Resubmissions

15/04/2024, 10:50

240415-mxdmfacf29 10

15/04/2024, 07:11

240415-hzw5cahc99 10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/04/2024, 07:11

General

  • Target

    1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe

  • Size

    767KB

  • MD5

    ae2f422a1ca6558ca6dd723c1b351b7a

  • SHA1

    eeec0b0012f1b6c41a70f6f13d2ec01e0b3ef6ad

  • SHA256

    1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda

  • SHA512

    30a0ea93646669e6b2aac357e36c558da8fbd166435cc05d33daf80e01d12c4dfa903e6532ff0e58c47faee12c63998aa2313bb2e73650878f3d050654c751c3

  • SSDEEP

    12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ks:WnsJ39LyjbJkQFMhmC+6GD9R

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\Readme.txt

Ransom Note
Attention Tax payer: All Your files have been locked with ransomware by law enforcement for violating cyber laws. All of your important documents, photos, and videos have been encrypted and cannot be accessed without a decryption key. This is a serious offense and you must pay a fine to unlock your files. To unlock your files, follow these instructions: 1. Contact us on telegram = @Lawinfo19 2. We will tell about you problem 3. You need us to pay a amount for your criminal activity 4. Use the decryption key to unlock your files. If you fail to comply with these instructions, the fine will increase and your files will be permanently deleted. Do not attempt to remove the ransomware or tamper with your files. Any attempts to do so will result in the permanent loss of your data. We understand the inconvenience this may cause, but it is necessary to ensure that cyber laws are not violated. We apologize for any inconvenience and hope to resolve this matter as soon as possible. Sincerely, Law Enforcement

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (456) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
    "C:\Users\Admin\AppData\Local\Temp\1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Runtime Broker.exe
        "C:\Users\Admin\AppData\Local\Runtime Broker.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Sets desktop wallpaper using registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:292
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1268
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1768
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2380
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:448
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:1300
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        PID:2488
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2120
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1332
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:320
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:376

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe

        Filesize

        767KB

        MD5

        ae2f422a1ca6558ca6dd723c1b351b7a

        SHA1

        eeec0b0012f1b6c41a70f6f13d2ec01e0b3ef6ad

        SHA256

        1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda

        SHA512

        30a0ea93646669e6b2aac357e36c558da8fbd166435cc05d33daf80e01d12c4dfa903e6532ff0e58c47faee12c63998aa2313bb2e73650878f3d050654c751c3

      • C:\Users\Admin\Contacts\Readme.txt

        Filesize

        1KB

        MD5

        4e5afc973a7d062342a5020e33bf85dc

        SHA1

        345fbfd0fcad94b2975021c802f5345cce10e037

        SHA256

        ce82cff28fa692ed34a2e9076641f2097248412ac990fd1fe59fc1ae6cda7401

        SHA512

        e41f9fb8ce570fdb5b6fe213f9774f639d156f43a10ba18c0c90f528956f8ca1677b9663930132242751bcf26174eaedeb909779c1f4e521b00468647904e5a5

      • \Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe

        Filesize

        22KB

        MD5

        c664f5be59fb3a17761dd2ada9eef228

        SHA1

        1f32c2b1aa103c73c9fb9624e53318d5bc8d60f1

        SHA256

        2a567c61c401c4fd6f7a4ae88265d7a0dbd0c14fdcc116f8c5d98da6022066ec

        SHA512

        c24a25237d009715f3b98fdf4489af8a484ab93091dbbd6ab1815946c9af24cff3f026bb3e7bff969348621cc82769b7fd1dde5bdbaba14768b229cac85b2259

      • memory/292-45-0x0000000000340000-0x000000000034C000-memory.dmp

        Filesize

        48KB

      • memory/292-1140-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

        Filesize

        9.9MB

      • memory/292-48-0x000000001AFE0000-0x000000001B060000-memory.dmp

        Filesize

        512KB

      • memory/292-47-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

        Filesize

        9.9MB

      • memory/1500-226-0x00000000726AD000-0x00000000726B8000-memory.dmp

        Filesize

        44KB

      • memory/1500-428-0x00000000726AD000-0x00000000726B8000-memory.dmp

        Filesize

        44KB

      • memory/1500-416-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/1500-212-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/1888-26-0x0000000000400000-0x00000000004C6000-memory.dmp

        Filesize

        792KB

      • memory/1888-0-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/2488-38-0x0000000000B30000-0x0000000000B3C000-memory.dmp

        Filesize

        48KB

      • memory/2488-39-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

        Filesize

        9.9MB

      • memory/2488-1143-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

        Filesize

        9.9MB

      • memory/2544-30-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/2544-1141-0x0000000000400000-0x00000000004C6000-memory.dmp

        Filesize

        792KB

      • memory/2544-1142-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/2544-1180-0x0000000000400000-0x00000000004C6000-memory.dmp

        Filesize

        792KB

      • memory/2556-25-0x00000000011C0000-0x00000000011CC000-memory.dmp

        Filesize

        48KB

      • memory/2556-46-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

        Filesize

        9.9MB

      • memory/2556-27-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

        Filesize

        9.9MB