Resubmissions

09/07/2024, 19:21

240709-x2s8ss1blj 10

09/07/2024, 19:14

240709-xxngrazhkp 10

03/07/2024, 09:01

240703-ky8g4awaja 10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/07/2024, 19:14

General

  • Target

    ransom.exe

  • Size

    7.8MB

  • MD5

    648bd793d9e54fc2741e0ba10980c7de

  • SHA1

    f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90

  • SHA256

    102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12

  • SHA512

    d1428b934a360d7f3651947d11081892c93c7cd29a17dc38190cbb46c95939928ac6f805adf586be2937e27fc20aec8bd1fc2c782c681e7e94e9e8d33b8ebf15

  • SSDEEP

    98304:9+v9K8MgmB4oIWcCJ3ZZVL8oYi5lTkZkmla1DXL:S4uWcCT9Gzl

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt

Ransom Note

Greetings. All your files have been encrypted by CyberVolk ransomware. Please never try to recover your files without decryption key which I give you after pay. They could be disappeared You should follow my words. Pay $1000 BTC to below address. My telegram : @hacker7 Our Team : https://t.me/cubervolk We always welcome you and your payment.
URLs

https://t.me/cubervolk

Signatures

  • Renames multiple (1667) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 10 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransom.exe
    "C:\Users\Admin\AppData\Local\Temp\ransom.exe"
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of FindShellTrayWindow
    PID:3708
  • C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM ransom.exe
    • Kills process with taskkill
    • Suspicious use of AdjustPrivilegeToken
    PID:4220
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      PID:1984

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt

      Filesize

      348B

      MD5

      ce7ff0a9361571a2dcb08f50500ace3f

      SHA1

      5d8bed459f55a37e2fcb801d04de337a01c5d623

      SHA256

      894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee

      SHA512

      bba6d46fae5b4099b047b192f7df21fdf01675b09f3da38a365710fc9aa5b126cc6a2c2547be48deecfaa360e1521cf04a9793af083735de4a8cb7be9bd4c52a

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15.cvenc

      Filesize

      37KB

      MD5

      1486522a6b1fa8690c9fdf57af2c3c52

      SHA1

      37c4aebe485d8f99252b5ca471f47dfef978c087

      SHA256

      1ba41e9ef08b8f27aece113faa167283f8445043a745c6352b18ea899d1fc087

      SHA512

      9b112e2b7d9954a4e4c0e3e4fbddf31028d739f7dc59511bbfc747be463c55c6f6679976edf41066a446339bef596911411eee40f55de79187847c2877e2c1e9

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.cvenc

      Filesize

      37KB

      MD5

      13e3e05b9a7e010d5a722fbadffbbf42

      SHA1

      8023caecda04f62529d3a8625b9ad090d66b657a

      SHA256

      c4b054ebf2132016e3f8209ce0615b1525bfed7368ef7c879abc1984c25722c1

      SHA512

      8b0b2425db041698c162ff70489885032f305ec2e29bd5e0008394446c8c9c2702fc5fb76b4772e59dc9d6e153be7cbbe7a96b21a83a1128bff6d621957ed584

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.cvenc

      Filesize

      37KB

      MD5

      d8d548e68fe0e15f8c1ed9dd025d19d5

      SHA1

      e4a3e23663ef938a87cf824e6a5fb54ffb13abf1

      SHA256

      32fc77aa26faa104691ffd74f8cb4296f26ed03fe7e7e8ff8169da0721571336

      SHA512

      731384674452e28a91c8a86bc458472dde34d45ca1f94908e6e7289e6247f1ba3da396fd453f14f374fc09b7b27f8b4270d29bffa0fadcbc1bcf7df0a40add90

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650075481724226.txt.cvenc

      Filesize

      78KB

      MD5

      acb08f6331ee5b249acd65359273e9e2

      SHA1

      61b564ff459403f352adf0f9ecd113f20a97c208

      SHA256

      603fb959046a75ddf4913f6e1fee18f171243789aa2c2eec86bb866c26fd3333

      SHA512

      d463b4cec085ce817783e3b26eccb5c38416514470bac6cd7ed0918b6eacbb07a139f4bca6441633386730375e83cc6749bd48908a14b1829c7d4f14754fa16c

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650077594646987.txt.cvenc

      Filesize

      48KB

      MD5

      9e393e083a96572c9c2c1dc011baa9bd

      SHA1

      0eb7317b7f232793d3d7a93445b381fc9d19d8c2

      SHA256

      26fc27e9264f7fedf6cfa79ca84352e244d16691259349d7c4dae7621b1eec52

      SHA512

      53365071155bedd7645a537b90c734bc9f2f8c4c3e7bc9f8bb4c3d572c57d17eb93bcbb9322c5680b43e34919a3b096cf20077005b5e574104d660392a1afe24

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650083195983942.txt.cvenc

      Filesize

      65KB

      MD5

      1eb763516cfe6c18665ba99f11e0b99e

      SHA1

      b24f2511b0a11c056f4b478eefd8de2149595e25

      SHA256

      9015aaf41354177d92feead3add4daa781164cb9b942148e36e7167be3ed22bf

      SHA512

      8c2e8f70e8cfd48bb77eac0df733d673055aeaa6a2e063878d165bef92cd9b2a2f43b01c155b250ddee73e008572ed0cea6b3b7c176b029d685e08f0ba8ee25a