Analysis

  • max time kernel
    159s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/11/2023, 18:52

General

  • Target

    38b3ad07b35d7dcbd054e87295ee1d60ab2f894111d458e88c6c183cd7ffefc8.exe

  • Size

    344KB

  • MD5

    73b6567e0fb62eeb98aeaa8af712c650

  • SHA1

    a540265e45623ef70377b6d21118b732835a8337

  • SHA256

    38b3ad07b35d7dcbd054e87295ee1d60ab2f894111d458e88c6c183cd7ffefc8

  • SHA512

    2e03cdb91083ad989caa260fde1646f011a3632067495ff18367056c7873a804fc9898b8462fd8736ac0d351472d61fb789cf3383b16f28d1cef5551e1041c71

  • SSDEEP

    6144:h04sqI3VM+bMHClEf6HCAW3/hpb7BuHRaumHyxaK3yaFPR65n:C4sx3VNbMilED5v3CRPsykK3DF

Score
10/10

Malware Config

Extracted

Path

C:\PerfLogs\{RecOveR}-guexu__.Txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What's the matter with your files?

Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem)

What exactly that means?

It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help.

What exactly happened to your files ???

*** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private.
*** All your data and files were encrypted by the means of the public key, which you received over the web.
*** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.

What should you do next ?

There are several options for you to consider:
*** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or
*** You can start getting BitCoins right now and get access to your data quite fast.
In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data.

In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below:
http://h3ds4.maconslab.com/E8F7436B6D893B0
http://aq3ef.goimocoa.at/E8F7436B6D893B0
http://fl43s.toabolt.at/E8F7436B6D893B0

If you can't access your personal homepage or the addresses are not working, complete the following steps:
*** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en
*** Install TOR Browser and open TOR Browser
*** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/E8F7436B6D893B0

***************IMPORTANT*****************INFORMATION********************
Your personal homepages
http://h3ds4.maconslab.com/E8F7436B6D893B0
http://aq3ef.goimocoa.at/E8F7436B6D893B0
http://fl43s.toabolt.at/E8F7436B6D893B0
Your personal homepage Tor-Browser
xzjvzkgjxebzreap.onion/E8F7436B6D893B0
Your personal ID
E8F7436B6D893B0

URLs

http://h3ds4.maconslab.com/E8F7436B6D893B0

http://aq3ef.goimocoa.at/E8F7436B6D893B0

http://fl43s.toabolt.at/E8F7436B6D893B0

http://xzjvzkgjxebzreap.onion/E8F7436B6D893B0

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\38b3ad07b35d7dcbd054e87295ee1d60ab2f894111d458e88c6c183cd7ffefc8.exe
    "C:\Users\Admin\AppData\Local\Temp\38b3ad07b35d7dcbd054e87295ee1d60ab2f894111d458e88c6c183cd7ffefc8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4128
    • C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
      C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1696
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\38B3AD~1.EXE >> NUL
      2⤵
      PID:4104
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2228

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\PerfLogs\{RecOveR}-guexu__.Htm

      Filesize

      9KB

      MD5

      624107b72ceed0515a338882e1fc4a93

      SHA1

      31fc0e112cbaa5ab83b3086098ce3b141501b4c1

      SHA256

      4cfd088b8891d94e54f181f416df0b42eea25d4e89c427d0ef6592b6ed4e71d5

      SHA512

      f1906c0adffc53b1cb53ce100032b2513f36af4acc52e8c4851d03b64e652fc97395d55c925335a52c8ca82ce0a73bc570eb04992431308020b85d1442232a1c

    • C:\PerfLogs\{RecOveR}-guexu__.Png

      Filesize

      91KB

      MD5

      5d65e4f314384f1c6fa0fe49569e3062

      SHA1

      05db538b0bfc923c6616c0f2714ea658771397ce

      SHA256

      46dcbd8bb43b7e9c4f69434274bb5b913704e2870a1a9965e520f8017d214b20

      SHA512

      8cf99ef59ce3de0c1faf5777b4a51b48f66064d12e7339d1b6b299f2321f41c724cff5f6d05d326efaf65404c0a8b80e5edafed6e12b704971494580b38ac214

    • C:\PerfLogs\{RecOveR}-guexu__.Txt

      Filesize

      2KB

      MD5

      abe00106cf36d3d17c92e04fec272af2

      SHA1

      ef95857f38eed87ade7f37fc9440b40739baabe5

      SHA256

      1213fa836aa49733ac93dd3e936d9c6f28007eb8b4902300511b6a336e609031

      SHA512

      1cecad919d8b7c1fc07adcc8ea18ef0c08b0c504a669555fa13ed5e38481efac1ffb53d13daa84f83873cf40f1a8afa5ff81c7e89e56fdc8e0177160388517d7

    • C:\Users\Admin\AppData\Roaming\wsmprovhost.exe

      Filesize

      344KB

      MD5

      73b6567e0fb62eeb98aeaa8af712c650

      SHA1

      a540265e45623ef70377b6d21118b732835a8337

      SHA256

      38b3ad07b35d7dcbd054e87295ee1d60ab2f894111d458e88c6c183cd7ffefc8

      SHA512

      2e03cdb91083ad989caa260fde1646f011a3632067495ff18367056c7873a804fc9898b8462fd8736ac0d351472d61fb789cf3383b16f28d1cef5551e1041c71

    • memory/1696-119-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/1696-45-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/1696-60-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/1696-90-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/1696-11-0x0000000074FA0000-0x0000000074FD9000-memory.dmp

      Filesize

      228KB

    • memory/1696-148-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/1696-476-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/1696-484-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/4128-12-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB

    • memory/4128-13-0x0000000074FA0000-0x0000000074FD9000-memory.dmp

      Filesize

      228KB

    • memory/4128-1-0x0000000000570000-0x0000000000571000-memory.dmp

      Filesize

      4KB

    • memory/4128-3-0x0000000074FA0000-0x0000000074FD9000-memory.dmp

      Filesize

      228KB

    • memory/4128-0-0x0000000000400000-0x000000000048B000-memory.dmp

      Filesize

      556KB