Analysis

  • max time kernel
    969s
  • max time network
    1200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2023, 00:53

General

  • Target

    A2-Cryptor.cmd

  • Size

    32KB

  • MD5

    e031c713842d1db79d96101f8c0cf523

  • SHA1

    f97ce721472dd931998b272eeeec4e31cfedbfa5

  • SHA256

    30c4ed4509726173dfbb176a35e6cbc70b97cc7cad46c615e8bf89ad653b9ce6

  • SHA512

    a97a688c0663d2937377eb379da4e5cbdea9b28d09611a634b66cfb251091890722d160b44154fe073c4a5eb89b5dee27f06e17b0b3aea96b2bab8ef03d5360e

  • SSDEEP

    768:5yZE+8xnU25JWrmk2g9Ta1wCvKinXKCuY:5tU25J+a1hvhaCP

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 5 IoCs
  • Modifies Control Panel 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.cmd"
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\system32\certutil.exe
      certutil -decode "Image.bin" "18177_5476.jpeg"
      PID:2136
    • C:\Windows\system32\timeout.exe
      timeout /t 2
      • Delays execution with timeout.exe
      PID:3436
    • C:\Windows\system32\timeout.exe
      timeout /t 2
      • Delays execution with timeout.exe
      PID:688
    • C:\Windows\system32\timeout.exe
      timeout /t 2
      • Delays execution with timeout.exe
      PID:4500
    • C:\Windows\system32\timeout.exe
      timeout /t 4
      • Delays execution with timeout.exe
      PID:2600
    • C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      • Checks computer location settings
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Windows\System32\RUNDLL32.EXE
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        PID:1152
    • C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      • Checks computer location settings
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\System32\RUNDLL32.EXE
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        PID:4936
    • C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      • Checks computer location settings
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\System32\RUNDLL32.EXE
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        PID:1480
    • C:\Windows\system32\timeout.exe
      timeout /t 3
      • Delays execution with timeout.exe
      PID:1452
    • C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      PID:3648

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0.vbs

    Filesize
    384B

    MD5
    b7a7938c66a80e1340076bd7a77dadc7

    SHA1
    f2933f77a511a16a4845fd1e491c0566e518d51d

    SHA256
    b5c95334085208b47c71a2a9d0fdadb7a74174e25a9ef2f3ef93620fa2e08946

    SHA512
    3e68154dc2fc2d31be228e2dd9180ba848b80ec6b873abe457e545d0808d988054892ca632bf293d3ccb0286ef7de3f40dc2c3931f77991417ec184fa5260f51

  • C:\Users\Admin\AppData\Local\Temp\Image.bin

    Filesize
    21KB

    MD5
    f6f72da7cd731682ff5442ba541457e2

    SHA1
    60bddfc609fad2f80c0688905e795e51003d9433

    SHA256
    00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1

    SHA512
    2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d