Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
10/06/2024, 11:48
General
-
Target
VirusShare_99e83f42796e5390063243810c0629de.exe
-
Size
184KB
-
MD5
99e83f42796e5390063243810c0629de
-
SHA1
a97c9cdff2002fc328a933df1ae3bc67508814ee
-
SHA256
722d3afa33d79b277e4198517084248b25db8dc90207b5ee4fff76dfa2b19fb5
-
SHA512
ecc5e1e8fe8b36dbf2326e182772ca852e155f8deb5562e3ff707538c5b24961c16a44b26737efbd09cc6d38683cf51c1a363e2668c27f7453ffea21eb0a7a2c
-
SSDEEP
3072:jFIkQ7yjaILMvzovwBB82T/NyG86ry6BSTqQ+hvVdhCL9juDEDsj/RR:pjLMswHHQG86ry6BSGLVAjuv
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\+REcovER+xfkps+.txt
http://i5ndw.titlecorta.at/6A4CE9A63B39ECC8
http://d34fa.lasmeio.com/6A4CE9A63B39ECC8
http://2gdb4.leoraorage.at/6A4CE9A63B39ECC8
http://k7tlx3ghr3m4n2tu.onion/6A4CE9A63B39ECC8
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\+REcovER+xfkps+.html
http://i5ndw.titlecorta.at/6A4CE9A63B39ECC8</a>
http://d34fa.lasmeio.com/6A4CE9A63B39ECC8</a></a>
http://2gdb4.leoraorage.at/6A4CE9A63B39ECC8</a>
http://k7tlx3ghr3m4n2tu.onion/6A4CE9A63B39ECC8
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_99e83f42796e5390063243810c0629de.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_99e83f42796e5390063243810c0629de.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\qtwibv.exeC:\Users\Admin\Documents\qtwibv.exe2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+REcovER+xfkps+.txt3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\+REcovER+xfkps+.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\qtwibv.exe >> NUL3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL2⤵
- Deletes itself
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5dde5de1a00386ce9bb6c2e733b39ac6e
SHA1dcdbeb0f28be837808fe0b5bf15799bf5260e3e3
SHA256201902c491bada3554d39af4dd3bdd2afdabc3fb4960432f5b0e047eb901e1e6
SHA512019a9eb7f3dc6f1c31bc5f8096a4e530f832010e4be2a784a5c5d26850ed58775334b12b1d03c52a94f3dff3bdf503ce32ccf8a2155fa1a04fcccdf3de4f8e01
-
Filesize
83KB
MD5fada2da47236fe767ce28b51bef62a72
SHA10a232a2fa3f3323a75bd0d35b8e525a2e6d67215
SHA25695a88f2c95ed593bdc1d1f65fa6cb89e031381483da695db255d28b0f606c28d
SHA51206f43348afb698e0ecb415bab112b918f2184329c06391393bcd9bc6c41a4657480542e9ed8731cf1220e3e8d1a359751748b6949cea88e0e2299fe488eb23e1
-
Filesize
2KB
MD5b8f0d999a84e06dc92f252600d321a62
SHA1b52634cd7f1528106dba7d89fae8487d52a46f62
SHA256d93b3e990b6c671bcfaf2e7826ae01aefbc8d9a2fcb870f722eeeec096f4c6fe
SHA5127fdd5c0e80f4070c31245bff64278e62c7a1a82cfe0c9a3c6998c0c4fd4813b03b3e5943da0e7ca6f805f5278a6c73451e5b6a6465cef24cecbccca76d1542a1
-
Filesize
342B
MD53590963e2a14f15e64172933a4ba0368
SHA1858e959bd56a1e95f75b9095a2bae709e4a2dc84
SHA2562ddc73eb46e89aaf4ab7280055b2a61c0e54626b0d302f7c931b2d3f7591e8ca
SHA512bc4edeeb50dcebdb9b53a0f5e3d68f3bd2dc46d76748f40245785d5fff181c9eda3515b1e4bc0c14f15b2c07cc2eb7f7f44772138d73cae8bcd17187ce1399de
-
Filesize
342B
MD528136562b8c59620e3d7eb0a97dec8e2
SHA1d3668d541d609dc9dd34caf7bb6bc92a1b181a44
SHA25645cd25e761ad8d75e4fd76433969ac58be80d69eac9f56eae15f65b7280c5aa3
SHA51293927c46f4a69366caf341aeca7247f08838398fbead881fbff65a32b261767c1a4ffa91951e6bf611e87263aa3ccaa474147ec78e1bcd655fb02717cc7696e0
