Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

350ba7fca6...bd.exe

windows7-x64

9

350ba7fca6...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 01:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd.exe

  • Size

    737KB

  • MD5

    0bf7bc20496143a9f028e77ab47b4698

  • SHA1

    aa54013aeb502b4a936331deb76a6411f1f1ade7

  • SHA256

    350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd

  • SHA512

    5e94cd77c4ad6dfa1064915ca0f4d117a2e3a4e924d05a16df0b223a5a0cbcb6124627e41d184aa0584f3ff3bbd5f9f913964887c7eb140e105317d4f5709981

  • SSDEEP

    12288:bO+sm75a7DI9Mv53VI/XfaUs442JbV24chSS1i2wZbDFMMWzVFq:rh75a7M9S3VYa4npY4cFM2MWhY

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\instructions_read_me.txt

Ransom Note
ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Login ID: 2943b2b6-dc20-44a7-9dc4-94f7cb67f695 *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd.exe
    "C:\Users\Admin\AppData\Local\Temp\350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd.exe"
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4088
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2200

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3856-133-0x0000000002EE0000-0x0000000002F73000-memory.dmp

    Filesize

    588KB

    Download

  • memory/3856-134-0x0000000000450000-0x0000000000529000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3856-136-0x0000000000450000-0x0000000000529000-memory.dmp

    Filesize

    868KB

    Download