Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

73b4c516c2...af.exe

windows7-x64

10

73b4c516c2...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2024, 12:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73b4c516c21979840ac94aa1db830d0b2d6ad2746c7d89a5bd76d36190bbdbaf.exe

  • Size

    212KB

  • MD5

    0dc7a3ddfc6a8526d901a4bf1a582771

  • SHA1

    3aa3708c82128733553f8b04cb0003358643ee23

  • SHA256

    73b4c516c21979840ac94aa1db830d0b2d6ad2746c7d89a5bd76d36190bbdbaf

  • SHA512

    5fd2fb6e661a3cc518b388612afbdd7327f64fe71f4f6b27a4ddec0db15ccc24f93f16781981877dbe55e8a5d471734abc630e601af2ecc50aa687ab3dcf7f6c

  • SSDEEP

    3072:cU5iX+kkrOhuHFDuQrE99FEx/eOyUQBuz4q6fSIZgvOHNrR/iXs:cyiX+kiOhucEZyUQBgvNaskrR/i8

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\BfUuixlUp.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 29B1ABFE687F6B83C263ABF30B52BC0F << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (168) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\73b4c516c21979840ac94aa1db830d0b2d6ad2746c7d89a5bd76d36190bbdbaf.exe
    "C:\Users\Admin\AppData\Local\Temp\73b4c516c21979840ac94aa1db830d0b2d6ad2746c7d89a5bd76d36190bbdbaf.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2812
    • C:\ProgramData\D94F.tmp
      "C:\ProgramData\D94F.tmp"
      2⤵
        PID:2440
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:828

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      abd7c2f155046aa096ef92d8edc8b9c2

      SHA1

      3fcbf1281b4e8cecd145a41f5a25f549aa67d604

      SHA256

      7ad84e89e9e1df36db058b898d31fe33023d7749a521cc511c7d9489a6665023

      SHA512

      c7e76e9bf3373d0704a2e83966b7ebe2f49641dbbe190e9b22f36f7143b26fad82b03793d0a2cf70a19635920b4ded32a52f007acffb15a810deb445a40a5d0b

      Download Submit

    • C:\ProgramData\D94F.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\BfUuixlUp.README.txt
      Filesize

      2KB

      MD5

      32ab0f5907d75aa61a2034fee73a0a44

      SHA1

      d458db1e27972a833781f14ed557b8f974a590dc

      SHA256

      fa2b8ef4874e99dc8f433912931fe097ddaf99cab5079e479a31dbbb1f889ba3

      SHA512

      5e1676d22d4a60f93b564ab82cd01d2a1ec38834a892ec7b7930d2f819895a5e24f12bd353eff08fa3cfaa8d851247a03a22192d985ae12fede932c36cb54d3f

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      28416a70848ea7f7a1f3f2bcb4ed806d

      SHA1

      3baafc86ac07dc07bfcd8faab667c33f481380bc

      SHA256

      2cfa1660940fdbf39ddafb3b18a6ef651df4ca7edc7a836814d37762a3751718

      SHA512

      a4151e294bdef08134abe35511b3d44a5f74b49e89373b4e0a2834e52e2b6201a51f7083532903a5c3af2aa50ee648c9161d43c9be328cefeca16145e6be1cb7

      Download Submit

    • memory/2812-1-0x0000000002400000-0x0000000002500000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2812-2-0x0000000000400000-0x00000000022DD000-memory.dmp

      Filesize

      30.9MB

      Download

    • memory/2812-3-0x0000000000220000-0x0000000000249000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2812-4-0x0000000003D10000-0x0000000003D50000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2812-88-0x0000000000400000-0x00000000022DD000-memory.dmp

      Filesize

      30.9MB

      Download

    • memory/2812-296-0x0000000000400000-0x00000000022DD000-memory.dmp

      Filesize

      30.9MB

      Download

    • memory/2812-297-0x0000000002400000-0x0000000002500000-memory.dmp

      Filesize

      1024KB

      Download