Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 01:37

General

  • Target

    0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe

  • Size

    388KB

  • MD5

    678e01aacc99779c502e9473876548e0

  • SHA1

    cd9e404b37a2029e88f904b98f966b7e1284ff70

  • SHA256

    0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

  • SHA512

    9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4

  • SSDEEP

    6144:fda8uOhcMWhqVln4xKDW9KobFEFLOSO6/NvsHJxc00d+DzRLITiNs:Va8ivhqVl+KC9LpEQSO62DzRLm

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://tkj3higtqlvohs7z.aw49f4j3n26.com or http://tkj3higtqlvohs7z.dfj3d8w3n27.com , https://tkj3higtqlvohs7z.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 15fVgKDf3MmS6FzNzRztWWzMcWPXatpVgP Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tkj3higtqlvohs7z.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 15fVgKDf3MmS6FzNzRztWWzMcWPXatpVgP Follow the instructions on the server.
Wallets

15fVgKDf3MmS6FzNzRztWWzMcWPXatpVgP

URLs

http://tkj3higtqlvohs7z.aw49f4j3n26.com

http://tkj3higtqlvohs7z.dfj3d8w3n27.com

https://tkj3higtqlvohs7z.s5.tor-gateways.de/

http://tkj3higtqlvohs7z.onion/

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
    "C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
      C:\Users\Admin\AppData\Local\Temp\0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\AppData\Roaming\fjuvlhw.exe
        C:\Users\Admin\AppData\Roaming\fjuvlhw.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Users\Admin\AppData\Roaming\fjuvlhw.exe
          C:\Users\Admin\AppData\Roaming\fjuvlhw.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1720
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1096
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0A1688~1.EXE >> NUL
        3⤵
        • Deletes itself
        PID:2036
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\fjuvlhw.exe

    Filesize

    388KB

    MD5

    678e01aacc99779c502e9473876548e0

    SHA1

    cd9e404b37a2029e88f904b98f966b7e1284ff70

    SHA256

    0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

    SHA512

    9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4

  • C:\Users\Admin\AppData\Roaming\fjuvlhw.exe

    Filesize

    388KB

    MD5

    678e01aacc99779c502e9473876548e0

    SHA1

    cd9e404b37a2029e88f904b98f966b7e1284ff70

    SHA256

    0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

    SHA512

    9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4

  • C:\Users\Admin\AppData\Roaming\fjuvlhw.exe

    Filesize

    388KB

    MD5

    678e01aacc99779c502e9473876548e0

    SHA1

    cd9e404b37a2029e88f904b98f966b7e1284ff70

    SHA256

    0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

    SHA512

    9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4

  • \Users\Admin\AppData\Roaming\fjuvlhw.exe

    Filesize

    388KB

    MD5

    678e01aacc99779c502e9473876548e0

    SHA1

    cd9e404b37a2029e88f904b98f966b7e1284ff70

    SHA256

    0a1688dd2444cbec7c67fae7d0d2745d4b9282e7788623df64b5507f1f7f1b41

    SHA512

    9e37f00ca44f966e3b5c47cd0cdf09cbd960ef961baca64b7fce9a70882e54151c5ddb5d755aef3bf1e3a16a804d90cc4398362440b64ee034a7a1e470b151c4

  • memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

    Filesize

    8KB

  • memory/1664-62-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1664-90-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1664-68-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1664-69-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1664-64-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1664-55-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1664-60-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1664-56-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1664-58-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/1720-92-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB