Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

284b37c477...ff.exe

windows7-x64

10

284b37c477...ff.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    128s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    21/12/2023, 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    284b37c4771f4dcf91a37348014e04ff.exe

  • Size

    928KB

  • MD5

    284b37c4771f4dcf91a37348014e04ff

  • SHA1

    211e5aa4cc0451aa252660576fc5c6a1961667fd

  • SHA256

    749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

  • SHA512

    dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

  • SSDEEP

    24576:+TSkT7/hjVX1uKLGLY27AX1Wh6qC/UxPpXWhi:Evl3LG0h1KZkwPhW

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\ProgramData\pkbwrrm.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\284b37c4771f4dcf91a37348014e04ff.exe
      "C:\Users\Admin\AppData\Local\Temp\284b37c4771f4dcf91a37348014e04ff.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Users\Admin\AppData\Local\Temp\284b37c4771f4dcf91a37348014e04ff.exe
        "C:\Users\Admin\AppData\Local\Temp\284b37c4771f4dcf91a37348014e04ff.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2296
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:320
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        2⤵
          PID:676
        • C:\Windows\system32\wbem\wmiprvse.exe
          C:\Windows\system32\wbem\wmiprvse.exe -Embedding
          2⤵
            PID:1372
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {92230B5E-56A3-4D1C-AA16-4C4F56C88D55} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
            C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1928
            • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
              "C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2808
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows all
                4⤵
                • Interacts with shadow copies
                PID:2892
              • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
                "C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe" -u
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1532
                • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
                  "C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe"
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:2928
                • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
                  "C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:2948
                • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
                  "C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:2936

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Adobe\bpesreh
          Filesize

          654B

          MD5

          87ad07ba7334fa97174e4ba706bdf281

          SHA1

          f3e24acf28ba050c5f95e7a70835598348fbc535

          SHA256

          b360b81afbe5dffee2088e30b90788d5ddfdc4eb4d66639bf0ae39031445ca71

          SHA512

          1eb260f36ecf2ae5cc878a04db9b2617c02649dd582c9d29f96c2a0c5158a22150aabde891165d97bc083577b657168e0c79c62d15d15c336cde560380cbc765

          Download Submit

        • C:\ProgramData\Adobe\bpesreh
          Filesize

          654B

          MD5

          6a754f34b885bdf4ea454512568fbdf5

          SHA1

          ea805b6828f82284f3afca09faf1f638ee56e7b6

          SHA256

          a459940cc1fc640686388e3d285bbc414d11de50374bbd18dd101c17d2bf03b7

          SHA512

          01a77e388b2c1395f660f7c333c1fb1c7e5eb188db4844d89b5f51144a22bb6b513339122dee41bd9a10dff90d4e8f3f42e757ec777866f11e3b57906d9372f4

          Download Submit

        • C:\ProgramData\Adobe\bpesreh
          Filesize

          654B

          MD5

          d22f87be21e10ecc90516eb647780d0b

          SHA1

          483b5b97896f88e19ce26f9afb8b816a74c1157a

          SHA256

          8c9b00e117fe71d261a985d2aec1209004a0f80eec3976bcdd206bfd05807408

          SHA512

          f26b93bd919734cd1b90aba095e83ad6d89dc070357a55724b635fae1a8385f2747bdf3c6736a453afc49cefbc6a2c8a41c3a5ea5fc29c45623cb09ad22af492

          Download Submit

        • C:\ProgramData\Adobe\bpesreh
          Filesize

          654B

          MD5

          c5d81c8f8314048eb0257705a7752467

          SHA1

          8e362b0499fc68c6cdf4d02edf62757e58d3c3d9

          SHA256

          437e83056b5c02c41eab5bd6c504fd1d40a347a226375634d40e41a1d0b37125

          SHA512

          ce855021b65f50db6b36f3150b7b8bc6b8126a15fa9d5b7dc95d087575afe8fc41fe4818c54ca09b487be1f4571e29c9420596c64ebf4995a73e4f1494cfb5b2

          Download Submit

        • C:\ProgramData\pkbwrrm.html
          Filesize

          62KB

          MD5

          349277e0e23cd890f923833094c925b2

          SHA1

          05d64776612c10ff55d4d6e5649811f67b830456

          SHA256

          7c41d542d6be1498520fccadc6b7d48753e1f19b2d191b8c5ce4a6811fdd0f99

          SHA512

          c9901e6f8e0ef051efb9b21268a2cdbd6ef1ba5d28369aea25a677f7dd04fbe503585434e9b056b691be3c5553c5135b4f85c0bfe186d99d344a89c6b412c83f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
          Filesize

          132KB

          MD5

          d336d997ff82a6df0d7cb6a24833ccf9

          SHA1

          3d446a7f1950411df00f2cafb8575f70a43c8c43

          SHA256

          ae5d4443ddb9e7edc8307d72c4b59831a213871d6024c7233020a8b4cb5a2e82

          SHA512

          2dbfa7630710147e7be42838f17a630276ec0be24ba7211e252918f0df0699532f51e8b687c23f061954fe2f8a395a5aa4e5c3ebdff044a6ceda23ff21cd6763

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
          Filesize

          150KB

          MD5

          ac9d5f82bfd8ad45d90b1352ceb87e3a

          SHA1

          5fd4ad84e45fc703c2a05862c02d035aaecc4555

          SHA256

          62d007fd423824984a74a40f41e016a5fc6366cfb3b00df3786afb19545d20a8

          SHA512

          b76b05ca7134da101ef348172598d4ec3980557f73a226976242a0cd441b22bc76b67a183eeb9278c66348986c005a5848491a41c8156dc08b606f84242eff04

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
          Filesize

          113KB

          MD5

          139a70171c7ac73e058db40c3bb3a016

          SHA1

          4731e15e8c54d2de81371801fa055a6615e8ff5b

          SHA256

          44f4ef600cb697460d37d4e1b14484eabc43fde47cb9acbac14a2d674e283876

          SHA512

          531394ec42d9e4000a121d7fcebd19bccc8506ae679dce92a37fd0f5ad9f8972ee4ce8f13c506c8dd6f3a7e1a061fcfab8df3c5808cb1ab0b38985a80a8f3b9b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
          Filesize

          79KB

          MD5

          238e2816e0ca864b799b63f55a190b72

          SHA1

          8adb66945558cbb72f3b04784d1a3feb4b4fb9c0

          SHA256

          aae6e0bd39182cf1e1afd2da553f62fcfddcd0a8cc8150d77f0b9c7ea2a1c0f9

          SHA512

          be0d97d5db0b0823f34e84f0c3d36d2cc4e620a35876c9bbba0fff8bac2ccac1dc815e20153e8ee12d76027099e8a6600c1d6ab1a0def2f68a013f23a2d199a1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
          Filesize

          122KB

          MD5

          126f647d0681736dd232fce95e524336

          SHA1

          580ebfc6cbcd942da70bbf0e1d9f3c75d9a6e5a9

          SHA256

          8536cca15fbc6ab1a252615ffebed52bdae7488c772e9583de9b266de1357498

          SHA512

          d893f1728de1d42d6b88083aad47feafdbcf1906b229a3cb75b3d3c0db4c6f64180cbd01e77768de6d425a0b275c83c6ba647c7978b6c7a28c0d2ba1ac2adc26

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
          Filesize

          136KB

          MD5

          ce8a6ffc3e56bd4e188d6b234aeda8a3

          SHA1

          cb27f4c089446ecb5f2d21a65b02b3aaa7a17f32

          SHA256

          6228ad2a257dc0f0a2e76c58a6bca47e948b586c8dc3f00166188481f7170472

          SHA512

          e923b855f5c268fffdcc832abd377ca9a659ac0ceff8e337632032a51fc8e01723c908c24e6db9315113563df3e6d101250c9cfb56ed16adfc412f635f65678c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wvatrqa.exe
          Filesize

          126KB

          MD5

          84390bb82c76550a18e0e4e571677269

          SHA1

          01601e7c1db5e478ae75962bfcef406776ea96d1

          SHA256

          ba77d1ae087c1104a16c9bd64b4815c15d12de70794c7802f17747fb891e3a00

          SHA512

          488b7a7a16fb0b3b68047bd9faa8f009690495990cf179698ec6e29d1af19bb8041641ca5289118c0814c3d689cea0875759c4ac18fc85a8ac8c91f514e05cf8

          Download Submit

        • \Users\Admin\AppData\Local\Temp\wvatrqa.exe
          Filesize

          81KB

          MD5

          d8720109538a5849af611535f8404ec3

          SHA1

          5c3fdd41b90a50c5cb8b967d31887b3a1ba47a82

          SHA256

          92cfea4b8aea58eeca16255e579f3c94be50aface87a22865a5cd2bbd062ab9d

          SHA512

          12fcb9d3a851e4e443832200db995c8a32b7c4500683c0c07c9bd131b0d9570f43f13a33967d038541bc488aeae1032fe642f1b1b84974549a8b7adb3fca2c93

          Download Submit

        • memory/604-38-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/604-39-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/604-53-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/604-47-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/604-41-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/604-42-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/604-1253-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/604-45-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/604-48-0x0000000000590000-0x0000000000607000-memory.dmp

          Filesize

          476KB

          Download

        • memory/1532-1277-0x0000000074BB0000-0x000000007515B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1532-1294-0x0000000074BB0000-0x000000007515B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1532-1278-0x0000000000600000-0x0000000000640000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1532-1279-0x0000000074BB0000-0x000000007515B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1928-32-0x0000000074C80000-0x000000007522B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1928-19-0x0000000074C80000-0x000000007522B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1928-20-0x0000000000C60000-0x0000000000CA0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2216-2-0x0000000074D70000-0x000000007531B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2216-12-0x0000000074D70000-0x000000007531B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2216-0-0x0000000074D70000-0x000000007531B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2216-1-0x00000000000E0000-0x0000000000120000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2296-5-0x0000000000400000-0x00000000004A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/2296-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2296-13-0x0000000000400000-0x00000000004A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/2296-14-0x0000000000620000-0x000000000083A000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2296-15-0x0000000000AC0000-0x0000000000D0B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2296-7-0x0000000000400000-0x00000000004A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/2296-3-0x0000000000400000-0x00000000004A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/2808-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2808-35-0x00000000008D0000-0x0000000000B1B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2808-1265-0x00000000008D0000-0x0000000000B1B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2928-1295-0x0000000000B50000-0x0000000000D9B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2928-1296-0x0000000000B50000-0x0000000000D9B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2928-1287-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2928-1297-0x0000000000100000-0x0000000000101000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2928-1300-0x0000000000B50000-0x0000000000D9B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2928-1299-0x0000000000B50000-0x0000000000D9B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2928-1302-0x0000000000B50000-0x0000000000D9B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2928-1303-0x0000000000B50000-0x0000000000D9B000-memory.dmp

          Filesize

          2.3MB

          Download