Analysis

  • max time kernel: 144s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29/11/2022, 15:59

General

  • Target: d60d07dd728acecdf3898e33599e284bc19fb3ac5013b0d6fa4e8b82183662cd.exe
  • Size: 128KB
  • MD5: f870148d9ce643b9338aefd1a3692619
  • SHA1: b2e7d8755c47b02018467b26dd2ca7d8abb8b568
  • SHA256: d60d07dd728acecdf3898e33599e284bc19fb3ac5013b0d6fa4e8b82183662cd
  • SHA512: 131eb2ee2c2de951e8e0539d799252e1e5440834b402d9863e5ab74942913e541a08ff882d046e32a572a2e2dae551bb0f3109afebfd4ee939c646c4901c24f3
  • SSDEEP: 3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6cMA:PbXE9OiTGfhEClq9FKxAA

Score
8/10

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Drops file in Drivers directory (3 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Drops file in Program Files directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d60d07dd728acecdf3898e33599e284bc19fb3ac5013b0d6fa4e8b82183662cd.exe
    "C:\Users\Admin\AppData\Local\Temp\d60d07dd728acecdf3898e33599e284bc19fb3ac5013b0d6fa4e8b82183662cd.exe"
    PID:4456
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\No\Ji\s0lai1______________a.bat" "
      PID:744
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\No\Ji\anuiatorl.vbs"
        PID:4840
        • Drops file in Drivers directory
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\No\Ji\ldkdkdkd.vbs"
        PID:1432
        • Blocklisted process makes network request

Downloads

  • C:\Program Files (x86)\No\Ji\anuiatorl.vbs
    Filesize: 1KB
    MD5: 4de77ce678bea7ff0b586f5f25a706f4
    SHA1: 091ff8f3072988db2812cc0491f1c8d55a3c9304
    SHA256: cc4b93ae7db6d9106dc1daf08cde883c324d5f3e757b31fac071ab36cad6ad04
    SHA512: 4a854f4c1f9442e00492c172e663f5f3973ea238a333088e01698fb86e68600d01e66018ee42e7e0281823a31ba1bc44cfddcb2cabcc109b71c8e0f4e5003fd4

  • C:\Program Files (x86)\No\Ji\ho.lod
    Filesize: 115B
    MD5: 0e1a159fb81f603792b1ccb128165db7
    SHA1: 2c6bab6f74aa6979fe850571f8b6b0681bee0df8
    SHA256: 61d70bebc0c93e64ca7bc10c43196bbd531c87517f6a3670cabd70e0be7fcb16
    SHA512: 807b276d1fce948f12eee26266620f647e4405506866000ce965bbce696ab599a0a7a3a5fec1f4d21a1b32eec609ccddd92e36da0a08383be0575ca5cd8f34c4

  • C:\Program Files (x86)\No\Ji\ldkdkdkd.vbs
    Filesize: 260B
    MD5: 0fb2885037c9478d0def53c71089457d
    SHA1: dc6d1f43b80ed3534e3dda6c52b0cb19795949ba
    SHA256: faf712947b873252048dbf0df629f13d87ad116051ffbd81be3de4d41016885c
    SHA512: e3dc85fcb6c7df3bac112f0dca10dfadf3f977023b5595d38b1fe0d090fb249afb78c4197cea32cc1b609e4606ad817d69a7b66eb330c9af29eeebf43315f18b

  • C:\Program Files (x86)\No\Ji\napri.mer
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\No\Ji\s0lai1______________a.bat
    Filesize: 1KB
    MD5: fb310a60fcdea3a67f0d1f8379acfa0b
    SHA1: 536b6f825df0bac69ee3fe0bf413686bd4daf887
    SHA256: ea241102723ad1ad1888e12245dea96e79938c92f29f6e9e0fbb87ad88c07df7
    SHA512: c072875f12bb88ec2bb7c2d5f2859baeb3b55f7b629b5ad3836e1015a58c958dbdcf43b5636cefb743a66695b79ca39db75146bae3c4fd035f615dde1df88d7d

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: e7bab3737d075510d93b0bf32a8d15ee
    SHA1: 13f52f22e8d0d14522bf07c98c9e4fa9e480bdbc
    SHA256: a07c3bd7ab2cea8b504fc8dd6ca279cc7907be611f899f7c94269d1be91bd5ed
    SHA512: bd298a16428c913b8f4579ffa3bae5ca65a92d000ba9899969186d6e5186e704f4ed8bf2ca7c73bf2678c86ff5f9fa3935f1fbdffb6ea0442a1eacdfd1700852