Resubmissions
- 09/07/2024, 19:21: 240709-x2s8ss1blj (score 10)
- 09/07/2024, 19:14: 240709-xxngrazhkp (score 10)
- 03/07/2024, 09:01: 240703-ky8g4awaja (score 10)
Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2024, 19:14
Static task: static1
Behavioral task: behavioral1
- Sample: ransom.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: ransom.exe
- Resource: win10v2004-20240709-en
General
- Target: ransom.exe
- Size: 7.8MB
- MD5: 648bd793d9e54fc2741e0ba10980c7de
- SHA1: f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90
- SHA256: 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12
- SHA512: d1428b934a360d7f3651947d11081892c93c7cd29a17dc38190cbb46c95939928ac6f805adf586be2937e27fc20aec8bd1fc2c782c681e7e94e9e8d33b8ebf15
- SSDEEP: 98304:9+v9K8MgmB4oIWcCJ3ZZVL8oYi5lTkZkmla1DXL:S4uWcCT9Gzl
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt
https://t.me/cubervolk
Signatures
- Renames multiple (1667) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (10 IoCs)
  File opened for modification by ransom.exe:
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  - C:\Users\Admin\3D Objects\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  - \??\f:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by ransom.exe: \??\k:, \??\n:, \??\p:, \??\u:, \??\y:, \??\e:, \??\g:, \??\i:, \??\t:, \??\v:, \??\w:, \??\z:, \??\h:, \??\m:, \??\s:, \??\l:, \??\q:, \??\a:, \??\b:, \??\j:, \??\o:, \??\r:, \??\x:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str) by ransom.exe: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp"
- Kills process with taskkill (1 IoC)
  PID 4220: taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4220: taskkill.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 3708: ransom.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ransom.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ransom.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Suspicious use of FindShellTrayWindow
  PID: 3708
- C:\Windows\System32\taskkill.exe
  Command line: "C:\Windows\System32\taskkill.exe" /F /IM ransom.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 4220
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1984
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 348B
  MD5: ce7ff0a9361571a2dcb08f50500ace3f
  SHA1: 5d8bed459f55a37e2fcb801d04de337a01c5d623
  SHA256: 894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee
  SHA512: bba6d46fae5b4099b047b192f7df21fdf01675b09f3da38a365710fc9aa5b126cc6a2c2547be48deecfaa360e1521cf04a9793af083735de4a8cb7be9bd4c52a
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15.cvenc
  Filesize: 37KB
  MD5: 1486522a6b1fa8690c9fdf57af2c3c52
  SHA1: 37c4aebe485d8f99252b5ca471f47dfef978c087
  SHA256: 1ba41e9ef08b8f27aece113faa167283f8445043a745c6352b18ea899d1fc087
  SHA512: 9b112e2b7d9954a4e4c0e3e4fbddf31028d739f7dc59511bbfc747be463c55c6f6679976edf41066a446339bef596911411eee40f55de79187847c2877e2c1e9
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.cvenc
  Filesize: 37KB
  MD5: 13e3e05b9a7e010d5a722fbadffbbf42
  SHA1: 8023caecda04f62529d3a8625b9ad090d66b657a
  SHA256: c4b054ebf2132016e3f8209ce0615b1525bfed7368ef7c879abc1984c25722c1
  SHA512: 8b0b2425db041698c162ff70489885032f305ec2e29bd5e0008394446c8c9c2702fc5fb76b4772e59dc9d6e153be7cbbe7a96b21a83a1128bff6d621957ed584
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.cvenc
  Filesize: 37KB
  MD5: d8d548e68fe0e15f8c1ed9dd025d19d5
  SHA1: e4a3e23663ef938a87cf824e6a5fb54ffb13abf1
  SHA256: 32fc77aa26faa104691ffd74f8cb4296f26ed03fe7e7e8ff8169da0721571336
  SHA512: 731384674452e28a91c8a86bc458472dde34d45ca1f94908e6e7289e6247f1ba3da396fd453f14f374fc09b7b27f8b4270d29bffa0fadcbc1bcf7df0a40add90
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650075481724226.txt.cvenc
  Filesize: 78KB
  MD5: acb08f6331ee5b249acd65359273e9e2
  SHA1: 61b564ff459403f352adf0f9ecd113f20a97c208
  SHA256: 603fb959046a75ddf4913f6e1fee18f171243789aa2c2eec86bb866c26fd3333
  SHA512: d463b4cec085ce817783e3b26eccb5c38416514470bac6cd7ed0918b6eacbb07a139f4bca6441633386730375e83cc6749bd48908a14b1829c7d4f14754fa16c
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650077594646987.txt.cvenc
  Filesize: 48KB
  MD5: 9e393e083a96572c9c2c1dc011baa9bd
  SHA1: 0eb7317b7f232793d3d7a93445b381fc9d19d8c2
  SHA256: 26fc27e9264f7fedf6cfa79ca84352e244d16691259349d7c4dae7621b1eec52
  SHA512: 53365071155bedd7645a537b90c734bc9f2f8c4c3e7bc9f8bb4c3d572c57d17eb93bcbb9322c5680b43e34919a3b096cf20077005b5e574104d660392a1afe24
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650083195983942.txt.cvenc
  Filesize: 65KB
  MD5: 1eb763516cfe6c18665ba99f11e0b99e
  SHA1: b24f2511b0a11c056f4b478eefd8de2149595e25
  SHA256: 9015aaf41354177d92feead3add4daa781164cb9b942148e36e7167be3ed22bf
  SHA512: 8c2e8f70e8cfd48bb77eac0df733d673055aeaa6a2e063878d165bef92cd9b2a2f43b01c155b250ddee73e008572ed0cea6b3b7c176b029d685e08f0ba8ee25a