Resubmissions
date              analysis ID         score
09/07/2024, 19:21  240709-x2s8ss1blj  10
09/07/2024, 19:14  240709-xxngrazhkp  10
03/07/2024, 09:01  240703-ky8g4awaja  10
Analysis
max time kernel: 220s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09/07/2024, 19:14
Static task: static1
Behavioral task: behavioral1 (sample: ransom.exe, resource: win7-20240708-en)
Behavioral task: behavioral2 (sample: ransom.exe, resource: win10v2004-20240709-en)
General
Target: ransom.exe
Size: 7.8MB
MD5: 648bd793d9e54fc2741e0ba10980c7de
SHA1: f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90
SHA256: 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12
SHA512: d1428b934a360d7f3651947d11081892c93c7cd29a17dc38190cbb46c95939928ac6f805adf586be2937e27fc20aec8bd1fc2c782c681e7e94e9e8d33b8ebf15
SSDEEP: 98304:9+v9K8MgmB4oIWcCJ3ZZVL8oYi5lTkZkmla1DXL:S4uWcCT9Gzl
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\CyberVolk_ReadMe.txt
URL: https://t.me/cubervolk
Signatures
- Renames multiple (867) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file (4 IoCs)
  description / ioc / process:
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  ransom.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc  ransom.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt  ransom.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt  ransom.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (64 IoCs)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by ransom.exe: \??\g:, \??\v:, \??\w:, \??\y:, \??\t:, \??\e:, \??\h:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\z:, \??\i:, \??\o:, \??\p:, \??\q:, \??\r:, \??\x:, \??\a:, \??\b:, \??\s:, \??\u:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp"  ransom.exe