Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/03/2024, 12:33

General

  • Target

    73b4c516c21979840ac94aa1db830d0b2d6ad2746c7d89a5bd76d36190bbdbaf.exe

  • Size

    212KB

  • MD5

    0dc7a3ddfc6a8526d901a4bf1a582771

  • SHA1

    3aa3708c82128733553f8b04cb0003358643ee23

  • SHA256

    73b4c516c21979840ac94aa1db830d0b2d6ad2746c7d89a5bd76d36190bbdbaf

  • SHA512

    5fd2fb6e661a3cc518b388612afbdd7327f64fe71f4f6b27a4ddec0db15ccc24f93f16781981877dbe55e8a5d471734abc630e601af2ecc50aa687ab3dcf7f6c

  • SSDEEP

    3072:cU5iX+kkrOhuHFDuQrE99FEx/eOyUQBuz4q6fSIZgvOHNrR/iXs:cyiX+kiOhucEZyUQBgvNaskrR/i8

Score
10/10

Malware Config

Extracted

Path

C:\Users\BfUuixlUp.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~

>>>>> Your data is stolen and encrypted.
BLOG Tor Browser Links:
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

>>>>> What guarantee is there that we won't cheat you?
We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live

>>>>> You need to contact us on TOR darknet sites with your personal ID
Download and install Tor Browser https://www.torproject.org/
Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.

Tor Browser personal link for CHAT available only to you (available during a ddos attack):
Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks):
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> Your personal Black ID: 29B1ABFE687F6B830B58D66FEA3DEAA8 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!
>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
Signatures

  • Renames multiple (163) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Program crash 1 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\73b4c516c21979840ac94aa1db830d0b2d6ad2746c7d89a5bd76d36190bbdbaf.exe
    "C:\Users\Admin\AppData\Local\Temp\73b4c516c21979840ac94aa1db830d0b2d6ad2746c7d89a5bd76d36190bbdbaf.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\ProgramData\A7D4.tmp
      "C:\ProgramData\A7D4.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:4216
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1424
      2⤵
      • Program crash
      PID:2180
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1228
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5012 -ip 5012
    1⤵
    PID:1452
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:960

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        eefea10bdbf7819fd81fc69face6f45f

        SHA1

        d9edf6a58dbd7f68c430a84bd91da6f3be9892c4

        SHA256

        412cd001ad6f2df0f5695bec5758f1c9ea9b12b6a665121d044ada2ca9b20fb9

        SHA512

        7e0d2d4df905854e6661b8c683d5cdb08e7e8df641349089c5a128de8d71f2d6cf705369222124a273c61c183f3f35f4355a2656ca266772d4c9f5117ba27698

      • C:\ProgramData\A7D4.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        212KB

        MD5

        ea20f059b1a613b7412910367e9b3aa1

        SHA1

        819f47ae78bf28306cb27a6c32549d04ef8cd6ec

        SHA256

        b502b656cc70b3d923719bdf9d8b1b80427e5fbc0cf531a69677769c5eaef1e9

        SHA512

        86210205245b8e107ffe1426f641e6fb791da08befdb194d1e6bd8886d16af0e4273a4b5228ab2db584cba21b4a605200e48a5f5f9002fd1cd56b7ae5875bf06

      • C:\Users\BfUuixlUp.README.txt

        Filesize

        2KB

        MD5

        c0238513ed89d17f3f08c1cf1d809035

        SHA1

        eee75fae29077844513810c0e56da0f293e490e3

        SHA256

        e35c11b6936b8be3e3daba5f9f7234e4710449d8a9505f0d47bb2e5cb858d99e

        SHA512

        f097ee7ce68ff56eb8b0442ccc1b705845eb6c54783944aef7511a0741e4d102afc1d1aeecb55db295eb8b687a45868747bcff829b60705cb03aee4ba041b7cf

      • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        9f2a484eb25e42b6f301487b01297f57

        SHA1

        d46e17fb2e0faa270749ff6069f5902f2d10c698

        SHA256

        ceb2a8684c68de00d4b1c2ce0c71235acb1028f3990af1305ccda569885419e9

        SHA512

        0f8652d5469218cb23655eac2a09df9c5002e5eec39efd052845c91377c04a206df0a33c8129e52df2a10adb1d09012b8a2279ce509598fdaa0188af4e63ef6d

      • memory/4216-333-0x00000000024D0000-0x00000000024E0000-memory.dmp

        Filesize

        64KB

      • memory/4216-335-0x000000007FE20000-0x000000007FE21000-memory.dmp

        Filesize

        4KB

      • memory/4216-369-0x00000000024D0000-0x00000000024E0000-memory.dmp

        Filesize

        64KB

      • memory/4216-368-0x00000000024D0000-0x00000000024E0000-memory.dmp

        Filesize

        64KB

      • memory/4216-367-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/4216-334-0x00000000024D0000-0x00000000024E0000-memory.dmp

        Filesize

        64KB

      • memory/4216-332-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/4216-337-0x000000007FE40000-0x000000007FE41000-memory.dmp

        Filesize

        4KB

      • memory/4216-336-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

        Filesize

        4KB

      • memory/5012-330-0x0000000004290000-0x00000000042A0000-memory.dmp

        Filesize

        64KB

      • memory/5012-329-0x0000000004290000-0x00000000042A0000-memory.dmp

        Filesize

        64KB

      • memory/5012-321-0x0000000002520000-0x0000000002620000-memory.dmp

        Filesize

        1024KB

      • memory/5012-3-0x0000000000400000-0x00000000022DD000-memory.dmp

        Filesize

        30.9MB

      • memory/5012-331-0x0000000004290000-0x00000000042A0000-memory.dmp

        Filesize

        64KB

      • memory/5012-323-0x0000000000400000-0x00000000022DD000-memory.dmp

        Filesize

        30.9MB

      • memory/5012-322-0x0000000004040000-0x0000000004069000-memory.dmp

        Filesize

        164KB

      • memory/5012-5-0x0000000004290000-0x00000000042A0000-memory.dmp

        Filesize

        64KB

      • memory/5012-320-0x0000000000400000-0x00000000022DD000-memory.dmp

        Filesize

        30.9MB

      • memory/5012-6-0x0000000004290000-0x00000000042A0000-memory.dmp

        Filesize

        64KB

      • memory/5012-338-0x0000000000400000-0x00000000022DD000-memory.dmp

        Filesize

        30.9MB

      • memory/5012-2-0x0000000004040000-0x0000000004069000-memory.dmp

        Filesize

        164KB

      • memory/5012-254-0x0000000000400000-0x00000000022DD000-memory.dmp

        Filesize

        30.9MB

      • memory/5012-4-0x0000000004290000-0x00000000042A0000-memory.dmp

        Filesize

        64KB

      • memory/5012-1-0x0000000002520000-0x0000000002620000-memory.dmp

        Filesize

        1024KB