Analysis

  • max time kernel
    92s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 23:15 UTC

General

  • Target

    20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe

  • Size

    158KB

  • MD5

    f8c5780eafebecc7095930066b93ba9f

  • SHA1

    eedca839448d64723075015256f4cd7108159114

  • SHA256

    20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8

  • SHA512

    05ff458152cc28d14dcdc47e3cd3c17930ec80ed92b7bed33ffab3a082c5555af078af0c8bc8a5fd96ae3b9f8bd2948e5f9b55bf6a46b8fc756012fd4c7df16a

  • SSDEEP

    3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6FHwHCyeGPhsJ7Nnp:PbXE9OiTGfhEClq9FKxwQiyVhsJhp

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
    "C:\Users\Admin\AppData\Local\Temp\20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Li\Es\plashutnaokoskei.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Li\Es\nunenadaeto.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:3392
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Li\Es\nachinatnam.vbs"
        3⤵
        PID:4540

    Network

    • flag-unknown
      DNS
      debiloidi.ru
      WScript.exe
      Remote address:
      8.8.8.8:53
      Request
      debiloidi.ru
      IN A
    • flag-unknown
      DNS
      debiloidi.ru
      WScript.exe
      Remote address:
      8.8.8.8:53
      Request
      debiloidi.ru
      IN A
    • flag-unknown
      DNS
      debiloidi.ru
      WScript.exe
      Remote address:
      8.8.8.8:53
      Request
      debiloidi.ru
      IN A
    • flag-unknown
      DNS
      debiloidi.ru
      WScript.exe
      Remote address:
      8.8.8.8:53
      Request
      debiloidi.ru
      IN A
    • flag-unknown
      DNS
      debiloidi.ru
      WScript.exe
      Remote address:
      8.8.8.8:53
      Request
      debiloidi.ru
      IN A
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 13.69.239.72:443
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 8.8.8.8:53
      debiloidi.ru
      dns
      WScript.exe
      290 B
      5

      DNS Request

      debiloidi.ru

      DNS Request

      debiloidi.ru

      DNS Request

      debiloidi.ru

      DNS Request

      debiloidi.ru

      DNS Request

      debiloidi.ru

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Program Files (x86)\Li\Es\bolshe_treh.me

      Filesize

      50B

      MD5

      2160e193d211ce21ca6021082c5076f4

      SHA1

      24d5ec3058279205719ed1e94b46c0f312c75c3d

      SHA256

      5f7970e19f891c00a9e367d81edb0491c1db193593ffdef9a407d370eada904c

      SHA512

      e024a2dd600be25becfdd244f3ef692e08c7d79a5ddd3466b6a6ed2e94600f3a0d6e1c04e93fb1880fc2e1067c4c9df48d7a76a770eec2eced5cc02447ab7845

    • C:\Program Files (x86)\Li\Es\kakunaso.ka

      Filesize

      27B

      MD5

      213c0742081a9007c9093a01760f9f8c

      SHA1

      df53bb518c732df777b5ce19fc7c02dcb2f9d81b

      SHA256

      9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

      SHA512

      55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    • C:\Program Files (x86)\Li\Es\nachinatnam.vbs

      Filesize

      166B

      MD5

      ea01d37f436f8848247fc1bf4bd1ff46

      SHA1

      03fe3c69f4608329049ef55eb5086df3cca20631

      SHA256

      498c4b3319da205d3cb1a9677357e9a430966658a1794f5a136f0faa3a44d7a2

      SHA512

      794fcef23060f9a46bc571e596fbfd78944f0781197c3e38bbf2c862a188c15f5bcb0309d8ef435cae451ba855cd6d25146ab742ebd909f46ff08fb85700e3d3

    • C:\Program Files (x86)\Li\Es\nunenadaeto.vbs

      Filesize

      1KB

      MD5

      b28841fec0460fe4dbcb213e1b5e9f59

      SHA1

      7b29d41e2ef65fc3f3b462f12dadef3e7e2d567a

      SHA256

      e35c70b22c9ae0a6c328857d632e8c70f8bcc9936b1a414ee044ec6412003f58

      SHA512

      6057ddeaded589bbb41feae4fdbf367adeea22f8834e20d54dc9991cdaf31915ed2cc815b8ab5cae4cb7dbcd9f6b6a726d12c51fcab1ddcab75cfcb061c7af71

    • C:\Program Files (x86)\Li\Es\plashutnaokoskei.bat

      Filesize

      1KB

      MD5

      2f99a0229b053e649becd8520cd8f870

      SHA1

      9b2c1d658d36bad704935ae9d7377b3208a79248

      SHA256

      d7e206e2e9f441461c361b6c6588e56a59858a973a0e3516dadb5c7e49fb5c3b

      SHA512

      c99f44f1d8cc26404e10c75431c861e2c758cc94e135611fd504785e51fef93c4996076ecc97dc98cb2014340bd9a9e5238e2e8cfe0a38fff077d28daa11584f

    • C:\Windows\System32\drivers\etc\hosts

      Filesize

      1KB

      MD5

      a90bee6f0a14eeb706358b6413641f15

      SHA1

      618cd8a88702dbeeaba7267ff3461e3c45ea8aff

      SHA256

      6f806cb10c520ab8461623e5c43dfd41fb2cbcee1fcc2a26b9d3e0ff4ea8a54b

      SHA512

      9f3195f9a5439ff9ff565312046bff733be4f3088beba80dcca5e8ce397716934470590b7760c5eaa22eba9aa64e3452cce6440638c06a857c6ce195707a72da