-
Filesize
342B
MD5f45a61433dcf1ff2a46ca5e08eb50793
SHA1873736b19bec3efb3d89ba7017d3183cd97369cd
SHA256f91c8326508747e75f400cc806c89a6ecf4a1fb9d5551994d7c54565c3885f5f
SHA5125f2626bb1ce35243e0863f14c8d73ca3468189053dcd759b4bc6485803c3c76b25825c5dd2507cca57d56e55432964a49f262164158077b8ad532bb25129e04a
-
Filesize
342B
MD53afd372c813739e19eea003f69b837f8
SHA191f13a413490732a5d1829b473cf035760108329
SHA2563ff2b150dd06aff8f69738e19b4b95815cfcff3b950415240e952e68dadfee80
SHA512e7a5a1097775fb4f69f6f63c6b73c50d6243a8b1f84abc6a4e2d1216145de617491564f4f1bea58bbdcc5ba634c321f03a6df7eda49a7f0c99b78cd8bb977869
-
Filesize
342B
MD53811549d4bcf9c350a2190bfd90189fb
SHA19aa687baac7c8f6a6f89d0afde03dbf5a762821a
SHA25613416de2d0268f9890cc7386e904fe2ee4cb8fcd6775f5f0e9413366b423bceb
SHA5126a088f7ac61ac89c4c633e3477c5a50b3e252a049454c63ba3d3e63ae7fa2b8dc909fba28cbbada26388eab2b3a8576ad1fedfb776b74301c0e79995ebbb8af7
-
Filesize
342B
MD5c8329707f9dc2826567a79f801994e6e
SHA1133dc88fddbb3179e9fde2792ee9c7018f54c854
SHA2564a8c60bcf1121501528472f508d7a3ad5141742b83798f978117942f7cd723a5
SHA512a274b9f87fd5d203e7e1282b442145b28e75e31d2863833bbb82419be8bb3d1c494f3977072c072b3493feba07f98d3025e02ed802eec0595d51cddf50a7b242
-
Filesize
342B
MD5580eb5b4e11ac34bc7332720513f3b58
SHA12b80dbfd9419bb584b0424c2c945e215b97c04e5
SHA25615b7ccac84959df0abad72eb330f88e7b27d07960fd1b4fb8d81082f12d57fd5
SHA5129cd5a555d058d466724f83cac8e029bbbf9b0c4288cbb0ceabd52afdb281b86b42169db10f4d659cb330ec670736f49157db0dc1021bd82a429560278fde9f40
-
Filesize
342B
MD5066e51df1f483d18b215ea2bd0475662
SHA12eeb99607abc7c30a6cadf400ccc4c7a877e133c
SHA256c7bb80a0e3d397ceb65f92e4c43400df073bdbc180479c74b087059004fd3b37
SHA512480368895b38891c0047e492956d7ca6d7180fcf7beb7ea079982ffd679c8eb3fa7e1fdc69bfe30b42615f9585a59c7a1194169b24956fb02d5130d896402449
-
Filesize
342B
MD50e639172a3485a4b76a5c2cb7a0b945f
SHA1a632a81416d32b3af8f4deb0290a6b64a3afaa57
SHA256602e1d4906e57bad98adb639f3feef4468eb57e4eae08f3817e8966e5fc24335
SHA51280f5959cadac69a473e124a0c8034e37b1cd37c6fecd2d1c77a59176a1289cff1e2712cd318a37e56b383bd3f45d0577b6befe58d4a6967fda951e63d4637fc9
-
Filesize
342B
MD59ec74099b4f79338978f005b309859af
SHA1442a511e6201f70dbeb7aa316737b0d55901a997
SHA256af9047d14f73bce4d6241a4cf9eeda38c66cb95e6de239b98c2734933222dd7c
SHA512adb85ca10ff6bc870fa8bab4f95af7836fd73d775b0f736ef44212869557e20890d74d4f46724398db9bd7f16707ea710047213b955f64acdacb151ea5876c50
-
Filesize
342B
MD51416f825826ee18f8303639e2c20d33d
SHA1543293f3dcba2e48591362c08f37cbe3a6b80af9
SHA256aaf187ea45992d3426b27686465803b5b3e79cad3b517d4752fd3e09f763b010
SHA51239c3ffe362a33a1d1031a251af4faf261a8ac1a431fe1a7883e5596e0b0ee9b9fb9acf4a9eeaa516a2e330c5c73a7e46d2dd0d18241a9fe8a9f061fd9f3e3e52
-
Filesize
342B
MD5d50ab5242ef8fe88236ce3f6b9a5bae9
SHA1238722e005962f45457fa070a695132b320a0fda
SHA256a6367e9f345408b882d7b804c890d5f10064c3d7521c910fa198baa2a65028d1
SHA5125871cc48c861191c8495c6dc24c9abae2b1aa5577e6fb305b06d212529af37cd0ab7d634f4fdafc08f8983bfa4a48cf9ba5190d5a9d8152b110eb66241c183ea
-
Filesize
342B
MD50c04c9b6111a89d54208abb1380ad9de
SHA18b7c43a92669346e07a34c890073d366e3332057
SHA2565de1a30d758aeee2147b21417f6945f87defe5a06a509d57c886c3a235281333
SHA512923c3756f98ac8079374a61d6ae9981ed5680e4a9b9ff2f02af32d6264a4483c218516c5249749333bcdfabe1ab4723929334760cdeb00cd0a1fabb6fa833a6a
-
Filesize
342B
MD52c92194bedf889d68a0906be3af2b6dc
SHA17de6e624ae2e53f09502ebb39fdf27d4744be006
SHA256fea2c5242caa11c88f7fcfed14fd86543056f7b5fc541eb5d751a15267057a79
SHA5127d3eca84ee607b3b3bc308c7b205a6e04f61520cbf0c87f86cbb3ca152c478c0456c3fbb5c88d01e8ef9b6742182568552eb916c0d626b5f0c640851e2b807b1
-
Filesize
342B
MD508beb2687a4aa1ebc6ea931d18bba173
SHA194bdf6d142ed2ee06b43500383f9d7d283f49582
SHA256b16c483d2836a19b9b7eb9a515cbb6b92a7da83b3ad0b52b3053dcc79321035c
SHA512d509d96c87203a7c3ec07eb0ff69aad6826d46199004bf14764ab4be8b500528a8e5f6c7c10ec4d321a958b60960d40cb4a054f2565a8c9d5dd7ad3d48931e96
-
Filesize
342B
MD5b6d2635748aa19e16c3789617acb3481
SHA16ddc2ca4dd10700e205ba4b320db009899354975
SHA2563e2922f3806ea9f7fea54258d115abb0e8440859a933f98d7d1c11d6fcc69270
SHA5129b508385f1a1346e7c6f854b2a8f2ddbcbc5fe405f09a7c986368eaf24641624114b717a90a974b13a53bb78e2dcb9d55084da6a6abdeef75d0a55b764dfabb4
-
Filesize
342B
MD548255fda70ab91fe9c5fb40a4efd101b
SHA163cba295c253a87f4a7897cc2005662786284eba
SHA25656ad4bf1455c9762426bfd7951ef24962a32ffb426dd4b42b456b6eddb2d1b54
SHA51264bb8862da746d401e61f50cc0ad37a02ca1a5a596770de3766c931d5152ec0fbc7016ab384119ddaebeee6c59febe27460729a8909394e79d45f64521e1c67e
-
Filesize
342B
MD59a4331278446a4a530b4515dbe6e2d86
SHA1b4be35bb68fd689a57966e5db6b682ef35628722
SHA256504cd4bb5743bc1565bd5154912ca977c1994902cb01fb2520a071804b154bc5
SHA512351b689cb60bdb43629a5a7decc887862129efcef000d8ffb03bed27a3a311dfb9d647b01be2af75fd0f698174f5c03ac749cdd7c547fb448c2fa596afb1c542
-
Filesize
342B
MD588ff3d3a2ad5dbff3de46cfcec525afa
SHA1e9a7b0b23795bdac37d1de6ddc7267b1aaf2a0ab
SHA256c6abaaa77527e5784c02c9439fdac0b1bc1096bb85c31dcd01b7bc7a927bbb65
SHA5129f35ffba475c2cfc8f037c654b89640db73ae0144ae9aec023bd9f5c737ea9ba3328e7a7209f889e85d8216ffd83b384ab900da776b12f23ff2952e11c0faa22
-
Filesize
342B
MD5bd100ea5e961eef99d44c5960a4e4401
SHA12c71c502ae24a0ade78bc7df14531f8c4fa11701
SHA256a801801892df44498e35272775774ee3cc4676ba9a2d0295c3851bf877d22e00
SHA51204cb27f8dfaad7b9afc1a362a6cb5913d9a864b75a0efdb388c16ab0d5d3bd98f16f35766b177e28f89f89b4797e5a1455adc7763901201c2900676c1486b455
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
338KB
MD5de32498d4ccbd96a8957b31d3183a9cd
SHA126c6613d21afea4b60a697e8c5fe61c7822c8845
SHA256d30a54c21d220a2563f750a976c72ec846367df7fa0d338a994222ce5aaeaf50
SHA512d4860efb7d8da2bf3e27afd25db7343409efe9bb23123a686f03eda684a0478165623e743d81d9bbe4fe4b598ecc19ad18142ba9251126209af0e07672acf21e
-
Filesize
184KB
MD599e83f42796e5390063243810c0629de
SHA1a97c9cdff2002fc328a933df1ae3bc67508814ee
SHA256722d3afa33d79b277e4198517084248b25db8dc90207b5ee4fff76dfa2b19fb5
SHA512ecc5e1e8fe8b36dbf2326e182772ca852e155f8deb5562e3ff707538c5b24961c16a44b26737efbd09cc6d38683cf51c1a363e2668c27f7453ffea21eb0a7a2c
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
8KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
