Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/04/2024, 05:22
240418-f2z8nscc74 1018/04/2024, 05:22
240418-f2njwade8w 1018/04/2024, 05:21
240418-f2gfkade8s 718/04/2024, 05:21
240418-f2csdacc53 1018/04/2024, 05:21
240418-f2b6vade7x 7Analysis
-
max time kernel
1190s -
max time network
1179s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
14/04/2024, 14:18
Static task
static1
Behavioral task
behavioral1
Sample
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral4
Sample
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Resource
win11-20240412-en
General
-
Target
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
-
Size
371KB
-
MD5
bb8cd5df2be7e8bcc5be439675b3d0a2
-
SHA1
627ac60f64974d5caaf81c2de8ca0977c91f4219
-
SHA256
d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a
-
SHA512
57031eb7d7b2c27d7ecacdc085d07065ced46a742128f9818f62c9fe6633c31aa8eb20ffc52c8415613787946060f5a6b5adf8b977d5ca4fed9656233ebd9cfa
-
SSDEEP
6144:tnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLvLRXdYX9ji+uhi2PsrhY:hzQnkM1oSiBGI8bxn5m6i+uo20tY
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a84e2c2d-ea14-4dcc-a0d8-a658f104bdd8}\_DECRYPT_INFO_jaqfd.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\INetCache\O2S29HYF\_DECRYPT_INFO_jaqfd.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\_DECRYPT_INFO_jaqfd.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Signatures
-
Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (228) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral4/memory/4748-37-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect behavioral4/memory/4748-41-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect behavioral4/memory/4748-42-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2636 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2680 WINWORD.EXE 2680 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4748 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 4748 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 572 vssvc.exe Token: SeRestorePrivilege 572 vssvc.exe Token: SeAuditPrivilege 572 vssvc.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2680 WINWORD.EXE 2680 WINWORD.EXE 2680 WINWORD.EXE 2680 WINWORD.EXE 2680 WINWORD.EXE 2680 WINWORD.EXE 2680 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4748 wrote to memory of 2680 4748 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 81 PID 4748 wrote to memory of 2680 4748 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 81 PID 4748 wrote to memory of 2636 4748 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 85 PID 4748 wrote to memory of 2636 4748 d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe 85 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe"C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.rtf" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2680
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2636
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\_DECRYPT_INFO_jaqfd.html
Filesize12KB
MD53bec926e65c92eda657aa9ebcf3ab700
SHA18fa640a251d23633ab71fc0c522686777e8fd43e
SHA25686b538c34b21b64b80638e345d39e7d6cd6abc1c850907d2a4cb9972c47a614d
SHA5123ceb3673c4f219ff13342c4521c08a4bcaf700b6dddccba5a32e9046041efe59e3b48e7389f2c7b299e3ee02dbfeead512e41874bfd3573a57b9f62f876202eb
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\INetCache\O2S29HYF\_DECRYPT_INFO_jaqfd.html
Filesize12KB
MD5661133d03ca4fa56013ec8800fce590d
SHA1b0c6e376c52399491e8a8f1168c59a451e6873a3
SHA2561b24b286fc95dbcdd0c96bef30c69006164e9a01ead0189db7f5178314066d64
SHA512fb8576cbc5621941c5dd70d7b3d565bcc480bb54505d6bfb0270f8fafbd4166fcda6cf5c6a735d4a1bf2497901e7a54f77d1d1b410290bd34ea97c903967239b
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a84e2c2d-ea14-4dcc-a0d8-a658f104bdd8}\_DECRYPT_INFO_jaqfd.html
Filesize12KB
MD59c8e7f06001242f8a3e52e2b5852a7c6
SHA1687bd023b5dbf87c451ac7ebe1687530d775ed0c
SHA2560e5a4ad62e9c597da841c6a15f90b8f1cbe48b1e456caa52c1b529d1a9574337
SHA51214baaebf4c322c25fdc07817023303d462402fff5431cf954d1e860f5b589a7595468e03f450be4f60c43bd8cd160ec02a6375bc311feeff2b216083149fc211
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.rtf
Filesize4KB
MD52d5020c82de674b48cfd17cc20fcbba2
SHA14e317eaeebd839ee5f6eb3925a9fbee819c5349c
SHA256120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a
SHA512ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d