Analysis

  • max time kernel: 99s
  • max time network: 127s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10/08/2024, 16:10

General

  • Target: setup.exe
  • Size: 146KB
  • MD5: ef531da468065fc649d072824c9a76e2
  • SHA1: 93c35e2e7f4915645479f6ae680683dcb3d9bc54
  • SHA256: d12c35c8825aad5b09855a89102236774ca847a7559132c4e9d92aaf69772815
  • SHA512: 4c212df24e00fb7d93a5d26f27c3c0628cd7dbea67d7ee72844d1de5d6c5713860e423a01a8226da825882507f5982a06d01d8677e8bb26c66a43f131dac7894
  • SSDEEP: 1536:IzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDjkxB81Hd8lQG9XtPmSQVwpdNIQ:XqJogYkcSNm9V7DjQPQGfjLpjIa1tT

Malware Config

Extracted

  • Path: C:\xgU6NOijB.README.txt
  • Ransom Note:
    !!! ALL YOUR FILES ARE ENCRYPTED!!! All your files, documents, photos, databases and other important files are encrypted. The only way to recover your files is to use a decryptor. To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter: Email: [email protected] Telegram: https://t.me/bit_decryptor Warning. * Do not rename encrypted files. * Do not attempt to decrypt data using third party software as this may result in permanent data loss. * Do not contact other people, only we can help you and recover your data. Your personal decryption ID: 8F1D8AE5590CFFAADFD183C34CCDCB2D
  • URLs: https://t.me/bit_decryptor

Signatures

  • Renames multiple (599) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID: 3648
    • C:\ProgramData\7417.tmp
      "C:\ProgramData\7417.tmp"
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID: 2412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7417.tmp >> NUL
        • System Location Discovery: System Language Discovery
        PID: 4576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\MMMMMMMMMMM
    Filesize: 129B
    MD5: e8aac33fd999efbb204456a52473b7fc
    SHA1: 55255139cd8e1cf8a63be5389083550f4cb84b00
    SHA256: cb729bd62f2d6686092287d1abb855ff2f463fdd65240ddf8dcbb8655e8407ea
    SHA512: 0deeadc9efbaab2adc80b659c812c7c1258bee655dd726ae5bbe2236e380f8393d8b907e63573d9fd32c8a024d94e143434c2af5a3635def70fa111350a42b8b

  • C:\ProgramData\7417.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDD
    Filesize: 146KB
    MD5: 5a715fbbc2f54c29ee83cfcf7134b6a4
    SHA1: 7615ac4c2ce586bd416816ae0e5db429fd7806dc
    SHA256: 38d7c6b0a29d18edd236b2911eb162393184c0c43fee9241b61edfcb9ad56b77
    SHA512: 335caa5aa19b2733e07e02c738655353a8e7defa5b7626767a1947a0c097aa606c62086080b6f25292a378acda116de9dfd91d795cac27a5520cdff7645b360d

  • C:\xgU6NOijB.README.txt
    Filesize: 659B
    MD5: 762abaf45da9481f8cfada8043b345d0
    SHA1: 6fe3ca0aeef4d68b402302b434b1c6fac35d61ab
    SHA256: 686cc5583b9635d5cbdf24e530decd3d9b8fc0b00ac97c2b9caa14ed4f5bcbd0
    SHA512: 3619686907603d090c7b3a323679a7a45f15141e6169f808ac5ea8e5bf7c358277e7a91e90b653f9e639ab36529ce6238d6bfe60bf394e97c6ace0809dffa1d8

  • F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: e7602c5c8d0da93f51607fea13fdd96f
    SHA1: e85bd5551f7762a35219cee30197cc599097202c
    SHA256: 0701831669a8b0634661d1eee90d3640ff9372b4ab2e09c6eff9786c4c498d7b
    SHA512: 7806ea352740569584c72534179038324def8a0f86ae8c6cb534ddd13d02cacb8a8120877ba6b3905441a9dc8b871323770121a5f31bb35eb44a727ee8a09056

  • memory/2412-2785-0x000000007FDC0000-0x000000007FDC1000-memory.dmp (Filesize: 4KB)
  • memory/2412-2781-0x000000007FE40000-0x000000007FE41000-memory.dmp (Filesize: 4KB)
  • memory/2412-2784-0x000000007FE20000-0x000000007FE21000-memory.dmp (Filesize: 4KB)
  • memory/2412-2783-0x00000000026B0000-0x00000000026C0000-memory.dmp (Filesize: 64KB)
  • memory/2412-2782-0x00000000026B0000-0x00000000026C0000-memory.dmp (Filesize: 64KB)
  • memory/2412-2815-0x000000007FE00000-0x000000007FE01000-memory.dmp (Filesize: 4KB)
  • memory/2412-2814-0x000000007FDE0000-0x000000007FDE1000-memory.dmp (Filesize: 4KB)
  • memory/3648-2-0x0000000002810000-0x0000000002820000-memory.dmp (Filesize: 64KB)
  • memory/3648-0-0x0000000002810000-0x0000000002820000-memory.dmp (Filesize: 64KB)
  • memory/3648-1-0x0000000002810000-0x0000000002820000-memory.dmp (Filesize: 64KB)