Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/04/2024, 11:18
240418-ned1xsbd66 1018/04/2024, 11:18
240418-nea92abd64 1018/04/2024, 11:18
240418-neay9scf7z 1018/04/2024, 11:18
240418-neacqscf7y 718/04/2024, 11:18
240418-nd92zacf7x 718/04/2024, 09:59
240418-lz5chaba8t 7Analysis
-
max time kernel
595s -
max time network
602s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
18/04/2024, 11:18
Static task
static1
Behavioral task
behavioral1
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win7-20240220-en
Behavioral task
behavioral3
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win10-20240319-en
Behavioral task
behavioral4
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win11-20240412-en
General
-
Target
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
-
Size
371KB
-
MD5
eafe645b56c3f5cb746fb5f8504f6035
-
SHA1
f539987de9fe59bff20483ac7a124afafc27036b
-
SHA256
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94
-
SHA512
61af2cfa960a72b66d54d0ee121acb5c54d455b05eb85fb2d7df2958d3134d348c87a5aef2aa46319532407f7ebf01eaedfb8dd889bb0f67ce5edc067445e806
-
SSDEEP
6144:hnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLv3RXdYX9ji+uhi2PsrhY:dzQnkM1oSiBGI8bxn5W6i+uo20tY
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae54cee-4e53-4f2c-ba02-98fdc815aead}\_DECRYPT_INFO_hpfqkh.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
C:\_DECRYPT_INFO_hpfqkh.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\_DECRYPT_INFO_hpfqkh.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Signatures
-
Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (272) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral4/memory/3076-47-0x0000000003A60000-0x0000000003A68000-memory.dmp acprotect behavioral4/memory/3076-51-0x0000000003A60000-0x0000000003A68000-memory.dmp acprotect behavioral4/memory/3076-50-0x0000000003A60000-0x0000000003A68000-memory.dmp acprotect -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5084 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1356 WINWORD.EXE 1356 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3076 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 3076 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2712 vssvc.exe Token: SeRestorePrivilege 2712 vssvc.exe Token: SeAuditPrivilege 2712 vssvc.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3076 wrote to memory of 1356 3076 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 96 PID 3076 wrote to memory of 1356 3076 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 96 PID 3076 wrote to memory of 5084 3076 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 109 PID 3076 wrote to memory of 5084 3076 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 109 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe"C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1356
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:5084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:4748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:1384
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD522a4a216df4133e20dc08f2d3ea4502a
SHA12740d03ea4de64d0852bcff9642fd3bfa14a7fe1
SHA256788738a0476c256f99a3bc341d79ce5a23b10959f066b39f1cdec7715ed8bb42
SHA5124f04c11c21cd8cb9811ea04344decf115a6cfe51a37ab6e1ad3ca04feabf5347d6510d3b13b53f435c497d207d1daaebaa118f8c468a76411dd88327846b5a32
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{13e2622c-ee51-431b-b9da-2b7a5448ade0}\0.1.filtertrie.intermediate.txt.hpfqkh
Filesize48B
MD5b44a451048f514c889686321941785de
SHA16fc6756921d91682319e938e5948aeed77fc8b9b
SHA2568f655a639555dc5b80e883ae5b078eb71c0e392847780715df64218edd4b68ed
SHA512ca50cb9c82d9f049f07e1fc324cfd7926225aadca7d6f1a1e3fdd38e84bb02d00b8775c062497bfd350f59001d40e342c4bc0f6ac92ca158407991cb1a30d5d5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3ae54cee-4e53-4f2c-ba02-98fdc815aead}\_DECRYPT_INFO_hpfqkh.html
Filesize12KB
MD5b86f43b2df9646e99f7075e97f5d9288
SHA1852a39df1e0cab1dbfcf1563c101b576cb00c7db
SHA2564c8e37a22750c0695a1c77d01ab4214c115ba3d4061b05601b14cc6547b22680
SHA5129a8eba7d36d255a7fef8174a9f957da9bad77cc93445007e4b7e6033665af5ec6e18ffef71573cc7e005ac500eaac9407969c19140880c623e640caf56e67dc2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fe1f2851-ffca-4750-ab86-7885527899b0}\0.2.filtertrie.intermediate.txt.hpfqkh
Filesize48B
MD55fa58c41f4908f44397b28efd566e442
SHA1a5227be37c47a58eee0a958947f43ed61392df72
SHA256ad0537689da56d6fa71a34c198cc2a04163ba5dc7d85d8940bc272d9844c892b
SHA5125e302ef46c5d3e4b64b5361874a7812ba995a5c89174631690eff20b92be8e4b9131c2d74121187d208a5c41e977a10b0d430801f51c45a8c76965fec3aa719c
-
C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf
Filesize4KB
MD52d5020c82de674b48cfd17cc20fcbba2
SHA14e317eaeebd839ee5f6eb3925a9fbee819c5349c
SHA256120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a
SHA512ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d
-
Filesize
12KB
MD53024997a92f4fc1adfd58fe2ce534b1b
SHA1b28de2095cdca4340947696df81928e0f1c9820f
SHA25630083ff1dc868e3ac67610ce9d3ec4d53f9da61005c5a7d616cee9f1f8358701
SHA5121cc39d250a9fdbeb43a93fb129235b6bf96d143652e017fc365812da441ecaf746ce89120f15df2e14541a040a589e67aa0526d0fd1d336a0221f7aaf1b58ebe