Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
31/05/2024, 17:28
Static task
static1
Behavioral task
behavioral1
Sample
Ransom.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Ransom.exe
Resource
win10v2004-20240426-en
General
-
Target
Ransom.exe
-
Size
376KB
-
MD5
120c6ddfc24274b6e2e3a1ba7dc519ab
-
SHA1
29936b1aa952a89905bf0f7b7053515fd72d8c5c
-
SHA256
2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8
-
SHA512
dd9b2fb6cd5f6f044daa80ef634078849032ebbdbd1d293bb7bcb0270aa8b7360c39addb0826c7a3ddc8714b559bf8828e8e506ac91bcb4702a72f4c8ec4850a
-
SSDEEP
6144:KFtgKBIxGS/bbWGGJK8PpzR1WpOJOQMeEBwhUg5bBDNPbsP/qrscpyj4CVKSkn:+tgKIxfbbezR1WpOJJMjihU030/qRMra
Malware Config
Extracted
F:\$RECYCLE.BIN\HOW TO BACK FILES.txt
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
-
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (7212) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: Ransom.exe File opened (read-only) \??\S: Ransom.exe File opened (read-only) \??\W: Ransom.exe File opened (read-only) \??\E: Ransom.exe File opened (read-only) \??\B: Ransom.exe File opened (read-only) \??\P: Ransom.exe File opened (read-only) \??\M: Ransom.exe File opened (read-only) \??\N: Ransom.exe File opened (read-only) \??\I: Ransom.exe File opened (read-only) \??\J: Ransom.exe File opened (read-only) \??\L: Ransom.exe File opened (read-only) \??\O: Ransom.exe File opened (read-only) \??\Q: Ransom.exe File opened (read-only) \??\T: Ransom.exe File opened (read-only) \??\D: Ransom.exe File opened (read-only) \??\H: Ransom.exe File opened (read-only) \??\X: Ransom.exe File opened (read-only) \??\Z: Ransom.exe File opened (read-only) \??\U: Ransom.exe File opened (read-only) \??\V: Ransom.exe File opened (read-only) \??\K: Ransom.exe File opened (read-only) \??\Y: Ransom.exe File opened (read-only) \??\A: Ransom.exe File opened (read-only) \??\G: Ransom.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099151.WMF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml Ransom.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\HOW TO BACK FILES.txt Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange.css Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB Ransom.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\HOW TO BACK FILES.txt Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar Ransom.exe File opened for modification C:\Program Files\Mozilla Firefox\locale.ini Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar Ransom.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Algiers Ransom.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui Ransom.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api Ransom.exe File opened for modification C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00437_.WMF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01244_.GIF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18216_.WMF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34F.GIF Ransom.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00902_.WMF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107358.WMF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SWEST_01.MID Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143748.GIF Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar Ransom.exe File opened for modification C:\Program Files\UpdateSplit.temp Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241037.WMF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309920.WMF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml Ransom.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\HOW TO BACK FILES.txt Ransom.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\HOW TO BACK FILES.txt Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF Ransom.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\HOW TO BACK FILES.txt Ransom.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\HOW TO BACK FILES.txt Ransom.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Darwin Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_ON.GIF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME03.CSS Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg Ransom.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\HOW TO BACK FILES.txt Ransom.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac Ransom.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\HEADER.GIF Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css Ransom.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar Ransom.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICTPH.POC Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct Ransom.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts2.css Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css Ransom.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF Ransom.exe File created C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\HOW TO BACK FILES.txt Ransom.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\HOW TO BACK FILES.txt Ransom.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar Ransom.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2764 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 376 Ransom.exe 376 Ransom.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeDebugPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe Token: SeTakeOwnershipPrivilege 376 Ransom.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 376 wrote to memory of 2196 376 Ransom.exe 28 PID 376 wrote to memory of 2196 376 Ransom.exe 28 PID 376 wrote to memory of 2196 376 Ransom.exe 28 PID 376 wrote to memory of 2196 376 Ransom.exe 28 PID 376 wrote to memory of 3004 376 Ransom.exe 30 PID 376 wrote to memory of 3004 376 Ransom.exe 30 PID 376 wrote to memory of 3004 376 Ransom.exe 30 PID 376 wrote to memory of 3004 376 Ransom.exe 30 PID 376 wrote to memory of 2764 376 Ransom.exe 32 PID 376 wrote to memory of 2764 376 Ransom.exe 32 PID 376 wrote to memory of 2764 376 Ransom.exe 32 PID 376 wrote to memory of 2764 376 Ransom.exe 32 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" Ransom.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransom.exe"C:\Users\Admin\AppData\Local\Temp\Ransom.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:376 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures2⤵PID:2196
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no2⤵PID:3004
-
-
C:\Windows\system32\vssadmin.exe"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2764
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
910B
MD59b1b0fa2db87c8f756cb724635976df4
SHA17fa33703f7d784b542701258e59264985b6fd673
SHA256e912541c26678d5b3dd756a29c60c9b05e512bade320631d06d8ab825905fc15
SHA512d371d8b00f8500b0e04106ea19346e5e9989ee7939746dd685d34245bd906352d47b74b7f4cfd41f2598da589a15d092e4e60ffc3dd8a7a9b477aa721681a986