Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
26/11/2022, 17:19
General
-
Target
b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2.exe
-
Size
323KB
-
MD5
9b9bf35eedda09aa86f25333114dd1d4
-
SHA1
f64f3f72db97b3c9119284f7ca4d641c41805aa0
-
SHA256
b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2
-
SHA512
038c21a487128b61e419f9210adabe3ddca60c8c3d2474a8c0508076f452a2aa2a0a6aff1965c8633fe8befeafe0d140fc20f05d799854e4596367fe3c2667bb
-
SSDEEP
6144:D5tAt50415jKxZEu4ulgR/nkKmaDRZ/P/e:DnAt5PjKDLinDne
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-stzhzxi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-stzhzxi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\ProgramData\zlwdkgg.html
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2.exe"C:\Users\Admin\AppData\Local\Temp\b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9B542B09-DC55-4B33-90E2-F1FDE73DAABD} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exeC:\Users\Admin\AppData\Local\Temp\pdfisga.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all3⤵
- Interacts with shadow copies
-
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD5155f66085319542afa3a93b4e18e3add
SHA15910fd5aca17ed70fd96f40072c402c71f932050
SHA25627c293207458f47d76111483d4d030716325e75a19b91137c2e6f2b7a2520efa
SHA512745291e02f33d7ebd0ae4a018de91d878d53428f077cc705916fb1af92f23de7918b42af48fc322314b34d4f88833407d2780c42fec789c0fda52276f2c6c1c6
-
Filesize
654B
MD558c52e8663992c1e3e520b86f1b914d3
SHA18e1afc86ec5c0081fb7fd7b830bade7101d219fc
SHA2562dd86f5d9b71d4fc5ea5c691fe50b64a63fd2a6d41fcdaa243cebfc7b8267ff5
SHA51217f1921bbab2966a9199e4fadf592e43b422ce6bb53c7afcd164e5d71aae606a6f042523708ebc29d05698cb833ea00167ac312dfa3e3c40ea1dcb9c85b2ced8
-
Filesize
654B
MD560feffcc2f7423582daec690439e2135
SHA159c59d2010d93515af822c6c381bf34b04cc963f
SHA256f41f2103f0a0af7d3c79e40e7be0c138785b50aefccd7265b7ec91a1dbaa02ba
SHA512ee1aee9be61137a2fc52ea5645f3576a349cb64dc413baddc2f2090bf9a8fbbdb8b825b897a67681bac9fc1a49608239261123241ca9e23a31d978c056b9cd91
-
Filesize
654B
MD560feffcc2f7423582daec690439e2135
SHA159c59d2010d93515af822c6c381bf34b04cc963f
SHA256f41f2103f0a0af7d3c79e40e7be0c138785b50aefccd7265b7ec91a1dbaa02ba
SHA512ee1aee9be61137a2fc52ea5645f3576a349cb64dc413baddc2f2090bf9a8fbbdb8b825b897a67681bac9fc1a49608239261123241ca9e23a31d978c056b9cd91
-
Filesize
63KB
MD55e77006af65f981fb4025cc9a509805a
SHA1a480f9f87bf5994b7c9549d04c755e8b32c7d5bf
SHA256b864567073542f66ac46e5cc4c063a6c39ee7ed72d19628f3422a8e0ca8b993e
SHA512019e6637d6860f9408ed491343d349b32807c5be38ecf5d71f48c1fbc4b4554b6c19de9a72c89c648a0b78a8c80d732331242ce91ca7607cde6d2d6d63e73b7c
-
Filesize
323KB
MD59b9bf35eedda09aa86f25333114dd1d4
SHA1f64f3f72db97b3c9119284f7ca4d641c41805aa0
SHA256b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2
SHA512038c21a487128b61e419f9210adabe3ddca60c8c3d2474a8c0508076f452a2aa2a0a6aff1965c8633fe8befeafe0d140fc20f05d799854e4596367fe3c2667bb
-
Filesize
323KB
MD59b9bf35eedda09aa86f25333114dd1d4
SHA1f64f3f72db97b3c9119284f7ca4d641c41805aa0
SHA256b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2
SHA512038c21a487128b61e419f9210adabe3ddca60c8c3d2474a8c0508076f452a2aa2a0a6aff1965c8633fe8befeafe0d140fc20f05d799854e4596367fe3c2667bb
-
Filesize
323KB
MD59b9bf35eedda09aa86f25333114dd1d4
SHA1f64f3f72db97b3c9119284f7ca4d641c41805aa0
SHA256b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2
SHA512038c21a487128b61e419f9210adabe3ddca60c8c3d2474a8c0508076f452a2aa2a0a6aff1965c8633fe8befeafe0d140fc20f05d799854e4596367fe3c2667bb
-
Filesize
476KB
-
Filesize
8KB
-
Filesize
476KB
-
Filesize
436KB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
436KB
-
Filesize
1.2MB
-
Filesize
1.0MB
-
Filesize
20KB
-
Filesize
436KB
-
Filesize
1.2MB