Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

8e4fa69d87...ab.exe

windows7_x64

10

8e4fa69d87...ab.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    24/02/2022, 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe

  • Size

    161KB

  • MD5

    8e4fa69d87a6d3c6d7e6c699b25cc2ab

  • SHA1

    e5981cfe6ded85b01b10f4b2a5fc2f8537a63b31

  • SHA256

    6a0d713e89b61a8709f8d55e19631ec31370d87880a478704609eee78ccd3c18

  • SHA512

    fd6ad515c7227a8525e3f3c7b390c547e86b43624424acb978e14d0a7dfa6a90f3cf95518a3b97509f36aed1eb3173dae9d31b6f23990abc232c9dcfb1245994

Score
10/10
evasionransomware

Malware Config

Extracted

Path

C:\Program Files\RECOVERY INFORMATION.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: 9B69331CE574 �

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
    "C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Windows\system32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2604
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:788
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3572

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads