Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/08/2023, 13:50

General

  • Target

    1.exe

  • Size

    1.8MB

  • MD5

    212e77d39264b02290a97c25d692f746

  • SHA1

    6adf30be27fe42380ff57caa8bb1c2b955586941

  • SHA256

    eedda61d02d8bd0e145a07e6048621fc84f420376e6cda2616c2d77d4fd4fe18

  • SHA512

    26207731be09241bedc6804f4620c6f132e92c9b4246e12cb9ae3d89ba912b9394a1d6644141154b1b2eb931d365a6aeb1cad37220a60ed4c953e32bffe4a11f

  • SSDEEP

    24576:ZucUS55cDR3NgJ4zJ1H+QI84rncvGt3nE6vlTlFxBkTde/cfkOg:ZucUS55cHgJIzez8+n9Bn3NTlBkYokOg

Score
10/10

Malware Config

Extracted

Path

C:\Users\How To Restore Your Files.txt

Ransom Note
All your documents, company files, images, etc (and there are a lot of company data) have been encrypted and the extension has been changed to .knight_l . The recovery is only possible with our help. US $14123 in Bitcoin is the price for restoring all of your data. This is the average monthly wage for 1 employee in your company. So don't even think about negotiating. That would only be a waste of time and you will be ignored. Send the Bitcoin to this wallet:13oUavxdk3WEyYbMezT6K1H7X2gWH5MAxu (This is your only payment address, please don't pay BTC to other than this or you won't be able to get it decrypted!) After completing the Bitcoin transaction, send an email at: http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/c8c30be6-dbd5-44d5-b431-ba5aaa7e5e8b/ (Download and install TOR Browser (https://www.torproject.org/).[If you don't know how to use it, do a Google search!]).You will get an answer as soon as possible. I expect a message from you with the transfer of BTC Confirmation (TXID). So we can move forward to decrypt all your data. TXID is very important because it will help us identify your payment and connect it to your encrypted data.Do not use that I am here to waste mine or your time. How to buy the BTC? https://www.binance.com/en/how-to-buy/bitcoin https://www.coinbase.com/how-to-buy/bitcoin Note: Your data are uploaded to our servers before being encrypted, Everything related to your business (customer data, POS Data, documents related to your orders and delivery, and others). If you do not contact us and do not confirm the payment within 4 days, we will move forward and will announce the sales of the extracted data. ID:a1c71d2236d0ad87e613d1cdb929d4863c19e4cc45f2116abf80ed4aa0dec90e
URLs

http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/c8c30be6-dbd5-44d5-b431-ba5aaa7e5e8b/

https://www.binance.com/en/how-to-buy/bitcoin

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Renames multiple (159) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 16 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\1.exe
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1232
      • C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe
        "C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\SysWOW64\cmd.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3424
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            4⤵
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73AD26BD-FDA9-4EE4-8F57-AA32567F7C78}'" delete
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2792
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73AD26BD-FDA9-4EE4-8F57-AA32567F7C78}'" delete
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4788
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2784

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1a4fcd56

      Filesize

      762KB

      MD5

      ad5fa708d3fc77c41a2f98f54c291cec

      SHA1

      37241231a1385508565d1296fc03f1a1d54abee5

      SHA256

      44990806b05613cd9221a752920fa4dccb468a01b891a32ce80f146d6a1c7dc5

      SHA512

      e6462dcb8a459bfd8468ad9cf4e831034fa486b074e8b8bb28e5d82016210fbe3e4c1ec9dd796a1e19bfbf5a6cd468ee4ef1ac5a2cda31ea324bbe932e92fea5

    • C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe

      Filesize

      141KB

      MD5

      704925ecfdb24ef81190b82de0e5453c

      SHA1

      1128b3063180419893615ca73ad4f9dd51ebeac6

      SHA256

      8cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e

      SHA512

      ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216

    • C:\Users\Admin\AppData\Roaming\scksp\UXCore.dll

      Filesize

      811KB

      MD5

      ded2216d3f8a21fc6d153b74adf1590d

      SHA1

      4e88f13ed1323fbd80e6eed27dec331ed85573f9

      SHA256

      afc54cb0bddc0856783dc6900476b7b0de2a6b82f55b102dae04e2ebfebdc46e

      SHA512

      3b7a180bd3a4c5017defea7cebe731795933be33a78b0c1063f1fc8378e1d656d4ac5aeeb3b89b288af1b5101fb3bca28375753f71f4a24389bd4673bb7a9a0f

    • C:\Users\Admin\AppData\Roaming\scksp\calico.dbf

      Filesize

      627KB

      MD5

      a153a648485075e40853de20764b9a41

      SHA1

      6b0c520a69691aba9af0fe33ebee2da5bd8f6fed

      SHA256

      e034278b3eb22999365298c7225716b074af31ddedd1cfec183f244885003137

      SHA512

      2b357558cb24d9896f1c4cec2520c2472418487e965817ddd2292a1ffbba464fb7a26e0a30588c34e89000d63d4cb1b4d75eab043a21ba56c82b803d710db049

    • C:\Users\How To Restore Your Files.txt

      Filesize

      1KB

      MD5

      d3dc812830f2d392c54c5e7dae674c18

      SHA1

      e6c5126a0c45491d056df98cbf66338fc1628b6d

      SHA256

      9ea655ff1de3333fbadaa7e52389b5e6979f03c3add6afd72255d8be8603e97e

      SHA512

      23fafaf82d7e734bcb92a065b61ea3578c81750e3c9ad598c8429eb1e88c5eea25f8dc587258a5a096fdda3d200f68fed6cbe5fbd88b30d2f836291444c8c735

    • memory/1232-1-0x00007FFB49660000-0x00007FFB4998D000-memory.dmp

      Filesize

      3.2MB

    • memory/2988-12-0x0000000073C70000-0x0000000074EC4000-memory.dmp

      Filesize

      18.3MB

    • memory/3424-16-0x00007FFB5AC70000-0x00007FFB5AE65000-memory.dmp

      Filesize

      2.0MB

    • memory/3424-17-0x0000000073C70000-0x0000000074EC4000-memory.dmp

      Filesize

      18.3MB

    • memory/3424-18-0x0000000073C70000-0x0000000074EC4000-memory.dmp

      Filesize

      18.3MB

    • memory/3424-22-0x0000000073C70000-0x0000000074EC4000-memory.dmp

      Filesize

      18.3MB

    • memory/3424-14-0x0000000073C70000-0x0000000074EC4000-memory.dmp

      Filesize

      18.3MB