Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/04/2024, 11:18
240418-ned1xsbd66 1018/04/2024, 11:18
240418-nea92abd64 1018/04/2024, 11:18
240418-neay9scf7z 1018/04/2024, 11:18
240418-neacqscf7y 718/04/2024, 11:18
240418-nd92zacf7x 718/04/2024, 09:59
240418-lz5chaba8t 7Analysis
-
max time kernel
1791s -
max time network
1453s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
18/04/2024, 11:18
Static task
static1
Behavioral task
behavioral1
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Resource
win11-20240412-en
General
-
Target
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
-
Size
371KB
-
MD5
eafe645b56c3f5cb746fb5f8504f6035
-
SHA1
f539987de9fe59bff20483ac7a124afafc27036b
-
SHA256
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94
-
SHA512
61af2cfa960a72b66d54d0ee121acb5c54d455b05eb85fb2d7df2958d3134d348c87a5aef2aa46319532407f7ebf01eaedfb8dd889bb0f67ce5edc067445e806
-
SSDEEP
6144:hnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLv3RXdYX9ji+uhi2PsrhY:dzQnkM1oSiBGI8bxn5W6i+uo20tY
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a05573ae-d3c0-418f-a23f-d5b7ab07c879}\_DECRYPT_INFO_kqhnjl.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\_DECRYPT_INFO_kqhnjl.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Signatures
-
Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (228) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral5/memory/1112-53-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect behavioral5/memory/1112-56-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect behavioral5/memory/1112-59-0x0000000003B00000-0x0000000003B08000-memory.dmp acprotect -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3508 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2888 WINWORD.EXE 2888 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1112 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 1112 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2856 vssvc.exe Token: SeRestorePrivilege 2856 vssvc.exe Token: SeAuditPrivilege 2856 vssvc.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2888 WINWORD.EXE 2888 WINWORD.EXE 2888 WINWORD.EXE 2888 WINWORD.EXE 2888 WINWORD.EXE 2888 WINWORD.EXE 2888 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1112 wrote to memory of 2888 1112 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 77 PID 1112 wrote to memory of 2888 1112 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 77 PID 1112 wrote to memory of 3508 1112 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 81 PID 1112 wrote to memory of 3508 1112 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe 81 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe"C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2888
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3508
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5e64d379fbb21da53f2fad9f4b7e5c8d8
SHA195807fdafb9df6c923b36ee43874953677cd4150
SHA2567a26673ccc6623361c3aa9264126935eecc0ebba3439dba71bfbf0d5254122d1
SHA5127bf8872cfbfb06eecb951006a2143dc70d4d9d1e257760636fe8782c76a20d0a285e571c5c63934f0b917e70d04f81d9d82d7c38f401d1ff96f04d50edee874a
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a05573ae-d3c0-418f-a23f-d5b7ab07c879}\_DECRYPT_INFO_kqhnjl.html
Filesize12KB
MD5415b9dd17fff266a35ca0d6dd3f9896e
SHA1925828ae6d4c41f7bfcb1d53c3a1041a1d6e8663
SHA256a8d7745822e2df074eac3de28c04bdf709b9941c6bf4c3d70ecee0226fe37426
SHA512aad3259b3e637a9fd69fc91aa98caf9e3f44d09ed54836d81be237365272c00e21ec04db53e2aac837aafa05935799bf90c1a94a109d365bc877ca8e36b44158
-
C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf
Filesize4KB
MD52d5020c82de674b48cfd17cc20fcbba2
SHA14e317eaeebd839ee5f6eb3925a9fbee819c5349c
SHA256120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a
SHA512ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e