Analysis

  • max time kernel
    64s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/09/2024, 13:39 UTC

General

  • Target

    scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe

  • Size

    159KB

  • MD5

    80f4a1d42e2d4205cedf96909091cf84

  • SHA1

    b9500d8a20ea3831f0843ca8636be11fef836625

  • SHA256

    9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163

  • SHA512

    42168abc5f69ea35756fa71e1fd49c47b20b4111fc13e4593ae55f576e7f3d9d6583213547cbb01c245e7616b542ee160caa96022ca561eaf290db8818035fd3

  • SSDEEP

    3072:/V2UzNeZWtTsi2OHAXDCtY6cgtz45qS7IfJJoSl:NHReZETV2UAXDzb2icl

Malware Config

Extracted

Path

C:\Program Files\7-Zip\!!readme!!!.txt

Family

underground

Ransom Note
The Underground team welcomes you! We would like to inform that your network has been tested by us for vulnerabilities. Poor network security could cause your data to be lost forever, including backups. Your files are currently encrypted, but don't worry, they can be restored to their original state with a decryptor key that only we have. The key is in a single copy on our server. Attempting to recover data by your own efforts may result in data loss. It is important not to change their current state. Each file additionally has a unique cipher, which you can restore only with our help. DO NOT reboot or turn off storage media.

If you do not contact us within 3 days, or we cannot reach an agreement, information about data leaks is bound to get into the media. Your company's reputation will be damaged.

Sources of downloaded information:
- company financial documents, password protected financial documents (passwords selected)
- personal data on employees (passports, SSN's, ID's, W9-forms, payrolls, medical information, contracts of employment, drivers licenses)
- personal information on directors
- shareholder documents
- insurance documents
- documents and drawings marked confidential
- NDA's and Confidentiality Undertaking
- project documentation (project specifications, confidential drawings, contracts, customer correspondence, financial documents)
- information and correspondence on classified projects (Project X, project Omaha, military projects)

Total size of downloaded data about 500 GB. A data breach is a violation of the law and has serious legal and business ramifications.

Personal data leakage is subject to: the EU's General Data Protection Regulation (GDPR), South Africa's Protection of Personal Information Act (POPIA), State Data Breach Notification Laws and State Privacy Legislation in the USA (including California Consumer Privacy Act, California Privacy Rights Act, Virginia Consumer Data Protection Act), other laws and regulations pertaining to the protection of confidential data.

We value and respect every business, including yours. Therefore, we suggest you avoid further negative consequences and return to your work as soon as possible. We guarantee a fair and confidential deal in the shortest possible time. You will not only receive a decryptor, but also a description of your network vulnerabilities and information security recommendations. If necessary, you will be provided with qualified data recovery assistance. You can trust us! Reputation is important to everyone. As a proof of our statements, we are ready to restore some files for free and demonstrate how our product works. We can also provide you with a list of the files we have.

Best regards, Underground team !

Contacts for communication via chat: login to your account (Tor Browser) http://ehehqyhw3iev2vfso4vqs7kcrzltfebe5vbimq62p2ja7pslczs3q6qd.onion/
your login: cochranesteel
your password: 36CC711944AFE198B7E65159DC8612CE
ID 11e45324k66n1lem2a234nz3kfbna1e4 cf983dad2db4f3b000586ca371cfcd4e
URLs

http://ehehqyhw3iev2vfso4vqs7kcrzltfebe5vbimq62p2ja7pslczs3q6qd.onion/

Signatures

  • Underground Team

    Underground Team is a ransomware family first seen in July 2023 that is primarily distributed by exploiting vulnerabilities.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 30 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry key 1 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe
    "C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2204
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / f
      2⤵
      • Modifies registry key
      PID:2256
    • C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop MSSQLSERVER /f /m
        3⤵
          PID:764
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        2⤵
        • Interacts with shadow copies
        PID:1636
      • C:\Windows\System32\reg.exe
        "C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / f
        2⤵
        • Modifies registry key
        PID:4076
      • C:\Windows\System32\net.exe
        "C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:8
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop MSSQLSERVER /f /m
          3⤵
            PID:1396
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!readme!!!.txt
        1⤵
          PID:4832

        Network

        • DNS
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dnsgoogle
        • DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
          Response
        • DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • DNS
          154.239.44.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          154.239.44.20.in-addr.arpa
          IN PTR
          Response
        • DNS
          64.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          64.159.190.20.in-addr.arpa
          IN PTR
          Response
        • DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • DNS
          86.23.85.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          86.23.85.13.in-addr.arpa
          IN PTR
          Response
        • DNS
          198.187.3.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          198.187.3.20.in-addr.arpa
          IN PTR
          Response
        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          66 B
          90 B
          1
          1

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          149.220.183.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          149.220.183.52.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          154.239.44.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          154.239.44.20.in-addr.arpa

        • 8.8.8.8:53
          64.159.190.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          64.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          86.23.85.13.in-addr.arpa
          dns
          70 B
          144 B
          1
          1

          DNS Request

          86.23.85.13.in-addr.arpa

        • 8.8.8.8:53
          198.187.3.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          198.187.3.20.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\7-Zip\!!readme!!!.txt

          Filesize

          2KB

          MD5

          e3adffe7c5c5a0512861866a9fac99d0

          SHA1

          4e1bd7b5ac85d977354ef69aefa30b333e767a17

          SHA256

          64baeebbf072ee1995a696b055beb290ec8adcf85a5104b3fe9c87d1ae5e2bd0

          SHA512

          5653fb12d3d90d633be01720059339fa447c0e186d279db83e39025fd8b6bf0da8529a638c27151c0b3ca2ef3cd4f9c9efa85416fe35ec0c678facb2e4e0d5e6

        • C:\Users\Admin\Desktop\desktop.ini

          Filesize

          428B

          MD5

          2131f4290ef7cbf1a98893ed6b405662

          SHA1

          ee8fe2b9cf8c1df5d9379bc85720773cc860eec1

          SHA256

          1c0a0a78b4e97e4751095a014120b1252ebfbb74c3afc6f9b8003965e2234827

          SHA512

          f93cf58be0862f6b8201db2834d4110cb7359122566e442e665811fd2d9a8524973dcc6fb94b18534a13e86d0c9e1c76b417f39f93bbb2de6358c642bfd30e51
