
Analysis

  • max time kernel
    152s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 01:53

General

  • Target

    f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe

  • Size

    180KB

  • MD5

    13da87e3d84c4f19d4e073eccf5e29f2

  • SHA1

    fa3ea8a1095144192599f8be96a3f5cd03a0e334

  • SHA256

    f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b

  • SHA512

    d5c9a09a41f9bd72ad01e1ad34b4d770eb5bda60fcc79c143818b106ec6921b9c99c6a46e9f726a81dd91a03fa7e59034a4395346a9de141b3f831d9efc19f25

  • SSDEEP

    3072:OBAp5XhKpN4eOyVTGfhEClj8jTk+0hJiaqR//1Wcjej5EqhnBWz9T6M33rb2p:lbXE9OiTGfhEClq9mqR//1Wcjej5Eqh3

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
    "C:\Users\Admin\AppData\Local\Temp\f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:1388
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:3016
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:2496

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat

    Filesize

    2KB

    MD5

    ff084e6e7dc5c24496a80a202eab9d6d

    SHA1

    e26087d935c9769392eb08f73ff60577b282a3fe

    SHA256

    7ccb5d0a48b3162a2ad3a92baeac8d5de8231f78755d2a12ad9855e26664eb96

    SHA512

    c7851f6e768e4481e1f4b3a8968712a0cc50f498c5e83b51d1ee0d51f1bfb3df37970e08c70fe288e04d36ce98f06057dacf7a1ac511153c3813d065de6f3a3c

  • C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\ebi_manya_kon.rud

    Filesize

    33B

    MD5

    332d683ba552d67383ad13b6ce9ba772

    SHA1

    0017392ee6adb57e4b8f71e54bf24e606eaac773

    SHA256

    d6d630ef2f0879dc1e12b44bdc2092c7b0d72df3c1cf48b3117b63cea98fe752

    SHA512

    143fbb1abf9b0307f35343d08ff49ca0e5d1843836fa36033260d7a34a2081ffe9b13e97b2de5517648cbc38e4a509a53fa37bfe09952ed8873602780014292e

  • C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs

    Filesize

    916B

    MD5

    67e1d51993ed12432fd75fd20092a917

    SHA1

    c08fbfb72aad721c0d6e2462b95f4791aaf254b7

    SHA256

    51e3215c072e2736d8e0f0dfb214576ebe9be0d65fbad14da390b22bc1174398

    SHA512

    35ce72b6de2e3cab059245529770e100527afcaada2344a88ba01a4e3ffca7dab372d88515a82fa4465961a6552460f9e6951fc377f6e4422881023f96ba19df

  • C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs

    Filesize

    659B

    MD5

    01f4fe67b1f826d41ec440ec43256da9

    SHA1

    4ee7038e44a2e8387b1f7247ecb2c50a9af040d7

    SHA256

    4d06cd27e90aa2089d95d95e2277eae858861b084f8d066c5616121c79e861b5

    SHA512

    1ca9f4eb2bd16de93561b094f58259fdd94d6b227a57d2a218919acf24da124f6974eba3ebb1d65ed4d1a4fe0a871661dbc227eac83836aed0678ae9bfb9d22d

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    7f50b4c32bd25de2b4a756cde4f9bb9d

    SHA1

    0e20ddfe6c3272c895900217849eb5bc3597d387

    SHA256

    0ca2cd50aae4247a9cbac2f5f3800812b8b7085485075d1aa09cdd17a7b9bc28

    SHA512

    d38d0a90401ecded9d7e2c17480df2040ecab49d47d0b1ae3752a4d83e0c8670c6119b33cc895de5c46269592a5e3ddb897ccaa5967ad6e0f289e99a8ae762d4