Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04/09/2024, 12:16
General
-
Target
server.scr.exe
-
Size
150KB
-
MD5
7e503c206e57f0295da017914a957d04
-
SHA1
96c375b9c57292db73c7ef2f2df16cf7be1604bb
-
SHA256
274844568a6a9ce334d71efeac21f528d7b54b2cd4377c978cc1270c6ad986c4
-
SHA512
cd4889ae107c54df854042e030eb431664d4db9d6dc908d1f1910ca49b89d247222f9d19440fcc2d9a120c95b56cd694750072ab9486eea961b8c33391344c1c
-
SSDEEP
3072:6qJogYkcSNm9V7DPaGkxDSzGmblnDPET:6q2kc4m9tDyNDSrdj
Malware Config
Extracted
C:\wlJ8FiR2h.README.txt
lockbit
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (306) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\server.scr.exe"C:\Users\Admin\AppData\Local\Temp\server.scr.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\CF12.tmp"C:\ProgramData\CF12.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CF12.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5c91ada25e60831fa13ba87ced52a83be
SHA12ba53ae50127e52693bf19145e031003872470ea
SHA25664266709899dd750d4c674f44363bb89e67f6c96bcbf1e14b21cbae376475ee3
SHA512c22f4da55b6b7f56376b961e77b1945eba472d444767149bfde1e0f3af3388f0380310a421110f1fd8cbefc9f54683b00b623c059205a4a5c0221fdf77568a02
-
Filesize
150KB
MD53dbf71d5ee3657133f913b171b3380a4
SHA1c09a24fca5e9304b7974bc5b90eb93df825d35a7
SHA2567c761779a52a75528f277df2b09dc9a2ab3cc20642325edba6f20f1343d50fd2
SHA512a2bf84d82d0bd8735751fba404a97ce216247a0c93b1bcb3e71bd58538ce50ddca3d7f34cb8721e32805c73f5146c62b474d0ad129d55db21637553acb7cd9ad
-
Filesize
3KB
MD5b9674de0868a93e9121bdb1d02d80130
SHA179d692fd03d3110a4358e2cc7442af9517489f3f
SHA2569268d24e96639cf4c0e8d74f9769092b415015692ea528820faaded6fc5b052c
SHA512b3264ad33eddedb2c18da883e2345247c762adc8a604991fce931cba06b86c361d23fa121e79d6c69948a2d5b9c1613139f401b971360d9d684abb5a61543c02
-
Filesize
129B
MD5644a4fbde498d52dabe5b0fc87817987
SHA14672f75e476f0f4fd2f682dcde200353180724f1
SHA256bf65191247c98fcccd73b8c8043f02dace24d872a3ddb073130deba01012a498
SHA512c79b1f0148b83cad38e0920d5bf7352bdcf02405c19bcee5b6891f1b9745c534caa1ff433abc722549797c1ae6caf9c06aa43841894fe449a0d310fe1c2e0d6c
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB