Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions (analysis ID, submitted, score)

  • 240709-x2s8ss1blj, 09/07/2024 19:21, score 10
  • 240709-xxngrazhkp, 09/07/2024 19:14, score 10
  • 240703-ky8g4awaja, 03/07/2024 09:01, score 10

Analysis

  • max time kernel
    220s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/07/2024, 19:14

General

  • Target

    ransom.exe

  • Size

    7.8MB

  • MD5

    648bd793d9e54fc2741e0ba10980c7de

  • SHA1

    f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90

  • SHA256

    102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12

  • SHA512

    d1428b934a360d7f3651947d11081892c93c7cd29a17dc38190cbb46c95939928ac6f805adf586be2937e27fc20aec8bd1fc2c782c681e7e94e9e8d33b8ebf15

  • SSDEEP

    98304:9+v9K8MgmB4oIWcCJ3ZZVL8oYi5lTkZkmla1DXL:S4uWcCT9Gzl

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\CyberVolk_ReadMe.txt

Ransom Note
Greetings. All your files have been encrypted by CyberVolk ransomware. Please never try to recover your files without decryption key which I give you after pay. They could be disappeared� You should follow my words. Pay $1000 BTC to below address. My telegram : @hacker7 Our Team : https://t.me/cubervolk We always welcome you and your payment.
URLs

https://t.me/cubervolk

Signatures

  • Renames multiple (867) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system. (The appended extension in this run is .cvenc; see the dropped files below.)

  • Drops startup file (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (64 IoCs)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)

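The signatures above describe what a responder would look for on a suspected host: files renamed with the appended .cvenc extension, the CyberVolk_ReadMe.txt note, and the Telegram contact in the note. The following Python script is an added example written for this page, not tria.ge's own code or the sample's: it walks a directory tree, collects those artifacts, recovers the pre-encryption filenames by stripping the extension, and compares any note it finds against the SHA256 recorded for the note in this report. The regular expression, the function names and the constructed sample tree are assumptions; the extension, note name and hash are taken from the report.

```python
"""Hunt a file tree for the CyberVolk artifacts listed in this report:
.cvenc-renamed files, CyberVolk_ReadMe.txt ransom notes, and the contact
URL inside the note.  The victim tree is constructed below so the script
runs offline (sample data, not from a real host)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".cvenc"              # extension the sample appends (from the report)
NOTE_NAME = "CyberVolk_ReadMe.txt"    # ransom note filename (from the report)
# SHA256 of the dropped note as recorded in this analysis
NOTE_SHA256 = "894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee"
URL_RE = re.compile(r"https?://t\.me/\S+")   # assumption: contact is a t.me link


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 so large encrypted blobs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str) -> dict:
    """Walk root and collect encrypted files, ransom notes and contact URLs."""
    encrypted, notes, urls = [], [], set()
    note_hash_match = False
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(str(p))
            elif name == NOTE_NAME:
                notes.append(str(p))
                text = p.read_text(encoding="utf-8", errors="replace")
                urls.update(URL_RE.findall(text))
                if sha256_of(p) == NOTE_SHA256:
                    note_hash_match = True
    # Only the original name is recoverable by stripping the extension;
    # the file content itself is still encrypted.
    originals = sorted(os.path.basename(e)[: -len(ENCRYPTED_EXT)] for e in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "contact_urls": sorted(urls),
        "original_names": originals,
        "note_matches_report_hash": note_hash_match,
    }


def build_sample_tree() -> str:
    """Construct a small victim-like tree (test data, not from a real host)."""
    root = tempfile.mkdtemp(prefix="cybervolk_demo_")
    prof = Path(root) / "Users" / "Admin" / "AppData" / "Local"
    note_dir = prof / "Adobe" / "Acrobat" / "9.0"
    chrome_dir = prof / "Google" / "Chrome" / "User Data" / "Default"
    note_dir.mkdir(parents=True)
    chrome_dir.mkdir(parents=True)
    # "Encrypted" files: opaque bytes carrying the appended extension
    (chrome_dir / "CURRENT.cvenc").write_bytes(os.urandom(64))
    (note_dir / "desktop.ini.cvenc").write_bytes(os.urandom(64))
    (prof / "report.docx").write_bytes(b"untouched")   # a file the sample left alone
    # Constructed note carrying the contact URL seen in the extracted config
    (note_dir / NOTE_NAME).write_text(
        "Greetings. All your files have been encrypted by CyberVolk ransomware. "
        "Pay $1000 BTC. Our Team : https://t.me/cubervolk\n",
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    for key, value in hunt(build_sample_tree()).items():
        print(f"{key}: {value}")
```

On a real host, point hunt() at the drive root rather than the constructed tree; the note hash will only match if the note is byte-identical to the 348-byte file recorded above, so treat a mismatch as "different note text", not "not CyberVolk".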
Processes

  • C:\Users\Admin\AppData\Local\Temp\ransom.exe (PID 1676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ransom.exe"
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc

    Filesize

    141KB

    MD5

    326aa00827efe87c4fc21fadcf383387

    SHA1

    5f8d3ed904901c9b43fe237dc710fff6dac59b42

    SHA256

    e89a8368e3e63b3fa90cba24e754d50f694d699d4e28a14e0320f25f551f24a1

    SHA512

    fa814e969418881b4dd2b5482c0dee6295e9f1d41da396e427857c57ee02cffab90e93d9b1d589779da62aaa16dfe0384589faa25803e75d28192d2a2b356d21

  • C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\CyberVolk_ReadMe.txt

    Filesize

    348B

    MD5

    ce7ff0a9361571a2dcb08f50500ace3f

    SHA1

    5d8bed459f55a37e2fcb801d04de337a01c5d623

    SHA256

    894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee

    SHA512

    bba6d46fae5b4099b047b192f7df21fdf01675b09f3da38a365710fc9aa5b126cc6a2c2547be48deecfaa360e1521cf04a9793af083735de4a8cb7be9bd4c52a

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc

    Filesize

    1KB

    MD5

    ba8060a9ce8484b51b2ea02c12c4520a

    SHA1

    1e1c17f5290c22e229ebfbb0c2473c440fbe0125

    SHA256

    39f0bec1346f77f9874e6a288ff9a1309cf6b6bfb8f2a177834db6e22213de7d

    SHA512

    88df6b805a2c044354fc8bdbf213eb86393f50866ded28fbce3a4679d75e806d4066422d17913312619ce964fe79e7300b41c53efff1f1689b5924588126fb33

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WO2S841R\desktop.ini.cvenc

    Filesize

    1KB

    MD5

    504b24f5ea1cab7141f82ee82dbb5d1f

    SHA1

    165fada9525d3a2ded084328f85e437e727ffee9

    SHA256

    0b1f517dbcdbf963143b4500662faa423135cad48733ef5d602f650fe4be5686

    SHA512

    f0b99e4fcf65b0942b4d8168aa32a2d7893fda3bce2fe7ae5f5b52b0db917a0df0c5f38ca7fe0dfd6106dfb361ac0fbbbaf8823d5415f28d00cc3d6c1bdf3d1b

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.cvenc

    Filesize

    29KB

    MD5

    597ce1db6e199ad32df77db9420350d9

    SHA1

    574c5cb5f70c421e6bed9054edff4349ba62f874

    SHA256

    dd0bf04fa72d4451bf475d10f2d97306fc3f5bfb66be044bbe8b2efdf5ef5b53

    SHA512

    4e226157bec9cf6dc62fbb678543d368d16cc88c4bb2a5b1257d8adb87eee014d8f8a493644d648301162b9ef2dd904c2b6029c023d25e9d9af99b5b2e1cdebe

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9BYGROA\desktop.ini.cvenc

    Filesize

    1KB

    MD5

    cfb667372d4d1bb70186af67f5116f23

    SHA1

    6c80ad6f6f9ee375b656dca8cb91abefefb146b7

    SHA256

    22460d659105b5902582b8ec6eeb77d2e18eda77b9e36ea9e4c2c5f14735723b

    SHA512

    2d4cb0ea159c28f115548525ac40d77e8cbefe90d4f2f59f2527d80d11fb6ad66abe4208647ed35d6b9bf7d81c568c05682e97af21b75c5bcdef03419e51df50

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc

    Filesize

    49KB

    MD5

    845b2000d0c9b30aa69cc6904068ed42

    SHA1

    b657fe27a45efbba26b72c5d2a73b3cf869256c5

    SHA256

    48c9b0702a6c3a5b7bbde9ce71d18852a1df2d384a9df4fa5219004e34dc92f4

    SHA512

    c6198a7b487b736e461ab843e7b24cd37590b074b575754d125414ca30be3e3910611cd2be2ea44cac13e05c42c1faf0e36e3a86bebb797445158a1d57fbfe18