Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
16/09/2022, 20:30
General
-
Target
fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe
-
Size
305KB
-
MD5
a7131ea3c8092b156ca4a085cfaae261
-
SHA1
de143d8b3ab3770323b952304604d269721be992
-
SHA256
fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a
-
SHA512
3ea7ee70b44411dc174f94dba563efadd408f06ae2b6bc72ce277edf92be867a16b5b20c2630d3d3738fd774d7a833f8086b88ba61dd31adeb6837e1783acd12
-
SSDEEP
3072:OyhXtgjCIS23LqVaMKmJRw6dbPO2kW5P40UdYk0KjPgrTHM/h3BsxkgaBChU/pZn:jFtYLvMEuO2Ro90AorTHnigabwVf
Malware Config
Extracted
djvu
http://acacaca.org/lancer/get.php
-
extension
.eebn
-
offline_id
5IVlpkccZlJz0AZ5atgGWVKe9CGAnXjohDf40mt1
-
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-0e5rCKsYCc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0561Jhyjd
Extracted
raccoon
7394a7fc5da9794209d8b0503ca4abf4
http://94.131.106.59
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 10 IoCs
-
Detects Smokeloader packer 1 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 5 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe"C:\Users\Admin\AppData\Local\Temp\fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\17DD.exeC:\Users\Admin\AppData\Local\Temp\17DD.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\17DD.exeC:\Users\Admin\AppData\Local\Temp\17DD.exe2⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\e2c5d4ca-c41e-4649-9668-3f9523b7cbb7" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\17DD.exe"C:\Users\Admin\AppData\Local\Temp\17DD.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\17DD.exe"C:\Users\Admin\AppData\Local\Temp\17DD.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\2e6bf31f-ac9f-44bd-9158-a96556965657\build2.exe"C:\Users\Admin\AppData\Local\2e6bf31f-ac9f-44bd-9158-a96556965657\build2.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\2e6bf31f-ac9f-44bd-9158-a96556965657\build3.exe"C:\Users\Admin\AppData\Local\2e6bf31f-ac9f-44bd-9158-a96556965657\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- DcRat
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\1994.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\1994.dll2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\1A8F.exeC:\Users\Admin\AppData\Local\Temp\1A8F.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- DcRat
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5ea3ead1b160922fb25b1b9d766a56fa5
SHA19f61cb0a5a80fa5ba776f71fed4728d002d3aca1
SHA2564080213fba647d43c0ac02710ac7b631c23f8f791930016045cda9aeec1b6867
SHA512ec817bdc668bff4c266ca8b6a6c4068251926714262a95f9ac7f7565e2d66a26371589182d0ba1d03fa482d99430b865cb7eb24becf92b72e45f20b26a215c15
-
Filesize
1KB
MD5e9e482bf825221326b7c080ef52e5036
SHA167244c170dad567630298f89364a5e9626e2517a
SHA25660843d5086f10e833ca98696967f1a39ea04a2ffee6d87679b5803092b9cfa71
SHA512c7a5fd63c0faa2a5cd8be90c7dcf10d8dd564964dc4b8ab4fa1a7a188fa89094563f595c94f4ea133582cfbcf9cc90cb74bd273924b7fa5eadae868bced51440
-
Filesize
488B
MD5af3e4fbac91607f14276d2e1d34b7395
SHA1c8dce8a820136a371a75427d4aa092724c01b7dd
SHA256285cc5c88f9d89ebb7a56d86618eeeb7d4e0fe1e83d2eccb9a4b345031b7c648
