Analysis
- max time kernel: 76s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01/05/2022, 18:25
Static task
- static1
Behavioral tasks
- behavioral1: sample illegal and unillegal/dead.exe (resource win10v2004-20220414-en)
- behavioral2: sample decrypt-decrypters/Decrypter.exe (resource win10v2004-20220414-en)
- behavioral3: sample decrypt-decrypters/privateKey.xml (resource win10v2004-20220414-en)
- behavioral4: sample decrypt-decrypters/publicKey.xml (resource win10v2004-20220414-en)
General
- Target: decrypt-decrypters/Decrypter.exe
- Size: 218KB
- MD5: 97f3854d27d9f5d8f9b15818237894d5
- SHA1: e608608d59708ef58102a3938d9117fa864942d9
- SHA256: fac94a8e02f92d63cfdf1299db27e40410da46c9e86d8bb2cd4b1a0d68d5f7a2
- SHA512: 25d840a7a6f0e88092e0f852690ed9377cf3f38e0f2c95e74f8b2ffea574d83c6154cccdbf94f1756e2bbdcdb33b5106aab946644dedc4ffaefb6bf57a866696
Malware Config
Signatures
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  File opened for modification: C:\Users\Admin\Pictures\StepOpen.tiff (Decrypter.exe)
- Drops startup file (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Decrypter.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops desktop.ini file(s) (33 IoCs)
  Files opened for modification by Decrypter.exe:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpdut5lqr.jpg" (Decrypter.exe)
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 804 Decrypter.exe (all 23 events from the same process)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 804 Decrypter.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\decrypt-decrypters\Decrypter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\decrypt-decrypters\Decrypter.exe"
  PID: 804
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
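The signatures in this report are the sandbox's own heuristics. The following is an added example, not tria.ge code, that applies the same behaviours as detection rules over a list of file and registry events: a single process writing desktop.ini across many profile directories, a write into the Startup folder, a user file modified, a wallpaper registry value pointing into %TEMP%, and SeDebugPrivilege being enabled. The event tuples are constructed here from the IoC paths above plus one invented benign explorer.exe event; the event shape, the rule names and the threshold of five desktop.ini directories are assumptions.

```python
from collections import defaultdict

# Assumed threshold: the report shows 33 desktop.ini writes by one process. A single
# process touching this many distinct profile directories is rarely benign; tune it
# against your own telemetry.
DESKTOP_INI_DIRS_THRESHOLD = 5

# Constructed events, shape (pid, process, kind, target). The pid 804 paths are copied
# from the report's IoC list; the explorer.exe event is invented benign noise.
EVENTS = [
    (804, "Decrypter.exe", "file_modify", r"C:\Users\Admin\Pictures\StepOpen.tiff"),
    (804, "Decrypter.exe", "file_modify", r"C:\Users\Admin\Desktop\desktop.ini"),
    (804, "Decrypter.exe", "file_modify", r"C:\Users\Admin\Documents\desktop.ini"),
    (804, "Decrypter.exe", "file_modify", r"C:\Users\Admin\Downloads\desktop.ini"),
    (804, "Decrypter.exe", "file_modify", r"C:\Users\Admin\Pictures\desktop.ini"),
    (804, "Decrypter.exe", "file_modify", r"C:\Users\Public\Pictures\desktop.ini"),
    (804, "Decrypter.exe", "file_modify",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"),
    (804, "Decrypter.exe", "reg_set",
     r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\Desktop\Wallpaper"
     r"=C:\Users\Admin\AppData\Local\Temp\xpdut5lqr.jpg"),
    (804, "Decrypter.exe", "priv", "SeDebugPrivilege"),
    (1234, "explorer.exe", "file_modify", r"C:\Users\Admin\Desktop\desktop.ini"),
]


def _in_user_profile(path):
    """True for paths under C:\\Users, which is where the report's IoCs all live."""
    return path.lower().startswith("c:\\users\\")


def classify(events):
    """Return {(pid, process): sorted list of rule names that fired}."""
    hits = defaultdict(set)
    ini_dirs = defaultdict(set)  # per process: directories whose desktop.ini was written
    for pid, proc, kind, target in events:
        key = (pid, proc)
        if kind == "file_modify" and _in_user_profile(target):
            low = target.lower()
            if low.endswith("\\desktop.ini"):
                ini_dirs[key].add(low.rsplit("\\", 1)[0])
                # Startup is an autostart folder: the report's "Drops startup file".
                if "\\start menu\\programs\\startup\\" in low:
                    hits[key].add("drops_startup_file")
            else:
                # Any other user file written: the report's "Modifies extensions of
                # user files" fired on a single .tiff in Pictures.
                hits[key].add("modifies_user_file")
        elif kind == "reg_set":
            # Registry events are encoded as "<value path>=<data>" (assumption).
            name, _, value = target.partition("=")
            if (name.lower().endswith("\\control panel\\desktop\\wallpaper")
                    and "\\appdata\\local\\temp\\" in value.lower()):
                hits[key].add("sets_wallpaper_from_temp")
        elif kind == "priv" and target == "SeDebugPrivilege":
            hits[key].add("adjusts_privilege_token")
    # The desktop.ini rule only fires once a process has touched enough directories,
    # so explorer.exe writing a single one stays silent.
    for key, dirs in ini_dirs.items():
        if len(dirs) >= DESKTOP_INI_DIRS_THRESHOLD:
            hits[key].add("drops_desktop_ini")
    return {key: sorted(names) for key, names in hits.items()}


def ransomware_like(rule_names):
    """The three behaviours that together characterise the sample in this report."""
    required = {"drops_desktop_ini", "modifies_user_file", "sets_wallpaper_from_temp"}
    return required <= set(rule_names)


if __name__ == "__main__":
    for key, names in classify(EVENTS).items():
        print(key, names, "RANSOMWARE-LIKE" if ransomware_like(names) else "")
```

Run stand-alone it reports pid 804 Decrypter.exe with all five rules and flags it as ransomware-like, while explorer.exe produces no hits. The combination matters more than any single rule: a wallpaper change or a desktop.ini write on its own is common on a healthy host, which is why `ransomware_like` requires the file-spray, the user-file write and the %TEMP% wallpaper together.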