Analysis
max time kernel: 63s
max time network: 71s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 01:53
Static task: static1
Behavioral task: behavioral1
  Sample: f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
  Resource: win10v2004-20220812-en
General
Target: f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
Size: 180KB
MD5: 13da87e3d84c4f19d4e073eccf5e29f2
SHA1: fa3ea8a1095144192599f8be96a3f5cd03a0e334
SHA256: f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b
SHA512: d5c9a09a41f9bd72ad01e1ad34b4d770eb5bda60fcc79c143818b106ec6921b9c99c6a46e9f726a81dd91a03fa7e59034a4395346a9de141b3f831d9efc19f25
SSDEEP: 3072:OBAp5XhKpN4eOyVTGfhEClj8jTk+0hJiaqR//1Wcjej5EqhnBWz9T6M33rb2p:lbXE9OiTGfhEClq9mqR//1Wcjej5Eqh3
Signatures

Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  3    | 1436 | WScript.exe
  5    | 1436 | WScript.exe

Drops file in Drivers directory (3 IoCs)
  description                  | ioc                                   | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | WScript.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hîsts | WScript.exe

Drops file in Program Files directory (4 IoCs)
  description                  | ioc                                                                                       | Process
  File opened for modification | C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\ebi_manya_kon.rud            | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
  File opened for modification | C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
  File opened for modification | C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs        | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
  File opened for modification | C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs        | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      | pid | Process                                                              | procid_target
  PID 908 wrote to memory of 2044  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 27
  PID 908 wrote to memory of 2044  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 27
  PID 908 wrote to memory of 2044  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 27
  PID 908 wrote to memory of 2044  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 27
  PID 908 wrote to memory of 1904  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 29
  PID 908 wrote to memory of 1904  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 29
  PID 908 wrote to memory of 1904  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 29
  PID 908 wrote to memory of 1904  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 29
  PID 908 wrote to memory of 1436  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 30
  PID 908 wrote to memory of 1436  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 30
  PID 908 wrote to memory of 1436  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 30
  PID 908 wrote to memory of 1436  | 908 | f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe (PID:908, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID:2044, depth 2)
      Command line: cmd /c ""C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
      - Drops file in Drivers directory

    C:\Windows\SysWOW64\WScript.exe (PID:1904, depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs"
      - Drops file in Drivers directory

    C:\Windows\SysWOW64\WScript.exe (PID:1436, depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs"
      - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Downloads