Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/08/2023, 13:50
Static task: static1
Behavioral task: behavioral1 (sample: 1.exe, resource: win7-20230824-en)
Behavioral task: behavioral2 (sample: 1.exe, resource: win10v2004-20230703-en)
General
Target: 1.exe
Size: 1.8MB
MD5: 212e77d39264b02290a97c25d692f746
SHA1: 6adf30be27fe42380ff57caa8bb1c2b955586941
SHA256: eedda61d02d8bd0e145a07e6048621fc84f420376e6cda2616c2d77d4fd4fe18
SHA512: 26207731be09241bedc6804f4620c6f132e92c9b4246e12cb9ae3d89ba912b9394a1d6644141154b1b2eb931d365a6aeb1cad37220a60ed4c953e32bffe4a11f
SSDEEP: 24576:ZucUS55cDR3NgJ4zJ1H+QI84rncvGt3nE6vlTlFxBkTde/cfkOg:ZucUS55cHgJIzez8+n9Bn3NTlBkYokOg
Malware Config
Extracted from: C:\Users\How To Restore Your Files.txt
URLs:
  http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/c8c30be6-dbd5-44d5-b431-ba5aaa7e5e8b/
  https://www.binance.com/en/how-to-buy/bitcoin
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description            pid   Process  procid_target
PID 1232 created 2556  1232  1.exe    43

Renames multiple (159) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE (1 IoC)
pid   Process
2988  Dashboard.exe

Loads dropped DLL (1 IoC)
pid   Process
2988  Dashboard.exe

Drops desktop.ini file(s) (16 IoCs)
description                   ioc                                                  Process
File opened for modification  C:\Users\Admin\Searches\desktop.ini                  explorer.exe
File opened for modification  C:\Users\Admin\Documents\desktop.ini                 explorer.exe
File opened for modification  C:\Users\Admin\Downloads\desktop.ini                 explorer.exe
File opened for modification  C:\Users\Admin\OneDrive\desktop.ini                  explorer.exe
File opened for modification  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini   explorer.exe
File opened for modification  C:\Users\Admin\Contacts\desktop.ini                  explorer.exe
File opened for modification  C:\Users\Admin\Videos\desktop.ini                    explorer.exe
File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini           explorer.exe
File opened for modification  C:\Users\Admin\Pictures\Camera Roll\desktop.ini      explorer.exe
File opened for modification  C:\Users\Admin\Saved Games\desktop.ini               explorer.exe
File opened for modification  C:\Users\Admin\Desktop\desktop.ini                   explorer.exe
File opened for modification  C:\Users\Admin\Favorites\desktop.ini                 explorer.exe
File opened for modification  C:\Users\Admin\Links\desktop.ini                     explorer.exe
File opened for modification  C:\Users\Admin\Music\desktop.ini                     explorer.exe
File opened for modification  C:\Users\Admin\Pictures\desktop.ini                  explorer.exe
File opened for modification  C:\Users\Admin\3D Objects\desktop.ini                explorer.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\F:  explorer.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process        procid_target
PID 2988 set thread context of 3424  2988  Dashboard.exe  87

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
2988  Dashboard.exe
3424  cmd.exe

