90e2160fda7c

    SHA1

    c942ba833627345a8b01de4a667989864d8a1769

    SHA256

    2318fa9d3959912f8451541619fe23d4eed7a4b32d332154e106b013d63944c1

    SHA512

    efe99d973a0facc3f25a9de3672a528519939f7d9c83938d067a8f8ee27d7104e47f2379765b2bd725fd1b5ed3a21c16f7cb52c222e71ed71bdfead940d40e25