Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
99s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10/08/2024, 16:10
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20240802-en
General
-
Target
setup.exe
-
Size
146KB
-
MD5
ef531da468065fc649d072824c9a76e2
-
SHA1
93c35e2e7f4915645479f6ae680683dcb3d9bc54
-
SHA256
d12c35c8825aad5b09855a89102236774ca847a7559132c4e9d92aaf69772815
-
SHA512
4c212df24e00fb7d93a5d26f27c3c0628cd7dbea67d7ee72844d1de5d6c5713860e423a01a8226da825882507f5982a06d01d8677e8bb26c66a43f131dac7894
-
SSDEEP
1536:IzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDjkxB81Hd8lQG9XtPmSQVwpdNIQ:XqJogYkcSNm9V7DjQPQGfjLpjIa1tT
Malware Config
Extracted
C:\xgU6NOijB.README.txt
https://t.me/bit_decryptor
Signatures
-
Renames multiple (599) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation 7417.tmp -
Deletes itself 1 IoCs
pid Process 2412 7417.tmp -
Executes dropped EXE 1 IoCs
pid Process 2412 7417.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini setup.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini setup.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2412 7417.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7417.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe 3648 setup.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp 2412 7417.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeDebugPrivilege 3648 setup.exe Token: 36 3648 setup.exe Token: SeImpersonatePrivilege 3648 setup.exe Token: SeIncBasePriorityPrivilege 3648 setup.exe Token: SeIncreaseQuotaPrivilege 3648 setup.exe Token: 33 3648 setup.exe Token: SeManageVolumePrivilege 3648 setup.exe Token: SeProfSingleProcessPrivilege 3648 setup.exe Token: SeRestorePrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSystemProfilePrivilege 3648 setup.exe Token: SeTakeOwnershipPrivilege 3648 setup.exe Token: SeShutdownPrivilege 3648 setup.exe Token: SeDebugPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeBackupPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe Token: SeSecurityPrivilege 3648 setup.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3648 wrote to memory of 2412 3648 setup.exe 93 PID 3648 wrote to memory of 2412 3648 setup.exe 93 PID 3648 wrote to memory of 2412 3648 setup.exe 93 PID 3648 wrote to memory of 2412 3648 setup.exe 93 PID 2412 wrote to memory of 4576 2412 7417.tmp 94 PID 2412 wrote to memory of 4576 2412 7417.tmp 94 PID 2412 wrote to memory of 4576 2412 7417.tmp 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\ProgramData\7417.tmp"C:\ProgramData\7417.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7417.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:4576
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5e8aac33fd999efbb204456a52473b7fc
SHA155255139cd8e1cf8a63be5389083550f4cb84b00
SHA256cb729bd62f2d6686092287d1abb855ff2f463fdd65240ddf8dcbb8655e8407ea
SHA5120deeadc9efbaab2adc80b659c812c7c1258bee655dd726ae5bbe2236e380f8393d8b907e63573d9fd32c8a024d94e143434c2af5a3635def70fa111350a42b8b
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
146KB
MD55a715fbbc2f54c29ee83cfcf7134b6a4
SHA17615ac4c2ce586bd416816ae0e5db429fd7806dc
SHA25638d7c6b0a29d18edd236b2911eb162393184c0c43fee9241b61edfcb9ad56b77
SHA512335caa5aa19b2733e07e02c738655353a8e7defa5b7626767a1947a0c097aa606c62086080b6f25292a378acda116de9dfd91d795cac27a5520cdff7645b360d
-
Filesize
659B
MD5762abaf45da9481f8cfada8043b345d0
SHA16fe3ca0aeef4d68b402302b434b1c6fac35d61ab
SHA256686cc5583b9635d5cbdf24e530decd3d9b8fc0b00ac97c2b9caa14ed4f5bcbd0
SHA5123619686907603d090c7b3a323679a7a45f15141e6169f808ac5ea8e5bf7c358277e7a91e90b653f9e639ab36529ce6238d6bfe60bf394e97c6ace0809dffa1d8
-
Filesize
129B
MD5e7602c5c8d0da93f51607fea13fdd96f
SHA1e85bd5551f7762a35219cee30197cc599097202c
SHA2560701831669a8b0634661d1eee90d3640ff9372b4ab2e09c6eff9786c4c498d7b
SHA5127806ea352740569584c72534179038324def8a0f86ae8c6cb534ddd13d02cacb8a8120877ba6b3905441a9dc8b871323770121a5f31bb35eb44a727ee8a09056