Analysis
max time kernel: 969s
max time network: 1200s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2023, 00:53
Static task: static1
Behavioral task: behavioral1
  Sample: A2-Cryptor.cmd
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: A2-Cryptor.cmd
  Resource: win10v2004-20230220-en
General
Target: A2-Cryptor.cmd
Size: 32KB
MD5: e031c713842d1db79d96101f8c0cf523
SHA1: f97ce721472dd931998b272eeeec4e31cfedbfa5
SHA256: 30c4ed4509726173dfbb176a35e6cbc70b97cc7cad46c615e8bf89ad653b9ce6
SHA512: a97a688c0663d2937377eb379da4e5cbdea9b28d09611a634b66cfb251091890722d160b44154fe073c4a5eb89b5dee27f06e17b0b3aea96b2bab8ef03d5360e
SSDEEP: 768:5yZE+8xnU25JWrmk2g9Ta1wCvKinXKCuY:5tU25J+a1hvhaCP
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | wscript.exe

Enumerates connected drives (3 TTPs, 3 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\A: | cmd.exe
  File opened (read-only) | \??\B: | cmd.exe
  File opened (read-only) | \??\E: | cmd.exe

Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18177_5476.jpeg" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18177_5476.jpeg" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18177_5476.jpeg" | wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (5 IoCs)
  pid | process
  3436 | timeout.exe
  688 | timeout.exe
  4500 | timeout.exe
  2600 | timeout.exe
  1452 | timeout.exe

Modifies Control Panel (3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop | wscript.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | process | procid_target
  PID 2036 wrote to memory of 2136 | 2036 | cmd.exe | 86
  PID 2036 wrote to memory of 2136 | 2036 | cmd.exe | 86
  PID 2036 wrote to memory of 3436 | 2036 | cmd.exe | 87
  PID 2036 wrote to memory of 3436 | 2036 | cmd.exe | 87
  PID 2036 wrote to memory of 688 | 2036 | cmd.exe | 88
  PID 2036 wrote to memory of 688 | 2036 | cmd.exe | 88
  PID 2036 wrote to memory of 4500 | 2036 | cmd.exe | 89
  PID 2036 wrote to memory of 4500 | 2036 | cmd.exe | 89
  PID 2036 wrote to memory of 2600 | 2036 | cmd.exe | 90
  PID 2036 wrote to memory of 2600 | 2036 | cmd.exe | 90
  PID 2036 wrote to memory of 4596 | 2036 | cmd.exe | 91
  PID 2036 wrote to memory of 4596 | 2036 | cmd.exe | 91
  PID 2036 wrote to memory of 916 | 2036 | cmd.exe | 93
  PID 2036 wrote to memory of 916 | 2036 | cmd.exe | 93
  PID 2036 wrote to memory of 1768 | 2036 | cmd.exe | 92
  PID 2036 wrote to memory of 1768 | 2036 | cmd.exe | 92
  PID 2036 wrote to memory of 1452 | 2036 | cmd.exe | 94
  PID 2036 wrote to memory of 1452 | 2036 | cmd.exe | 94
  PID 4596 wrote to memory of 1152 | 4596 | wscript.exe | 96
  PID 4596 wrote to memory of 1152 | 4596 | wscript.exe | 96
  PID 1768 wrote to memory of 4936 | 1768 | wscript.exe | 95
  PID 1768 wrote to memory of 4936 | 1768 | wscript.exe | 95
  PID 916 wrote to memory of 1480 | 916 | wscript.exe | 97
  PID 916 wrote to memory of 1480 | 916 | wscript.exe | 97
  PID 2036 wrote to memory of 3648 | 2036 | cmd.exe | 98
  PID 2036 wrote to memory of 3648 | 2036 | cmd.exe | 98
Processes (process tree; indentation shows parent/child level)
C:\Windows\system32\cmd.exe (PID:2036): C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.cmd"
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\certutil.exe (PID:2136): certutil -decode "Image.bin" "18177_5476.jpeg"
  C:\Windows\system32\timeout.exe (PID:3436): timeout /t 2
    - Delays execution with timeout.exe
  C:\Windows\system32\timeout.exe (PID:688): timeout /t 2
    - Delays execution with timeout.exe
  C:\Windows\system32\timeout.exe (PID:4500): timeout /t 2
    - Delays execution with timeout.exe
  C:\Windows\system32\timeout.exe (PID:2600): timeout /t 4
    - Delays execution with timeout.exe
  C:\Windows\system32\wscript.exe (PID:4596): wscript "0.vbs"
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\RUNDLL32.EXE (PID:1152): "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
  C:\Windows\system32\wscript.exe (PID:1768): wscript "0.vbs"
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\RUNDLL32.EXE (PID:4936): "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
  C:\Windows\system32\wscript.exe (PID:916): wscript "0.vbs"
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\RUNDLL32.EXE (PID:1480): "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
  C:\Windows\system32\timeout.exe (PID:1452): timeout /t 3
    - Delays execution with timeout.exe
  C:\Windows\system32\mode.com (PID:3648): MODE CON: COLS=100 LINES=25
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file 1
  Filesize: 384B
  MD5: b7a7938c66a80e1340076bd7a77dadc7
  SHA1: f2933f77a511a16a4845fd1e491c0566e518d51d
  SHA256: b5c95334085208b47c71a2a9d0fdadb7a74174e25a9ef2f3ef93620fa2e08946
  SHA512: 3e68154dc2fc2d31be228e2dd9180ba848b80ec6b873abe457e545d0808d988054892ca632bf293d3ccb0286ef7de3f40dc2c3931f77991417ec184fa5260f51
Dropped file 2
  Filesize: 21KB
  MD5: f6f72da7cd731682ff5442ba541457e2
  SHA1: 60bddfc609fad2f80c0688905e795e51003d9433
  SHA256: 00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1
  SHA512: 2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d