Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-03-14...er.exe

windows7-x64

10

2024-03-14...er.exe

windows10-2004-x64

10

Resubmissions

14/03/2024, 08:31

240314-ke728afa2x 10

14/03/2024, 08:26

240314-kb8vcaha74 10

Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe

  • Size

    80KB

  • MD5

    13616e15e6e161bf2c187d4ccff0a74a

  • SHA1

    5dc358621f84c54e25a5127e6c75873b302878c0

  • SHA256

    c16db5977b4fc0999e81d73641a520b05384431102acc29a3976b47bbad97751

  • SHA512

    e65ec8a0258f0046801e84785355c379aaf375b05bf0759bb49d8a89fc289a1ff446d978842f03de96aa76eb07484c92bcf9e7118665f2c2ffc60384c078e41e

  • SSDEEP

    1536:nc2hl9N/IolKfGsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG24m:nc2N/4usrQLOJgY8Zp8LHD4XWaNH71dc

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\MSOCache\readme_for_unlock.txt

Ransom Note
!!! ATTENTION !!! Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale. What you will face if your data gets on the black market: 1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores. 2) You may be sued by clients of your company for leaking information that was confidential. 3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify. 4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. 5) You will forever lose the reputation. 6) You will be subject to huge fines from the government. You can learn more about liability for data loss here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/ Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse. You can get out of this situation with minimal losses To do this you must strictly observe the following rules: DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it may also DAMAGE files. DO NOT Shutdown or Reboot the system this may DAMAGE files. DO NOT hire any third party negotiators (recovery/police, etc.) You need to contact us as soon as possible and start negotiations. Instructions for contacting our team: Download & Install TOR browser: https://torproject.org For contact us via LIVE CHAT open our > Website: http://s4xpejatghnopeieoqvjqsnfl576jekizgmw52s7ydth6wgyi2wh2gid.onion > Login: CLIENT > Password: SmZo633AIrS6d8p3qA9c If Tor is restricted in your area, use VPN�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
URLs

https://gdpr-info.eu/

http://s4xpejatghnopeieoqvjqsnfl576jekizgmw52s7ydth6wgyi2wh2gid.onion

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (377) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2620
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" ☀瑾⛌瑾❰瑾杻<ř眑飯<)/c START /b "" cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe" &EXIT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe"
        3⤵
        • Deletes itself
        PID:1676
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\readme_for_unlock.txt
    Filesize

    2KB

    MD5

    405c5458425f5bdb2cc6ca2351ba883f

    SHA1

    4f8890c8ee0ea19a7c8986073d78e6dbf396b59c

    SHA256

    fc9dddc880f6b0dd15957f82df4468ae63dbaf67542372357ba7a992ff426a46

    SHA512

    21c5539122414dca1dafe6ad65122c5296514edbe528414e4871e04eaa9390c890dbaa6fb3bb794455da095fc24390c708527c2eb81a230b551d0527bb419402

    Download Submit