Suspicious use of AdjustPrivilegeToken (45 IoCs)
description                          pid   Process
Token: SeBackupPrivilege             2784  vssvc.exe
Token: SeRestorePrivilege            2784  vssvc.exe
Token: SeAuditPrivilege              2784  vssvc.exe
Token: SeIncreaseQuotaPrivilege      4788  WMIC.exe
Token: SeSecurityPrivilege           4788  WMIC.exe
Token: SeTakeOwnershipPrivilege      4788  WMIC.exe
Token: SeLoadDriverPrivilege         4788  WMIC.exe
Token: SeSystemProfilePrivilege      4788  WMIC.exe
Token: SeSystemtimePrivilege         4788  WMIC.exe
Token: SeProfSingleProcessPrivilege  4788  WMIC.exe
Token: SeIncBasePriorityPrivilege    4788  WMIC.exe
Token: SeCreatePagefilePrivilege     4788  WMIC.exe
Token: SeBackupPrivilege             4788  WMIC.exe
Token: SeRestorePrivilege            4788  WMIC.exe
Token: SeShutdownPrivilege           4788  WMIC.exe
Token: SeDebugPrivilege              4788  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4788  WMIC.exe
Token: SeRemoteShutdownPrivilege     4788  WMIC.exe
Token: SeUndockPrivilege             4788  WMIC.exe
Token: SeManageVolumePrivilege       4788  WMIC.exe
Token: 33                            4788  WMIC.exe
Token: 34                            4788  WMIC.exe
Token: 35                            4788  WMIC.exe
Token: 36                            4788  WMIC.exe
Token: SeIncreaseQuotaPrivilege      4788  WMIC.exe
Token: SeSecurityPrivilege           4788  WMIC.exe
Token: SeTakeOwnershipPrivilege      4788  WMIC.exe
Token: SeLoadDriverPrivilege         4788  WMIC.exe
Token: SeSystemProfilePrivilege      4788  WMIC.exe
Token: SeSystemtimePrivilege         4788  WMIC.exe
Token: SeProfSingleProcessPrivilege  4788  WMIC.exe
Token: SeIncBasePriorityPrivilege    4788  WMIC.exe
Token: SeCreatePagefilePrivilege     4788  WMIC.exe
Token: SeBackupPrivilege             4788  WMIC.exe
Token: SeRestorePrivilege            4788  WMIC.exe
Token: SeShutdownPrivilege           4788  WMIC.exe
Token: SeDebugPrivilege              4788  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4788  WMIC.exe
Token: SeRemoteShutdownPrivilege     4788  WMIC.exe
Token: SeUndockPrivilege             4788  WMIC.exe
Token: SeManageVolumePrivilege       4788  WMIC.exe
Token: 33                            4788  WMIC.exe
Token: 34                            4788  WMIC.exe
Token: 35                            4788  WMIC.exe
Token: 36                            4788  WMIC.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description                       pid   Process        procid_target
PID 1232 wrote to memory of 2988  1232  1.exe          84
PID 1232 wrote to memory of 2988  1232  1.exe          84
PID 1232 wrote to memory of 2988  1232  1.exe          84
PID 2988 wrote to memory of 3424  2988  Dashboard.exe  87
PID 2988 wrote to memory of 3424  2988  Dashboard.exe  87
PID 2988 wrote to memory of 3424  2988  Dashboard.exe  87
PID 2988 wrote to memory of 3424  2988  Dashboard.exe  87
PID 3424 wrote to memory of 2136  3424  cmd.exe        94
PID 3424 wrote to memory of 2136  3424  cmd.exe        94
PID 3424 wrote to memory of 2136  3424  cmd.exe        94
PID 3424 wrote to memory of 2136  3424  cmd.exe        94
PID 2136 wrote to memory of 2792  2136  explorer.exe   97
PID 2136 wrote to memory of 2792  2136  explorer.exe   97
PID 2792 wrote to memory of 4788  2792  cmd.exe        99
PID 2792 wrote to memory of 4788  2792  cmd.exe        99
PID 3424 wrote to memory of 2136  3424  cmd.exe        94
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2556

  C:\Users\Admin\AppData\Local\Temp\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1232

  C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe
    Command line: "C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 2988

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\SysWOW64\cmd.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 3424

      C:\Windows\explorer.exe
        Command line: C:\Windows\explorer.exe
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2136

        C:\Windows\SYSTEM32\cmd.exe
          Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73AD26BD-FDA9-4EE4-8F57-AA32567F7C78}'" delete
          - Suspicious use of WriteProcessMemory
          PID: 2792

          C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73AD26BD-FDA9-4EE4-8F57-AA32567F7C78}'" delete
            - Suspicious use of AdjustPrivilegeToken
            PID: 4788

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2784
Network
MITRE ATT&CK Enterprise v15
Downloads