Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/08/2024, 01:53 UTC

General

  • Target

    3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe

  • Size

    147KB

  • MD5

    11c051782c327c662507801124f0b95b

  • SHA1

    5dd92a1ab1cfc5b73b5dcdb3edd6ea6d498339df

  • SHA256

    3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac

  • SHA512

    239f6eba567c59cf956e4f6c8ffe6588bb2b16ede03e939f79db69ae23631881285475f634780a40f94038035fb1329743c9b57c92a9690ec927f6d372d9ca2e

  • SSDEEP

    1536:GzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDuc1UR7zBEDZhT+IhMjo9Uyz:9qJogYkcSNm9V7DJ1URfqVXmjo9T

Malware Config

Extracted

Path

C:\d093fD6aI.README.txt

Ransom Note
~~~ LockBit 5.01 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.01 = up to 12hr BTC amount 0.02 = up to 24hr BTC amount 0.1 = up 48 hr BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d :not valid after 07/23/2024 10PM EST. Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. You have 12 hours for the transfer, 24 hours for the amount of 0.02, and of course, you can always wait 48 hours and pay 0.1. After that, send a request with confirmation to TOX , faster way! You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: B90F5C1EC3C13400F6D0B22B772C5FAB086F8C41A0C87B92A8B3C7F2ECBBCE191A455140273E
URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Signatures

  • Renames multiple (325) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe
    "C:\Users\Admin\AppData\Local\Temp\3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\ProgramData\7E.tmp
      "C:\ProgramData\7E.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7E.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:860
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini

      Filesize

      129B

      MD5

      aa5602b6addf2cfc4b85dd8be47d9650

      SHA1

      1cf7ba258be69527fa0b7a8db1727151d7ae6b09

      SHA256

      2a20bc24a8dfe3e6d989a8ab0b23840eb79c5fa1413cb65d8caf7b99a0e10e65

      SHA512

      b6e3e2b1c762c6016fbe43b51996002406c2888de452dfdca6ae6847dac20636437e2e4d4b2abc7b3e7b723a1d413d865ae337febd7fbb3f5097c11ebc63048a

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      b09268a454cc950caf5a08ae492f5d09

      SHA1

      0aeb1acc7275ae2f816c5959fdc254200b48e805

      SHA256

      f3f684efe46e9cbb4b9aed5498c44e26c356e42433954d293372f5f5712875c0

      SHA512

      1a21b66ee2ad7596ce25be9ac48764bd287281ae3e49ca4924e655c000921b60fb22caefd02d6131113555af5b16c23d2ece57f3b1b9d51fb0fe7faad92a244e

    • C:\d093fD6aI.README.txt

      Filesize

      1KB

      MD5

      c98594c43506b3f4802ebd608ba6be0f

      SHA1

      d8e090434533229fbdcc104b6a43903bfdf8c081

      SHA256

      804575f74fe5b2f28c181f3413b23a0355693ffd9a2c1e69546bb598ce67ebae

      SHA512

      5e3767a0606dae51c49a41ddfde2dd90a17eb53c79212d46c556141bcc6c54bd1c06348a7077251ff75228a5e3604880cabb1309a68490736203e3c49f5c6cba

    • F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      2f0942f51ada0b5aaf96b08c185cf5f6

      SHA1

      5f500925bb9a69b3cb1d3ff9e106b3f5e0b9a86c

      SHA256

      5cc52477595e7994ca982d33a5c7909229e409d41b72213476da65e076ab3f50

      SHA512

      c39d827711c15a9d88232558b5eaf3e24f862272a45fd30f60436142f4fc4b08917e2768cb8e30a7902343dbe13e9258f60f5952561d20d005a1bfca95bcc4af

    • \ProgramData\7E.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1912-860-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1912-859-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/2116-0-0x00000000021A0000-0x00000000021E0000-memory.dmp

      Filesize

      256KB