SHA512a5a8f7e05bed8414bae017657bc27d079ac64697459c018e045b39fb7f373e2547687fec5ef849e2f14f9d2e474c7c4b3467458d95675756f9e4ff6f2eeedc32
-
Filesize
482B
MD570582d9392422af94699b8e4e4a80c71
SHA15a19076946435f06e9e2a4026d65fda20758df72
SHA256776523b52e1c91d6ab62d411db82aded5e2680c96844eeb747cb228953669c44
SHA5124c9934a6e10e5d6025eced13f43b5238927439f895f8a070006fc60362c15178b98e523074e1dc854486f2d0a5934c976b491b84b7d2e61833de0908ac543aa7
-
Filesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
Filesize
376KB
MD58b01bb02b7aeb097ba96dc7628575ca0
SHA111046fb024f695b1dc7a3a0be9167cb4e85548c6
SHA2567abb4b2423a93fa4b7a2cd19bcc854cc96d2e9ed20c13b86c39f49fe7cb80e4a
SHA51264cd772d4e319255e32909577ac137966cd47bd295aa3a61a76e52d651d80d313a3cfee7ea88d703bb293931a91558161184de2b76f8e5d9a2358a065c5c5f35
-
Filesize
376KB
MD58b01bb02b7aeb097ba96dc7628575ca0
SHA111046fb024f695b1dc7a3a0be9167cb4e85548c6
SHA2567abb4b2423a93fa4b7a2cd19bcc854cc96d2e9ed20c13b86c39f49fe7cb80e4a
SHA51264cd772d4e319255e32909577ac137966cd47bd295aa3a61a76e52d651d80d313a3cfee7ea88d703bb293931a91558161184de2b76f8e5d9a2358a065c5c5f35
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
1.7MB
MD5d80ebc640cfb85e684404edafa30a94e
SHA19b53131ea4f2e65dcafb601d7e6965e27bfcfc31
SHA256a82e11e5cf02291010e9861c6d54beeae649cf9fb313b839296d56b451a7dde2
SHA512ba6ac688263d095a68be8e52dc7163202b199ef9858758115396757ed3799839ed889cd0cfeb051ee16fd6b3cbd032c803f2699048be69a34a9da5c03d5fbdf8
-
Filesize
1.7MB
MD5d80ebc640cfb85e684404edafa30a94e
SHA19b53131ea4f2e65dcafb601d7e6965e27bfcfc31
SHA256a82e11e5cf02291010e9861c6d54beeae649cf9fb313b839296d56b451a7dde2
SHA512ba6ac688263d095a68be8e52dc7163202b199ef9858758115396757ed3799839ed889cd0cfeb051ee16fd6b3cbd032c803f2699048be69a34a9da5c03d5fbdf8
-
Filesize
1.7MB
MD5d80ebc640cfb85e684404edafa30a94e
SHA19b53131ea4f2e65dcafb601d7e6965e27bfcfc31
SHA256a82e11e5cf02291010e9861c6d54beeae649cf9fb313b839296d56b451a7dde2
SHA512ba6ac688263d095a68be8e52dc7163202b199ef9858758115396757ed3799839ed889cd0cfeb051ee16fd6b3cbd032c803f2699048be69a34a9da5c03d5fbdf8
-
Filesize
229KB
MD5a2370ca56445054a0985a0972e0040ca
SHA1823a2bd23f749a26ce4743279d5d85129830f2fc
SHA256ae769b328bb61b642ba1177d138f8732be2e27fd91af5e226dc99b88bb35bdcb
SHA512666a9cb47607dd9c0c2928a83ea830939371cee0cfc21ec6964acb26c14268eef37e9417740f5ce6d86312d301532c989b2b576086182e37c2fd1db6a2e71728
-
Filesize
229KB
MD5a2370ca56445054a0985a0972e0040ca
SHA1823a2bd23f749a26ce4743279d5d85129830f2fc
SHA256ae769b328bb61b642ba1177d138f8732be2e27fd91af5e226dc99b88bb35bdcb
SHA512666a9cb47607dd9c0c2928a83ea830939371cee0cfc21ec6964acb26c14268eef37e9417740f5ce6d86312d301532c989b2b576086182e37c2fd1db6a2e71728
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
68KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
36KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
216KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
580KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
672KB
-
Filesize
1.8MB
-
Filesize
1.2MB
-
Filesize
756KB
-
Filesize
136KB
-
Filesize
256KB
-
Filesize
1.1MB
-
Filesize
580KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
428KB
-
Filesize
468KB
-
Filesize
428KB