Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2024-03-14...er.exe

windows7-x64

10

2024-03-14...er.exe

windows10-2004-x64

10

Resubmissions

14/03/2024, 08:31

240314-ke728afa2x 10

14/03/2024, 08:26

240314-kb8vcaha74 10

Analysis

  • max time kernel
    79s
  • max time network
    76s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe

  • Size

    80KB

  • MD5

    13616e15e6e161bf2c187d4ccff0a74a

  • SHA1

    5dc358621f84c54e25a5127e6c75873b302878c0

  • SHA256

    c16db5977b4fc0999e81d73641a520b05384431102acc29a3976b47bbad97751

  • SHA512

    e65ec8a0258f0046801e84785355c379aaf375b05bf0759bb49d8a89fc289a1ff446d978842f03de96aa76eb07484c92bcf9e7118665f2c2ffc60384c078e41e

  • SSDEEP

    1536:nc2hl9N/IolKfGsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG24m:nc2N/4usrQLOJgY8Zp8LHD4XWaNH71dc

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\readme_for_unlock.txt

Ransom Note
!!! ATTENTION !!! Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale. What you will face if your data gets on the black market: 1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores. 2) You may be sued by clients of your company for leaking information that was confidential. 3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify. 4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. 5) You will forever lose the reputation. 6) You will be subject to huge fines from the government. You can learn more about liability for data loss here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/ Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse. You can get out of this situation with minimal losses To do this you must strictly observe the following rules: DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it may also DAMAGE files. DO NOT Shutdown or Reboot the system this may DAMAGE files. DO NOT hire any third party negotiators (recovery/police, etc.) You need to contact us as soon as possible and start negotiations. Instructions for contacting our team: Download & Install TOR browser: https://torproject.org For contact us via LIVE CHAT open our > Website: http://s4xpejatghnopeieoqvjqsnfl576jekizgmw52s7ydth6wgyi2wh2gid.onion > Login: CLIENT > Password: SmZo633AIrS6d8p3qA9c If Tor is restricted in your area, use VPN�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
URLs

https://gdpr-info.eu/

http://s4xpejatghnopeieoqvjqsnfl576jekizgmw52s7ydth6wgyi2wh2gid.onion

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (403) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2724
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" ☀瓚⛌瓚❰瓚=ř睭=)/c START /b "" cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe" &EXIT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe"
        3⤵
        • Deletes itself
        PID:1976
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2492
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2436
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnblockComplete.asx.crYptA3
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnblockComplete.asx.crYptA3
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\UnblockComplete.asx.crYptA3
    Filesize

    207KB

    MD5

    f88abd46fb92908160d5c799f89fe431

    SHA1

    a92c782d4203ed7674bf238fbdc5152399a2e60d

    SHA256

    9d389159d53f4952738e65125d1e487ffee54a375b1e851ccb6083be23a095b5

    SHA512

    7801be4fca712aa553a940d56f779ed4e59c34a225d7bea2674f83d384d1ff645809bd7d4ea9f6ea7127ac46f1ff1410801fd7ca6ce9d809e74ad6b9f9cd58f0

    Download Submit

  • C:\Users\readme_for_unlock.txt
    Filesize

    2KB

    MD5

    405c5458425f5bdb2cc6ca2351ba883f

    SHA1

    4f8890c8ee0ea19a7c8986073d78e6dbf396b59c

    SHA256

    fc9dddc880f6b0dd15957f82df4468ae63dbaf67542372357ba7a992ff426a46

    SHA512

    21c5539122414dca1dafe6ad65122c5296514edbe528414e4871e04eaa9390c890dbaa6fb3bb794455da095fc24390c708527c2eb81a230b551d0527bb419402

    Download Submit

  • memory/2436-91-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2436-92-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download