Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

PHOTO-DEVOCHKA.exe

windows7-x64

8

PHOTO-DEVOCHKA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    94s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PHOTO-DEVOCHKA.exe

  • Size

    180KB

  • MD5

    02c11f1ec6c372847460c9afd76390dd

  • SHA1

    032ee4e4369c55489abc2971a8b2c295e368b780

  • SHA256

    4c9f213973c5144faafaad68cb94b809519752309208b998bb49621f02d8eabf

  • SHA512

    1910f7447c783469c0853629500de9335717cb19e083a1502bee7031c26a3738535bfd5d74b7dafa1034a6b8079fe0482aba165f40598b410c5a8a8304a0d2fa

  • SSDEEP

    3072:VBAp5XhKpN4eOyVTGfhEClj8jTk+0hvA8DN5TcKM4xoawC3Tw:wbXE9OiTGfhEClq92A8DP1Mvabk

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\yellowishfattyilobtained.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:2328
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\conservationistsandother.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:3444
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\Crudepalmilutures.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:1456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\Crudepalmilutures.bat
    Filesize

    715B

    MD5

    03eba18623b9331f83578dec7930c482

    SHA1

    27a9f2ce863b7dd6e897e6daec56562433f1e0fd

    SHA256

    41f1a182339522ac984b1276a4fdc96acc48e5d16282fb8fb8f92fc956ffb9cb

    SHA512

    d8e00b2337739478521fe61e557beecbc02ecce7923ea435cf3432652f5cbe2c699751a2c0178c23c096797e9d067c19349290badbb9824a6ad8348c0ec01129

    Download Submit

  • C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\Elaeioleiferandhemar.ipa
    Filesize

    71B

    MD5

    9b3268dccd0bdadd9b1befd0c76798a1

    SHA1

    cc47c18947b39a560f6501c8801bdd44b0bafa2f

    SHA256

    713453321d24315e307a5c1f93f56f5dbd2e01d056d7b94a2a27726c7b3abf34

    SHA512

    c2927d27eabd4822d4dd2fb9be06b714fc40a564b1896e44ae27f392654953c1c252bd2bb2d6467c821e739f8d2968c537b267a30197a7f82857f8a8f3c06e75

    Download Submit

  • C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\conservationistsandother.vbs
    Filesize

    500B

    MD5

    9fbb0531c4af46af59305936a6ec66be

    SHA1

    81ef1472a34f9c90738cfdb6cd8be71d6518de4e

    SHA256

    5c41e584453cfe13a7b3d2116fb0702a7e3431132ab275c9d2c3aab6319b421a

    SHA512

    491c5fc06c1468453c2e9998ddb9da467b1147ff035e679ce30a05b2511891d25cb0d856bb858dc1089523ce566c2a7bcf02acb03a00e2d1e02d7dc13f3ca849

    Download Submit

  • C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\yellowishfattyilobtained.vbs
    Filesize

    645B

    MD5

    ef69ef221195bc42cc1ccf574c7e713f

    SHA1

    d0d6fe3ef8060c5a7911029e32a052218d1ea2a5

    SHA256

    b5a51b1c65448becfc32b59be5ea7e885a085fe4cfad3c1a9494a6af16417a8e

    SHA512

    f0e2df84bd3e4e7db8c5e22d374d97b727311f7295504cba2353e1844e9a7216eb7165b1b2c824a7663d48f108491de51fa6a74514fafd50af940fe8099953e8

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    f171786ec060c21808b83e91b5a748ba

    SHA1

    49627304d348ff56bf5c790696297e76a2240e28

    SHA256

    ad3360381bb13f1918e7afd07650f1644a5ce8a222633dfbf272a1e76417f162

    SHA512

    c292ada6854542a6bba165b4362b81008c5b8035e60bab2c3989db7c8032139f91296977f6e8e37c70e73436b1fe653f1dbba2398ead88fadb795f10a1f0716a

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    b39b3c6e849da2757406331d12729746

    SHA1

    3974776133b06047b01a16c818024e4d363ef1df

    SHA256

    8f7a294349bd802db8991a3246f0d3153ff993e593249398f0b1342f97a49487

    SHA512

    b995db81214a871c92cac59a0e4a569be016c35bd6a571d7f1bbbcc0535ffb99f480e04fdff8af00bb7a172efe104d138c6153c2b20d8833c11209effb161e58

    Download Submit

  • memory/4536-40-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download