Analysis

  • max time kernel
    143s
  • max time network
    88s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13/07/2020, 09:36

General

  • Target

    186vv53.exe

  • Size

    156KB

  • MD5

    e2a2cd3182abc1fa95d43c28647351b5

  • SHA1

    513453b5495268026cc5a2b59d115d46eaf51932

  • SHA256

    67e1a7ea77e26a39bedf12493f94a26b902fd557cdaca847c572f3ea85d20e0a

  • SHA512

    bf7dc8ed3036ea8fd7711fc0bdb8d3fbce694b17bd29c7657266c1509adb862258af29ccbf815da5692e4ccacc0d7faccf763f01f15300366fe513b236156b63

Malware Config

Extracted

Path

\??\M:\Boot\cs-CZ\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?LLLLLLLL
5. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://7rzpyw3hflwe2c7h.onion/?LLLLLLLL

http://helpqvrg3cc5mvb3.onion/

Signatures

  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Drops startup file 1 IoCs
  • Registers COM server for autorun 1 TTPs 24 IoCs
  • Drops file in Windows directory 45 IoCs
  • Drops file in Program Files directory 12087 IoCs
  • Suspicious use of AdjustPrivilegeToken 959 IoCs
  • Drops desktop.ini file(s) 41 IoCs
  • Modifies registry class 203 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Suspicious use of FindShellTrayWindow 69 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4530 IoCs
  • Suspicious use of SendNotifyMessage 79 IoCs
  • Loads dropped DLL 42 IoCs
  • Modifies service 2 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\186vv53.exe
    "C:\Users\Admin\AppData\Local\Temp\186vv53.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\186vv53.exe
      "{path}"
      2⤵
      • Drops startup file
      • Drops file in Program Files directory
      • Drops desktop.ini file(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:912
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Drops desktop.ini file(s)
    • Modifies Installed Components in the registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Modifies service
    PID:1856
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Registers COM server for autorun
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • Modifies data under HKEY_USERS
    • Loads dropped DLL
    PID:332
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding D94DA5D75E8586C1D033568E22B6B1C1
      2⤵
      • Loads dropped DLL
      PID:112
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding EDCEF8A4277425A034D05128A43D540E
      2⤵
      • Loads dropped DLL
      PID:1064
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding B25C96DBC8FC31CAADE9AD0671AAB217 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:1228
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Modifies registry class
    • Modifies Installed Components in the registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1792
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Drops file in Windows directory
    • Modifies registry class
    • Modifies Installed Components in the registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Modifies service
    PID:1392

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/332-64-0x0000000002DB0000-0x0000000002DB4000-memory.dmp

    Filesize

    16KB

  • memory/332-65-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

    Filesize

    8KB

  • memory/332-155-0x0000000004DE0000-0x0000000004E00000-memory.dmp

    Filesize

    128KB

  • memory/332-124-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

    Filesize

    8KB

  • memory/332-154-0x0000000005CE0000-0x0000000005CE4000-memory.dmp

    Filesize

    16KB

  • memory/332-147-0x0000000005CE0000-0x0000000005CE4000-memory.dmp

    Filesize

    16KB

  • memory/332-156-0x00000000012E0000-0x00000000012E4000-memory.dmp

    Filesize

    16KB

  • memory/332-57-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

    Filesize

    8KB

  • memory/912-4-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/912-2-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1392-54-0x00000000035F0000-0x00000000035F1000-memory.dmp

    Filesize

    4KB

  • memory/1392-157-0x00000000035F0000-0x00000000035F1000-memory.dmp

    Filesize

    4KB

  • memory/1392-55-0x0000000008E30000-0x0000000008E34000-memory.dmp

    Filesize

    16KB

  • memory/1392-56-0x0000000004630000-0x0000000004634000-memory.dmp

    Filesize

    16KB

  • memory/1792-51-0x0000000004EF0000-0x0000000004EF4000-memory.dmp

    Filesize

    16KB

  • memory/1792-50-0x00000000094B0000-0x00000000094B4000-memory.dmp

    Filesize

    16KB

  • memory/1792-47-0x0000000004200000-0x0000000004201000-memory.dmp

    Filesize

    4KB

  • memory/1856-10-0x00000000041F0000-0x00000000041F1000-memory.dmp

    Filesize

    4KB

  • memory/1856-24-0x0000000005450000-0x0000000005454000-memory.dmp

    Filesize

    16KB

  • memory/1856-23-0x0000000009D80000-0x0000000009D84000-memory.dmp

    Filesize

    16KB

  • memory/1856-5-0x0000000003A80000-0x0000000003A81000-memory.dmp

    Filesize

    4KB