Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    202s
  • max time network
    216s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    11/02/2022, 06:48

General

  • Target

    6fcdd8a2702c1102362771912e75b76ffada9a30ad0683cdf489bac59fb3526b.exe

  • Size

    50KB

  • MD5

    5d71aa0ad68d1240aba04f1a9f3a6191

  • SHA1

    5b534dcf9ac7497db5f943adff3af31aae1fa48d

  • SHA256

    6fcdd8a2702c1102362771912e75b76ffada9a30ad0683cdf489bac59fb3526b

  • SHA512

    9e71182f59aee6a34ccdc8ef7e930f7fa25f019d45efe7dbb6d45cd50d3384b42d59c3b1e249f5da7727be616ae2381887b3ad917ef546c8997c2476cc94ed36

Malware Config

Extracted

Path

C:\HOW_TO_BACK_FILES.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: [email protected] [email protected] ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: ��������8D 06 7F 04 28 B3 4C 1B B4 2A E7 97 AA 4B 96 A0 FE 36 02 9C AB E7 13 AA 52 CC 19 A1 00 74 AE CC D7 E5 28 74 25 D9 06 3D DC 45 B4 3E 92 AE B2 3E 28 F7 9A 2E 7E 4D 18 D0 54 33 0C C2 2D E6 C5 90 1E D9 DE F7 5C 7F E8 D7 97 26 B1 0C 06 07 4E B4 9C 81 A3 74 60 E6 BD D7 1B 07 0A DE 73 1A B7 A3 EB 71 34 72 46 42 4B 03 6C 2B 4C 3E 11 C5 3E 7F 92 66 52 27 2D AA A5 A2 0E 43 AC E4 0C 39 DD 78 D1 26 87 69 43 F5 8B 9E 73 BD 4B 4E C4 0D 1E 31 1A 11 F0 F3 A5 DE EA 36 24 42 28 69 78 8E 5E 25 8F 23 54 B2 9D 90 A1 3A 42 05 B2 D3 1D A5 99 86 E1 A2 20 4E 8F 67 E4 E1 76 82 DF 6B F7 36 77 42 21 59 AD 98 87 D5 FF 6C 7C 30 57 78 48 87 97 76 12 1C FE 43 4C BC 5A E2 1C DB BB 3A 93 E0 FB 9F 19 EE 38 CC 88 8A 27 3B 87 99 E9 03 DB A6 C1 A2 6C ED 18 1D 04 6C 30 8B E2 40 BB 75 5D 9E BD 69 ������������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fcdd8a2702c1102362771912e75b76ffada9a30ad0683cdf489bac59fb3526b.exe
    "C:\Users\Admin\AppData\Local\Temp\6fcdd8a2702c1102362771912e75b76ffada9a30ad0683cdf489bac59fb3526b.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:3940
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2988
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads