
Analysis

  • max time kernel
    60s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    09/07/2020, 17:15

General

  • Target

    270a1s0ssssd7da.exe

  • Size

    717KB

  • MD5

    131a072bc700105a2c0ab9af7be6bd02

  • SHA1

    43018d351cc5edd88dc6535113547e5fc1f02f60

  • SHA256

    b215d5e7cf39628497363e29d2dce0475e7180da848f7f6032d1187c78fd16bf

  • SHA512

    acfe259f69a3213a44f4cddd01397a336c951d984cd808d3e9c39486e3eec310b40d0baed24c1e089641920c1999e4b8d7888f408aebe5157d429ab4cd70748e

Score
10/10

Malware Config

Extracted

Path

\??\M:\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?HYABDFGI
5. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://7rzpyw3hflwe2c7h.onion/?HYABDFGI

http://helpqvrg3cc5mvb3.onion/

Signatures

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 5074 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies registry class 5 IoCs
  • Drops file in Program Files directory 9454 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\270a1s0ssssd7da.exe
    "C:\Users\Admin\AppData\Local\Temp\270a1s0ssssd7da.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\270a1s0ssssd7da.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:3944
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Modifies Installed Components in the registry
    • Modifies registry class
    PID:4000

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3944-0-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/3944-2-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB