Analysis

  • max time kernel
    1799s
  • max time network
    1565s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/07/2024, 19:21

General

  • Target

    21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

  • Size

    235KB

  • MD5

    fac89802b3db89ba74cf8891824af3d6

  • SHA1

    27b57dfdc8b1b265e3755cc0068be846c4c4981e

  • SHA256

    21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061

  • SHA512

    2c604a00446fe4901341a4c8093443cba06fc00ee90a946749c3b66b2205339850740406edd0553ef55a33573599c7e494eb1b0552395d1cd9e54a8d4268b3e5

  • SSDEEP

    3072:thrQ6J0Exp7gW31x+S/EkuIDNGqLW4t5P0tz/aMgb2JpL7Ag0FujYWkcv23nNT3I:tiHgpR31kS8kuIpW60tRPAOs3sc8

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information and their total size must be less than 1Mb

[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price
https://localbitcoins.com/buy_bitcoins

[ATTENTION]
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files

Your ID: j3Tjd3fs1LodjY9VuaKGfXXlKimB5hng1Su5RjgqSss94riM/pzdzewpzY+6tUbDsmby4j+CQhdNcrI1F6eV8gpfbYGHN/qbffoY/8BFqhqo658cH43rpTXTixRrMc6eFz4+UzAQLyLktcDLEe6F+SMBkKYkyJmS+NJxIG8JV6Q=

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (301) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
    "C:\Users\Admin\AppData\Local\Temp\21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      2⤵
      PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      2⤵
      PID:2148
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:2888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      PID:2924
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      2⤵
      PID:2016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      PID:1924
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2092
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!#_READ_ME_#!.inf
      2⤵
      PID:1568
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck

    Filesize

    16B

    MD5

    6341a17163bfe281a2e9fa7a985e0f5f

    SHA1

    6ddd27908cfcb3b9bf1bc2106c14f819d744bf8b

    SHA256

    5069304e78aa759159cc407be3e3bef87c1b919182b701144cbab00d2869c493

    SHA512

    5be574959b7d8ee28caf289b6859d8fd76af5dc65bfe2fe178946c42158444259ffc1e340c18c576faf64812ef2c6761fab7d38acb6a92326d715d3188782508

  • C:\ProgramData\Microsoft\MF\Pending.GRL

    Filesize

    14KB

    MD5

    0aab37846d84c41ac8884aeb3fe3055c

    SHA1

    a0088d090ffa67d5a753cbd3b3018a7cf3e48c0b

    SHA256

    e5ef960db0d6498969ee7198db1828055a0c62014036d72d1834d54446381f55

    SHA512

    a436598c033d7f2658225c7aaca615c481648ecb8441b61a4019899e4aeff35174bd7eca42a4f5d14c3f5213ba025f7fc840a044f9faaa55e8ad78f79df3451b

  • C:\ProgramData\Microsoft\User Account Pictures\user.bmp

    Filesize

    48KB

    MD5

    472218eeac3a3494ff9e932b2b527382

    SHA1

    bcf61341236e86327237dd49bfd4040c143e81dc

    SHA256

    0601c8688fa40e02c14c07d2d59ab91208f5422d9e9bb921f3cfc6ecdbc0fefa

    SHA512

    8713bc4ea809a379d55e71eb02b7fcd27cbc86671c1c09021a8a66e827f12375d39f4f21b5ff776e9bf56eb45abb773cda32480c99d0bbc76afc67bb91b036af

  • C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

    Filesize

    140KB

    MD5

    5ca99cd66116b2bfac6477df9877fa24

    SHA1

    c154ff279518c29076df222b02e5a0f47f082da3

    SHA256

    47009664fef725d9c0ddb12cddc41b1732d88a4613c0f1d0e5120c4e813df7f8

    SHA512

    0cd624ef243b88d834995cd738946881c641ce6d90a0a284a552939afa42bfe9245062b3278d1b60a0a9102e264d96d1f5734f6ade2e7fa03cade8a21d53993b

  • C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

    Filesize

    1KB

    MD5

    467bb9265d25f08a90ac10b7695d4756

    SHA1

    3cdac5e4c31364a98a06e5836d7d1671bb08435d

    SHA256

    0d76a909d93875ebc4480a2af20faf21002d24eeb0f6dada2cd4b0406aa1d2aa

    SHA512

    592a75c99e8e2962366536222840099fbc1817784aea194c1cc41ae3019b0553cec06ab37641b6d9187232183b8e44a70372431dea1fd9967c88fa57032113e6

  • C:\Users\Admin\AppData\Local\Temp\scoped_dir2076_1697866534\1008fba4-e12e-4fb6-b030-9ef025751633.tmp

    Filesize

    88KB

    MD5

    d21d256110dd3ea30116298709c8e7fa

    SHA1

    e10d1fabce19cb8cab3a3f1674936e8ecda0bcb9

    SHA256

    c0753f2dbe04d552630f95f1601a1c1bff886552c9f42bbcd898a13221f4d78d

    SHA512

    a1fe3f7ad7a17eeb838415de34b084783f967eec0c6d291c5f55725f7bb119f311825918a5d10937bfaf06f165359a992cecc28ff0e9d4c7e92140c6fb501da8

  • C:\Users\Admin\AppData\Local\Temp\scoped_dir2076_762273943\de2794d7-234b-41a8-bb47-48c478696e49.tmp

    Filesize

    242KB

    MD5

    bf17a69f87c9069958e3c889859b2ca2

    SHA1

    0a0cee4280b10f1573f65d3ac3d48499ec06db11

    SHA256

    f01a9b6a5fad150e82f4fc7156f5be16071d735faff6685b826cb0396e89876f

    SHA512

    bfbac078236a819877f4f515f1c323eb769d1f1dabcfeb55dc737ed0f30344ee0627d0e490dfa13f4ad44ed9b0d7504668693799691e87bc44a47d5998ca9496

  • C:\Users\Admin\Desktop\InvokeCheckpoint.xlsx

    Filesize

    12KB

    MD5

    f898b5617fbf6a242acf01b9c423b73a

    SHA1

    a45c0704575ae2e99b31fd40bc8a7afe923f3334

    SHA256

    238a73ec4517c68c402f4e8ecc66d8cd7d4790eae9a6a5dd9e0c6e839e53feee

    SHA512

    56d81ad4aa1fe91744e778c231899ecc877b43070f2d2da8a302b9ef703d50782575c8dc3ec0b3d8e00a8225385a4bd4a3e96d280b92e761a3bcb6d967c64253

  • C:\vcredist2010_x64.log.html

    Filesize

    85KB

    MD5

    6122fc930c7792bd8008597511390a07

    SHA1

    41a70b0e75d5c56346cb28153ace8687229b7dff

    SHA256

    77e6edd65a2ed08064f7bfd90b791662d236d18bd89c56e0d5d9644fb21f0603

    SHA512

    479e00228cd6a72aca47857331039584f5f36f39c7cb47120dc9941d53cd6566bffc3fc8091e94e71be6537fab540049b1631bfbcda9ae0ebd9eab1c613c8b7d