Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
29/08/2023, 13:50
General
-
Target
1.exe
-
Size
1.8MB
-
MD5
212e77d39264b02290a97c25d692f746
-
SHA1
6adf30be27fe42380ff57caa8bb1c2b955586941
-
SHA256
eedda61d02d8bd0e145a07e6048621fc84f420376e6cda2616c2d77d4fd4fe18
-
SHA512
26207731be09241bedc6804f4620c6f132e92c9b4246e12cb9ae3d89ba912b9394a1d6644141154b1b2eb931d365a6aeb1cad37220a60ed4c953e32bffe4a11f
-
SSDEEP
24576:ZucUS55cDR3NgJ4zJ1H+QI84rncvGt3nE6vlTlFxBkTde/cfkOg:ZucUS55cHgJIzez8+n9Bn3NTlBkYokOg
Malware Config
Extracted
C:\Users\How To Restore Your Files.txt
http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/c8c30be6-dbd5-44d5-b431-ba5aaa7e5e8b/
https://www.binance.com/en/how-to-buy/bitcoin
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Renames multiple (159) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops desktop.ini file(s) 16 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe"C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe4⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73AD26BD-FDA9-4EE4-8F57-AA32567F7C78}'" delete5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73AD26BD-FDA9-4EE4-8F57-AA32567F7C78}'" delete6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
762KB
MD5ad5fa708d3fc77c41a2f98f54c291cec
SHA137241231a1385508565d1296fc03f1a1d54abee5
SHA25644990806b05613cd9221a752920fa4dccb468a01b891a32ce80f146d6a1c7dc5
SHA512e6462dcb8a459bfd8468ad9cf4e831034fa486b074e8b8bb28e5d82016210fbe3e4c1ec9dd796a1e19bfbf5a6cd468ee4ef1ac5a2cda31ea324bbe932e92fea5
-
Filesize
141KB
MD5704925ecfdb24ef81190b82de0e5453c
SHA11128b3063180419893615ca73ad4f9dd51ebeac6
SHA2568cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e
SHA512ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216
-
Filesize
141KB
MD5704925ecfdb24ef81190b82de0e5453c
SHA11128b3063180419893615ca73ad4f9dd51ebeac6
SHA2568cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e
SHA512ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216
-
Filesize
811KB
MD5ded2216d3f8a21fc6d153b74adf1590d
SHA14e88f13ed1323fbd80e6eed27dec331ed85573f9
SHA256afc54cb0bddc0856783dc6900476b7b0de2a6b82f55b102dae04e2ebfebdc46e
SHA5123b7a180bd3a4c5017defea7cebe731795933be33a78b0c1063f1fc8378e1d656d4ac5aeeb3b89b288af1b5101fb3bca28375753f71f4a24389bd4673bb7a9a0f
-
Filesize
811KB
MD5ded2216d3f8a21fc6d153b74adf1590d
SHA14e88f13ed1323fbd80e6eed27dec331ed85573f9
SHA256afc54cb0bddc0856783dc6900476b7b0de2a6b82f55b102dae04e2ebfebdc46e
SHA5123b7a180bd3a4c5017defea7cebe731795933be33a78b0c1063f1fc8378e1d656d4ac5aeeb3b89b288af1b5101fb3bca28375753f71f4a24389bd4673bb7a9a0f
-
Filesize
627KB
MD5a153a648485075e40853de20764b9a41
SHA16b0c520a69691aba9af0fe33ebee2da5bd8f6fed
SHA256e034278b3eb22999365298c7225716b074af31ddedd1cfec183f244885003137
SHA5122b357558cb24d9896f1c4cec2520c2472418487e965817ddd2292a1ffbba464fb7a26e0a30588c34e89000d63d4cb1b4d75eab043a21ba56c82b803d710db049
-
Filesize
1KB
MD5d3dc812830f2d392c54c5e7dae674c18
SHA1e6c5126a0c45491d056df98cbf66338fc1628b6d
SHA2569ea655ff1de3333fbadaa7e52389b5e6979f03c3add6afd72255d8be8603e97e
SHA51223fafaf82d7e734bcb92a065b61ea3578c81750e3c9ad598c8429eb1e88c5eea25f8dc587258a5a096fdda3d200f68fed6cbe5fbd88b30d2f836291444c8c735
-
Filesize
3.2MB
-
Filesize
18.3MB
-
Filesize
2.0MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB