Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

c053df8429...ae.exe

windows7_x64

10

c053df8429...ae.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24/05/2022, 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe

  • Size

    2.7MB

  • MD5

    235c65d98cae9133afd6357bef878061

  • SHA1

    cf5c6c1ce68dcd06152b29c763711ebcb25f45b0

  • SHA256

    c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae

  • SHA512

    e836e2a38ed2e01b4d391be9b5dabcdc52bee2d70dc64c495aaa541a5f53f92f93c125123aa734d56cd141dba71695e256b236659a058d47eb357c586a3ef354

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\Unlock_All_Files.txt

Ransom Note
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Life <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< All Your Files Has Been Locked! If you think you can decrypt the files we would be happy :) But all your files are protected by strong encryption with AES RSA 256 using military-grade encryption algorithm Video Decrypt: Due to the deletion of video on video sharing sites You can download and watch the video from the link below: https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool Your unique Id : CEXBQIGGAKJPKMFB Contact : [email protected] or https://t.me/filedecrypt002 What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 2days to Decide to Pay after 2 Days Decryption Price will Be Double And after 1 week it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Again, we emphasize that no one can decrypt files, so don't be a victim of fraud. It's just a business Warning : If you email us late You may miss the Decrypt program Because our emails are blocked quickly So it is better as soon as they read email Email us ;) You Can Learn How to Buy Bitcoin From This links Below https://localbitcoins.com/buy_bitcoins https://www.coindesk.com/information/how-can-i-buy-bitcoins https://www.bestbitcoinexchange.io >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Security <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
URLs

https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view

https://t.me/filedecrypt002

https://www.bestbitcoinexchange.io

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Kills process with taskkill 3 IoCs
    evasion
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
    "C:\Users\Admin\AppData\Local\Temp\c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlservr.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM sqlservr.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1744
    • C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlceip.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM sqlceip.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1096
    • C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlwriter.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM sqlwriter.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:676
    • C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Admin\AppData /s /q"
      2⤵
        PID:1036
      • C:\Windows\system32\cmd.exe
        cmd /C "rmdir C:\Users\Default\AppData /s /q"
        2⤵
          PID:596
        • C:\Windows\system32\cmd.exe
          cmd /C "rmdir C:\Users\Public\AppData /s /q"
          2⤵
            PID:1500
          • C:\Windows\system32\cmd.exe
            cmd /C "attrib +h +s Encrypt.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1200
            • C:\Windows\system32\attrib.exe
              attrib +h +s Encrypt.exe
              3⤵
              • Views/modifies file attributes
              PID:1476
          • C:\Windows\system32\cmd.exe
            cmd /C "net stop MSSQL$SQLEXPRESS"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1672
            • C:\Windows\system32\net.exe
              net stop MSSQL$SQLEXPRESS
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:524
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
                4⤵
                  PID:1816
            • C:\Windows\system32\cmd.exe
              cmd /C "rmdir C:\$Recycle.Bin /s /q"
              2⤵
                PID:1064

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads