Analysis

  • max time kernel
    44s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2024, 08:18

General

  • Target

    PHOTO-DEVOCHKA.exe

  • Size

    180KB

  • MD5

    382a92ffb40d6f916369283221203e31

  • SHA1

    d6917ccf8618913dd50af79c4faf0de9722b7fb1

  • SHA256

    db42602675e782803c0105228bceb8d2b99204c280eaf43956484234e0319798

  • SHA512

    16983e0bae282d77b6e14c1583662776f02d6c232543cfe8c22be0f14dc83f968657e8dc5f0cc7dcc8711892384c046674c60d6daa01b82e17da2d8a55544192

  • SSDEEP

    3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0h9n+sTMOHQ8nHy:WbXE9OiTGfhEClq9oMOHq

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\na ulitsah\take me to the\333\why_do_you_cry_willy.bat" "
      2⤵
      • Drops file in Drivers directory
      • System Location Discovery: System Language Discovery
      PID:2948
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulitsah\take me to the\poztfiz\____000000_hello__.vbs"
      2⤵
      • Drops file in Drivers directory
      • System Location Discovery: System Language Discovery
      PID:2988
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulitsah\take me to the\poztfiz\_hello______22222_______.vbs"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:2060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\na ulitsah\take me to the\333\why_do_you_cry_willy.bat

    Filesize

    1KB

    MD5

    c85bb296e5c02a4c62925eb75a13a2f2

    SHA1

    701eefcb5e6b1679759c384695de1be4b56158b4

    SHA256

    b331a5e63a19a8e8770b67daa352cf6bee8c0154e0a4eadebae90bd4610a58d8

    SHA512

    e43dc44a6bc269ea0e42da966f3cd859816967c3987afd541b025ab925cdf6c46fce3a548d9dcf5efaafeed976521e3646b0cb8ef6b4f0799caec9992888d633

  • C:\Program Files (x86)\na ulitsah\take me to the\poztfiz\____000000_hello__.vbs

    Filesize

    844B

    MD5

    81e2464c239108f8742017fdf4d08fb0

    SHA1

    b3a6c6d246116ed0ee6cdedf58c4b154c0d612f8

    SHA256

    393d8e256c69be08ead7cc297ccc7af2e75fafc7eb07346538256c04094b49dc

    SHA512

    d7305a8438b99f076ab48e30ab89b3adb8a6e67dcc574fe2579aa8f7545a16ed65276714ec8acd97693741ae2c0974efd647db14c18a2e6b5774a6c08b4ac48a

  • C:\Program Files (x86)\na ulitsah\take me to the\poztfiz\_hello______22222_______.vbs

    Filesize

    617B

    MD5

    f0ab6e65160a825aacb7644bc7a68f96

    SHA1

    0f4fa59ea30f24c4062fa3a64191bcc87486a8f1

    SHA256

    f7c0fe09ebfa434e0a8ddbdcc329c202462c40a1e25925303725592a511d8f75

    SHA512

    846c0a565f485127ba65161fe5212edafe9648cd782538057bbb6b2c78a8ae9d7995cb0c8705cc0e11cdb4d92efbece82a735cd825bea48eb53027869476baae

  • C:\Program Files (x86)\na ulitsah\take me to the\poztfiz\popizdota.dot

    Filesize

    34B

    MD5

    aa5511a167a67e429a9fdf3ac25bce0e

    SHA1

    8ac961be922cdc3314ed342e809d68637e9ea1f2

    SHA256

    bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

    SHA512

    736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    25ee27baa31c59fdf6cf5d18955ef985

    SHA1

    51d4725afa6d997cb7347c60a7d17485a8fb2ea7

    SHA256

    75daf3b3c78bc2038351bee72d6036edf869f7106da7366722b1cd03f26f195d

    SHA512

    8a4e1f971b8158db5df7b24b8f0d317d2397209c21ab07c6e6014bc767bbc95e32093fb59e2e67369687c9ed024ff6d354652d02424a8050500a410369abe12e

  • memory/1768-33-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB