Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-03-09...ck.exe

windows7-x64

10

2024-03-09...ck.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe

  • Size

    1.3MB

  • MD5

    c54566c34316dbefd0d344311b24a766

  • SHA1

    2bf940e1a7773ba76a55a32be936fa513eeb9b34

  • SHA256

    aac15814aec66587435c8e2abc6431ba09300e94de72ae94a8b60f6efad0876b

  • SHA512

    76939f6cf240d31022961d338995567584c067447356dd01f77689e253c5c1e0514038b8bba6b8ef91a4f79357bccb96632e3e5e5b03adb21ee8c6ea60d01e20

  • SSDEEP

    24576:DwxPanDWDAxfy+t4g6cBLi2iYQOlbBTAIUC:8xPpWTjPJplVTjUC

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 16 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 12 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe"
    1⤵
    • UAC bypass
    • Sets file execution options in registry
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2876
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe" /rl HIGHEST /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1184
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1172
  • C:\Users\Admin\AppData\Local\Temp\2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe
    1⤵
      PID:3584
    • C:\Users\Admin\AppData\Local\Temp\2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-03-09_c54566c34316dbefd0d344311b24a766_ransomlock.exe
      1⤵
        PID:2084

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2084-193-0x0000000000870000-0x0000000000871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2084-194-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-209-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-163-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-58-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-293-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-270-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-79-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-98-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-123-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-144-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-43-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2876-184-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-36-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-11-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-0-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2876-230-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2876-249-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3584-68-0x0000000000400000-0x0000000000593000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3584-67-0x00000000022D0000-0x00000000022D1000-memory.dmp

        Filesize

        4KB

        Download