Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/04/2024, 05:22
240418-f2z8nscc74 1018/04/2024, 05:22
240418-f2njwade8w 1018/04/2024, 05:21
240418-f2gfkade8s 718/04/2024, 05:21
240418-f2csdacc53 1018/04/2024, 05:21
240418-f2b6vade7x 7Analysis
-
max time kernel
590s -
max time network
523s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
14/04/2024, 14:18
Static task
static1
Behavioral task
behavioral1
Sample
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral4
Sample
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Resource
win11-20240412-en
General
-
Target
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
-
Size
371KB
-
MD5
bb8cd5df2be7e8bcc5be439675b3d0a2
-
SHA1
627ac60f64974d5caaf81c2de8ca0977c91f4219
-
SHA256
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a
-
SHA512
57031eb7d7b2c27d7ecacdc085d07065ced46a742128f9818f62c9fe6633c31aa8eb20ffc52c8415613787946060f5a6b5adf8b977d5ca4fed9656233ebd9cfa
-
SSDEEP
6144:tnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLvLRXdYX9ji+uhi2PsrhY:hzQnkM1oSiBGI8bxn5m6i+uo20tY
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c935c582-a3cb-4be7-a06a-d34e1d079df6}\_DECRYPT_INFO_hrrqu.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\_DECRYPT_INFO_hrrqu.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Signatures
-
Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (218) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral4/memory/4124-52-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect behavioral4/memory/4124-55-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect behavioral4/memory/4124-56-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2800 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2476 WINWORD.EXE 2476 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4124 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 4124 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 4396 vssvc.exe Token: SeRestorePrivilege 4396 vssvc.exe Token: SeAuditPrivilege 4396 vssvc.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2476 WINWORD.EXE 2476 WINWORD.EXE 2476 WINWORD.EXE 2476 WINWORD.EXE 2476 WINWORD.EXE 2476 WINWORD.EXE 2476 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4124 wrote to memory of 2476 4124 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 81 PID 4124 wrote to memory of 2476 4124 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 81 PID 4124 wrote to memory of 2800 4124 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 85 PID 4124 wrote to memory of 2800 4124 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 85 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe"C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.rtf" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2476
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2800
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD59ffda6625da5584768178e2aea27d29c
SHA101abcd45495357ca36840810b61dc022d3e6c0f0
SHA2564bf521fa5e6a6c7767e55834f321d45f0eef4fddfdce5277c7da5884b5661018
SHA512688960bf099b19cfb4dfca1b90882c272dd8984bf8d5ede4c201662ec2097e081c3772be5ca43911d54feee40f776c1e12d3909a9b7c5379bf11d00021d2af17
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c935c582-a3cb-4be7-a06a-d34e1d079df6}\_DECRYPT_INFO_hrrqu.html
Filesize12KB
MD5c8fb1a46097710d24dcf93b794c84530
SHA18b0aa653aadb0b3fd38724ba7ac4fc5bf5b72761
SHA256bbcee717afb7760dde289d04c81d71609823b1937735287ae01056b6833f8837
SHA5127afadc1b3e64b444e238dab9c92b0d08531bcd3167be051a3a88dc7d62a9e2af2906254c3cf63806fbc3fc4f215d7edb175094d2d4e0873606d3184ed47fbe16
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.rtf
Filesize4KB
MD52d5020c82de674b48cfd17cc20fcbba2
SHA14e317eaeebd839ee5f6eb3925a9fbee819c5349c
SHA256120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a
SHA512ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d