
Resubmissions

05/09/2020, 15:54

200905-8whhad83m2 10

Analysis

  • max time kernel: 151s
  • max time network: 113s
  • platform: windows10_x64
  • resource: win10v200722
  • submitted: 05/09/2020, 15:54

General

  • Target: f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe
  • Size: 588KB
  • MD5: d4f2318beec5fb9fbe1c8e33472159a4
  • SHA1: 55f05db53254f8d129c3fabc91e1b46d93c81b92
  • SHA256: f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05
  • SHA512: b1b23730841240b051034c36d9e8c69400212ae51f43a3c9f8f4ac79c860a1d2d7af9727e1ff1303a87f9146b22fbad5091f2a1879925b1a01922b949379d1e9

Malware Config

Extracted

Path

C:\R3ADM3.txt

Ransom Note
The network is LOCKED. Do not try to use other software. For decryption tool write HERE: [email protected] [email protected] If you do not pay, we will publish private data on our news site.

Signatures

  • Modifies extensions of user files (10 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (32 IoCs)
  • Modifies service (2 TTPs, 5 IoCs)
  • Drops file in Program Files directory (6802 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (198 IoCs)
  • Suspicious use of AdjustPrivilegeToken (47 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe (PID 1468, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f79275288b3c6595220430984cc2a75576d8998b8f19e624c9fe6327e2602b05.exe"
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SYSTEM32\cmd.exe (PID 3928, depth 2)
      Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3906381B-D0F9-4B15-BB9D-C9BBD640133A}'" delete
      • Suspicious use of WriteProcessMemory
      • C:\Windows\System32\wbem\WMIC.exe (PID 1792, depth 3)
        Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3906381B-D0F9-4B15-BB9D-C9BBD640133A}'" delete
        • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\svchost.exe (PID 420, depth 1)
    Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\vssvc.exe (PID 2700, depth 1)
    Command line: C:\Windows\system32\vssvc.exe
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
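The process tree above shows the sample deleting a Volume Shadow Copy through a cmd.exe-wrapped WMIC call (MITRE ATT&CK T1490, Inhibit System Recovery). The following Python is an added example, not part of the tria.ge report, that flags this pattern in process-creation telemetry and walks the parent chain back to the process that launched it. The event records are constructed to mirror the tree above (field names follow Sysmon Event ID 1; the shadow copy ID is the one shown in the report). The vssadmin and wbadmin rules generalise beyond the single WMIC command this report records, and two benign `list` queries are included so the rule set can be checked against the false positives an administrator would generate.

```python
"""Detect shadow-copy deletion in process-creation events and trace it to its origin."""
import re

# Constructed process-creation records (Sysmon Event ID 1 style field names). The first three
# mirror the process tree in the report; the rest are constructed to show a vssadmin variant
# and two benign shadow-copy queries that must not fire. None of this is sandbox output.
EVENTS = [
    {"ProcessId": 1468, "ParentProcessId": 900,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"ProcessId": 3928, "ParentProcessId": 1468,
     "Image": r"C:\Windows\SYSTEM32\cmd.exe",
     "CommandLine": r'''cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3906381B-D0F9-4B15-BB9D-C9BBD640133A}'" delete'''},
    {"ProcessId": 1792, "ParentProcessId": 3928,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3906381B-D0F9-4B15-BB9D-C9BBD640133A}'" delete'''},
    {"ProcessId": 5120, "ParentProcessId": 1468,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ProcessId": 612, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy list brief"},
    {"ProcessId": 700, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

# Each rule is (name, regex) applied to the lowercased, whitespace-normalised command line, so
# casing, quoting and full paths do not matter. The wmic rule fires on the cmd.exe wrapper as
# well as on WMIC.exe itself because the wrapper carries the same text on its command line.
RULES = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
]


def normalise(cmdline):
    """Lowercase and collapse whitespace so regexes see a predictable string."""
    return " ".join(cmdline.lower().split())


def match_rule(cmdline):
    """Return the name of the first rule that matches this command line, or None."""
    text = normalise(cmdline)
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    return None


def find_shadow_copy_deletion(events):
    """Return [(ProcessId, rule_name)] for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        name = match_rule(ev["CommandLine"])
        if name:
            hits.append((ev["ProcessId"], name))
    return hits


def ancestry(events, pid):
    """Follow ParentProcessId links and return [pid, parent, grandparent, ...] for as far
    as the telemetry reaches, so a hit on WMIC.exe is tied back to the process that spawned
    it (here the sample itself). The seen-set guards against PID reuse creating a cycle."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return chain


if __name__ == "__main__":
    for pid, rule in find_shadow_copy_deletion(EVENTS):
        print(f"PID {pid}: {rule}; ancestry {ancestry(EVENTS, pid)}")
```

The cmd.exe wrapper and the WMIC.exe child both fire, which is intentional: some telemetry sources record only one of the two. The `list` variants stay silent, but both vssadmin and wmic are legitimate administrative tools, so in production the alert should be weighted by the parent process (an executable under a user's Temp directory spawning the deletion, as in this tree, is far more suspicious than a scheduled backup job doing so).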

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1468-0-0x0000000002730000-0x000000000275D000-memory.dmp (Filesize: 180KB)
  • memory/1468-1-0x0000000002760000-0x000000000278B000-memory.dmp (Filesize: 172KB)