Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
11/03/2024, 15:48 UTC
General
-
Target
PHOTO-DEVOCHKA.exe
-
Size
149KB
-
MD5
ff086d0d59b161c9b6c042e902323622
-
SHA1
a5533ae498366582e9b08cc28821ffd1e00f92a7
-
SHA256
abdc11a0da5cdc6e005a8fa09cf6398ec337cf7801cf5231e50e987345812ea3
-
SHA512
c779d69cad19597bf9a619d6f4599d7df4219d77e6144ee694c5076db56013e34781a691d93e6caac15a861b404bc1c15fdce8e70cb02b90ed7a0cc7015738a6
-
SSDEEP
3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hieh/zn7BWR:AbXE9OiTGfhEClq9Mh/zn4R
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "2⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"3⤵
- Blocklisted process makes network request
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"2⤵
- Drops file in Drivers directory
-
Network
- No results found
-
64.62.191.222:4321 -
64.62.191.222:4321
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263B
MD58affe5f3cc3622a72b17ba1861da99af
SHA1f2b7ad55d7e0168ae48f6e736560eccbf2a8b955
SHA2562fa050fa8d290bd8e82a5eb68acdf60b7a69c2cd6ad84a48db4d4ec2330bc742
SHA512f83cb16172fa07b340f5e36a21d442f0725006293a931b5861c44e43ac84351b40838b40937c3f1784a6e292c40f91df5c0e2ce3d3e6894757e1469b225c25d8
-
Filesize
48B
MD57215ed14e21d41517551593a906dfa9e
SHA1572ec6424f46b19e5b1a0ebcb58df8efadaa37aa
SHA256248f4f03a3bac68d3f2231e72dcdb82d16ba4a49631306e231200c36a4d7d6b6
SHA512c81fcc628b6178017cacdbf7c57b5bd3304ea1e6a43b4c8164082f6d701f7f03c16d3026b011819ee76cb4609ca8c00e70566382cd839fba9fe714e1d0a1f7e5
-
Filesize
3KB
MD5301b2cca659b0b0e9ce48260d2cf0c16
SHA1c1fd6cd76c4db862aa9550b2300f8fe960906f2b
SHA25635e4e941f3273ecca02b2c808d094eb0e165cd0d14433f1841990d6a93257f35
SHA5121065d922ac195777c427e07c06a70db43b10ba096c3d2919b8dbab0b04b11b581a1c2b9081566d8e01af031ca78f26ff1795c5544b70ed6fbe6c7d266133acbf
-
Filesize
27B
MD5213c0742081a9007c9093a01760f9f8c
SHA1df53bb518c732df777b5ce19fc7c02dcb2f9d81b
SHA2569681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
SHA51255182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9
-
Filesize
810B
MD5df166046c6da51ce4a90b0b7db6ef5a0
SHA114d786fe25a3905b1743973c7f9989a379f1433f
SHA256ba65b8fdade56e9d32701aeaeb737ecca78a55917084e8a0f55088e55ba4fa7c
SHA5122838a7c2ed28c362b7af6548d7437cd7a77c8b4b6f010305faeee37b7aa592e34a1b6e79cc4f3de0c5539f30dc6263f74dd827fbede41a8f1774d8f732dfb19d
-
Filesize
1KB
MD544ccd2e0f82c735fbef30c341d6bfc10
SHA18cc305f7f8fff401380175ae0cc7d0df99b83373
SHA256d29b19381fbf3494195232c63a36e6a9d38de4e2db3e80ae3f007a36e9674db3
SHA5128627b9c13415f5d9c917692281f2a33aa4286f0a50b0d08933ca663cd6cc12fb17256a2270ff283dd497661001b6c06f3d16e889215821659fa24ede367dfe07
-
Filesize
136KB