Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    138s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05/02/2022, 21:26

General

  • Target

    8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe

  • Size

    112KB

  • MD5

    65977152d62265c0f46751874bd45767

  • SHA1

    3b6aaf8ab4eb82062780202248aad45b916376ab

  • SHA256

    8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

  • SHA512

    c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/0C1C-257D-7431-0006-422B 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�
URLs

http://decrypttozxybarc.onion/0C1C-257D-7431-0006-422B

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Adds policy Run key to start application 2 TTPs 5 IoCs
  • Executes dropped EXE 4 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe
    "C:\Users\Admin\AppData\Local\Temp\8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe
      "C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe
        "C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe" -watchdog
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe
        "C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe" -stat 126
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:1544
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1964
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:944
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:856
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1548
          • C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe
            "C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe" -stat 126
            3⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Adds Run key to start application
            • Modifies Control Panel
            • Suspicious use of AdjustPrivilegeToken
            PID:972
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "UserAccountControlSettings.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{E7B8EC7A-1BC7-9DCC-B44A-6960964FFB54}\UserAccountControlSettings.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:708
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "UserAccountControlSettings.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2024
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:560
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:1660
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {B828715E-E055-47A6-A041-3A3B11270774} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
          1⤵
            PID:1816

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/848-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

            Filesize

            8KB

          • memory/1964-67-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

            Filesize

            8KB