Analysis

  • max time kernel
    181s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 19:00

General

  • Target

    893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe

  • Size

    364KB

  • MD5

    72c482ad8052388343956fe092465e7c

  • SHA1

    6b301063661ce24464060938823554a4d2e411d4

  • SHA256

    893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321

  • SHA512

    6318d94e1adff12fa42fb05d3a46bef337577ec68ba4cf993012d422c5ae09f6d928b936346538c75891085253565caee30614fa18cbb76586a96fa0324b3f3d

  • SSDEEP

    6144:CbXE9OiTGfhEClq9ztilm4CNyG+4GgDNxDiRVBHePLBQsL:qU9XiuiitImy7wxQVB+TBQsL

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
    "C:\Users\Admin\AppData\Local\Temp\893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4516
    • C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Program Files (x86)\ololo\3t.jpg" /ForceBootstrapPaint3D
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ololo\olololo.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\SysWOW64\regedit.exe
        regedit -s snapshot.reg
        3⤵
        • Runs .reg file with regedit
        PID:3544
    • C:\Program Files (x86)\ololo\pipipipipi.exe
      "C:\Program Files (x86)\ololo\pipipipipi.exe"
      2⤵
      • Executes dropped EXE
      PID:4960
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 668
        3⤵
        • Program crash
        PID:5016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
    1⤵
    PID:4940
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    PID:4360
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Program Files (x86)\ololo\3t.jpg

      Filesize

      52KB

      MD5

      20fa9a18bcc7d0ac56752235bda71ff1

      SHA1

      bfc38d50c995dac42388c9681f31e3bffb12048c

      SHA256

      18a663b6b5cd7298af8ebe47c29d7c4f150b2864cfd5599723b82245f6846dcc

      SHA512

      ae0fb6491e2f0d7be6150189516afaa0225e82cb7809392667f3a3131e74270ba4e265c2878bb159ba1ff5656275eeb439fccbf5abe28ca49bee7294541778cb

    • C:\Program Files (x86)\ololo\olololo.bat

      Filesize

      56KB

      MD5

      e5af3dd46df77c166f55378507c5cbcb

      SHA1

      c2e5ff64d3e2fe0dcd2960164219f0031619653a

      SHA256

      3185d610a530e91e62fc95cd3c8b3df333d3254524417afc945b4c32b3e8d918

      SHA512

      0cab1d707b450588e579e099dad31f6c300d03b461ac12cfb8eabcc3ebe1d91859d2454cd82845d6ab233086397ac760fa7ebadcb3ad8871f32a6b96fcc42bec

    • C:\Program Files (x86)\ololo\p.txt

      Filesize

      2B

      MD5

      ac627ab1ccbdb62ec96e702f07f6425b

      SHA1

      9a79be611e0267e1d943da0737c6c51be67865a0

      SHA256

      8c1f1046219ddd216a023f792356ddf127fce372a72ec9b4cdac989ee5b0b455

      SHA512

      6781a9e05f5e327a138f3d09ce0211ce4f166d940a14b46373e44402a3f3754cab4109f62c50777cbc1e3c4f1b8e6234e8d0b41281571bf0e1bd480c12149830

    • C:\Program Files (x86)\ololo\pipipipipi.exe

      Filesize

      253KB

      MD5

      f4ab00e8243d57e5f8fe2cb1748b94d3

      SHA1

      f485809a23c8d262c06e7a5aa3784d3049baa42e

      SHA256

      86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd

      SHA512

      6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5

    • memory/4360-139-0x00000236331A0000-0x00000236331B0000-memory.dmp

      Filesize

      64KB

    • memory/4360-140-0x0000023633D20000-0x0000023633D30000-memory.dmp

      Filesize

      64KB