Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 04:23

General

  • Target

    Trojan-Ransom.Win32.Blocker.exe

  • Size

    862KB

  • MD5

    69d4343e34285f48ed7d1b02609b6423

  • SHA1

    f55b274b8451ef2a943020bb86f6774faa3cd116

  • SHA256

    dc1725015e18e586613feed7f94457a14b40c1e3ca87d78543a38f3ab58dfde5

  • SHA512

    cfa6af282cba559fdf0cff95e80c17ef5f8306f1e8dc94aaa693cb05047a83a47d0b4ce3960a76d798349d77fb3f6e93455c998e41c6c41e6f3ea70ba8f6e7f9

  • SSDEEP

    1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8gHn2JX:+YLmGO4W849NXO9RlK6gOxiDouto2N

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1320
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:2356
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3036


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      2KB

      MD5

      0774dce1dca53ce5c4f06846dc34a01a

      SHA1

      b66a92ae7ae2abc81921ed83fea0886c908b14b3

      SHA256

      653df1e7ee6eb78011d131d41eebad55a6b11e14073ac204587960c404d2300f

      SHA512

      43582562e20238142d801d97dee6efff1213d38506dc8e21001517d799e52c5157a0ce814e29045fb267200878e964f04d05bb209ac738d510b48ebd689b82e2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      471B

      MD5

      0ef90204485649be625ea2be1b9018fb

      SHA1

      28fbc0852140ec51d0c097a4962a160afa4d754b

      SHA256

      c8028acd9a8c8c795b87cf835fc3182d003264608f161baa0ca020711b22bca0

      SHA512

      b8bbba0dcc6cb6f87efb47a605953c93fcf93c5a65520b822ebfee25754632d6bb66c2a946f457e1e40a92556683ddb9d14f2703782833e12d7e37bb3b7fcec5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      1KB

      MD5

      be2b5211e42eb9225d21358e7eb3f78f

      SHA1

      35b1ab3adde0a5f3cad8862897f1ea7a86946349

      SHA256

      3185aa19aba785efc822b72e3f2959e07343c1935f8f2b46a4438060763c9111

      SHA512

      9b20c8dceb160aad20de302c2589b86fae64f7842b370812fd8baba3e8154a357c0a1c282ea95fbc5406ab093593637929edaf83c42e19c7b6a011d286b06b6a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

      Filesize

      472B

      MD5

      348f6c5d513404b3c3c6c27f3de2dfdf

      SHA1

      acb18df838bf8ddb2667e944a82b2930bdecfad8

      SHA256

      a46606d9bc72c7330fff6849e1caa6c773c79d66236549408380362d28d892a1

      SHA512

      79dd389bc9a05312290bf69386faa56fd5a6515a0efd7685249831732f6a7c948ac41f288e038a65929e1b56f8fc615db12b7d3955a5e3279ebc8895fd150cab

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      488B

      MD5

      fbccc8658fcbff68b8fd06c547e42084

      SHA1

      e3751bc406d0ea07a4d70508515d9c22e0a922c1

      SHA256

      5af40e6a1108eec853c45c31a9151d60e04104d5aa8e882a31d4ee1acab3f9fc

      SHA512

      eb8477b2498f19d6ef62371200dc720331d452fcdaab4e682c8d6091152e2fc216a31b94d53551db204594ad12d936e6c8e28e242fe88b3384b1290515d7cd9d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      434B

      MD5

      7501d91db8f4e655a84d4da1c14938cf

      SHA1

      3a90f679efef2b54ae721b0561cef27dc38b18ad

      SHA256

      07b32ba5bb461c2cfb163e565276c1b2047a30a03452641410899d968f551c6e

      SHA512

      18808d2f731e2cb4ac5044794c35fcf3b416c13c9322d91ee03973b1763773370d572a70b2dbf7b4f770f122d97fde70b850f959ad4d2238482d0ee0fa0e00a1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      482B

      MD5

      fc5770608def1952a621b3a81b94786c

      SHA1

      d037831da849f15e6e7ed822ee7522481de517d0

      SHA256

      c3c505062cec85a147ea2af3db0f3861e1cc924e1613daee04dcb287d553e821

      SHA512

      cda3323e82a8ed4b865b90d602db7bf81e4cfb2a6946b9c1b576ac9e5629aafa8ceb22fb2f4834b66bdd46c6f94568efe7bd299c7a3377e62566d75d3f61ad0d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

      Filesize

      480B

      MD5

      62c0ecfdece98550744fd912e23adf39

      SHA1

      9b0a8b5b40b989894cfd2666cf54f3c007472154

      SHA256

      2fa4f14eea0a0f10817d6cf37b70435cfb98ab4e1c867fe3b5e7a1e536c4f67a

      SHA512

      3db19546b368c048bef2471ec4e9254b29ca97ac5f98a5d3a0b8161d0f7fdaa54663306f152b968f9c934e10c929f7fbff2245555abe8f3bbf95ac1192bb33b6

    • C:\Users\Admin\E696D64614\winlogon.exe

      Filesize

      862KB

      MD5

      69d4343e34285f48ed7d1b02609b6423

      SHA1

      f55b274b8451ef2a943020bb86f6774faa3cd116

      SHA256

      dc1725015e18e586613feed7f94457a14b40c1e3ca87d78543a38f3ab58dfde5

      SHA512

      cfa6af282cba559fdf0cff95e80c17ef5f8306f1e8dc94aaa693cb05047a83a47d0b4ce3960a76d798349d77fb3f6e93455c998e41c6c41e6f3ea70ba8f6e7f9

    • memory/1320-147-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1320-146-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1320-143-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1320-156-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3996-132-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/3996-140-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/4936-141-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB