Resubmissions

25/09/2024, 14:01

240925-rb2vcsygnl 10

25/09/2024, 10:29

240925-mh8t2azgnl 10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 10:29

General

  • Target

    GJecwa34.cpl.exe

  • Size

    873KB

  • MD5

    5b2ac6ed9b0830ec7f1c9eb7deb38c66

  • SHA1

    0f1011748dfff6a0d0f0c0b9b8bc045da54080a6

  • SHA256

    92ac711db16da541e06c5195050f6fbd8915255c79ded58f70ba030d37135ceb

  • SHA512

    d1509fbdf410c943b2df1f05f1ece680dbd45b6090b43985707f6ebccf940cf4d384a235838d75df8f72b688c41fbfc0ef41347dee869de2d7e3dd5aa1da68f8

  • SSDEEP

    24576:QLVxajaoPDR60nXKJxrYUrG/fNfhgsqYREh3TR:Q/b3MNJgsqYRed

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] Attach this file in the email

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe
    "C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3168
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\WYgCGu\WYgC\..\..\Windows\WYgC\WYgC\..\..\system32\WYgC\WYgC\..\..\wbem\WYgC\WYgCG\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5140
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\NmbLeQ\NmbL\..\..\Windows\NmbL\NmbL\..\..\system32\NmbL\NmbL\..\..\wbem\NmbL\NmbLe\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6440
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:6560
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:6692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:6716
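
The two wmic.exe command lines above are the part of this tree worth a second look: the image path is padded with throw-away directories and `..` components so that a naive string match on `C:\Windows\system32\wbem\wmic.exe shadowcopy delete` never fires, while the file that actually executes is the real wmic.exe. The cmd.exe child is the usual ping-as-sleep followed by `Del` of the original sample. The following is an added example of detection logic over command lines of this shape; it is not tria.ge's own signature code. The three sample command lines are constructed from the process tree on this page (plus one benign wmic call), the `Verdict`/`analyze`/`scan` names are mine, and the `vssadmin delete shadows` branch is a generalisation to the other common form of T1490 that does not appear in this report.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample command lines modelled on the process tree in this report:
# the padded wmic.exe invocation, the cmd.exe self-delete, and one benign wmic
# call that must not trigger.
SAMPLE_COMMAND_LINES = [
    r"c:\WYgCGu\WYgC\..\..\Windows\WYgC\WYgC\..\..\system32\WYgC\WYgC\..\..\wbem\WYgC\WYgCG\..\..\wmic.exe shadowcopy delete",
    r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"',
    r"C:\Windows\system32\wbem\WMIC.exe process list brief",
]


@dataclass
class Verdict:
    image: str                  # image path after traversal collapse, lowercased
    args: str                   # command-line arguments as seen
    obfuscated_path: bool       # True when normalisation changed the image path
    findings: list = field(default_factory=list)


_QUOTED_IMAGE = re.compile(r'^"([^"]+)"\s*(.*)$', re.S)
# "ping ... & del ... <file>.exe": the delay-then-delete self-removal idiom.
_SELF_DELETE = re.compile(r'\bping\b.*&\s*del\b.*?"?([^"]+\.exe)', re.I | re.S)


def split_image(cmdline: str):
    """Return (image, args) from a Windows command line, honouring a quoted image."""
    cmdline = cmdline.strip()
    m = _QUOTED_IMAGE.match(cmdline)
    if m:
        return m.group(1), m.group(2)
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def normalize_image(image: str) -> str:
    """Collapse '\\dir\\..' padding so the real executable path is compared.

    ntpath is importable on any host OS, so this also works on a Linux SIEM.
    """
    return ntpath.normpath(image).lower()


def analyze(cmdline: str) -> Verdict:
    raw_image, args = split_image(cmdline)
    image = normalize_image(raw_image)
    v = Verdict(image=image, args=args,
                obfuscated_path=(image != raw_image.lower().replace("/", "\\")))
    base = ntpath.basename(image)
    tokens = args.lower().split()

    if v.obfuscated_path:
        v.findings.append("image path padded with '..' traversal components")
    if base == "wmic.exe" and "shadowcopy" in tokens and "delete" in tokens:
        v.findings.append("T1490: shadow copy deletion via wmic shadowcopy delete")
    # Generalisation not present in this report: the vssadmin form of the same TTP.
    if base == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens:
        v.findings.append("T1490: shadow copy deletion via vssadmin delete shadows")
    if base == "cmd.exe":
        m = _SELF_DELETE.search(args)
        if m:
            v.findings.append(f"ping-delayed self-deletion of {m.group(1)}")
    return v


def scan(cmdlines):
    """Return only the verdicts that carry at least one finding."""
    return [v for v in (analyze(c) for c in cmdlines) if v.findings]


if __name__ == "__main__":
    for v in scan(SAMPLE_COMMAND_LINES):
        print(v.image)
        for f in v.findings:
            print("  -", f)
```

The point of `normalize_image` is that matching must happen on the resolved path, not the literal string: both obfuscated invocations collapse to `c:\windows\system32\wbem\wmic.exe`, and the fact that normalisation changed the path at all is itself a finding, since legitimate software does not pad its own image path with `..` hops. The self-delete check is keyed on the `ping … & del …exe` shape rather than on `1.1.1.1`, because the host and timeout vary between samples while the idiom does not.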

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

    Filesize

    4KB

    MD5

    dc5b3c6b7cc3a2665301659223b54f9c

    SHA1

    3e94cc263b721fc82a54d1dc99a266b50694ca8c

    SHA256

    ae5f6123c2282e79eb2e73396459b9037c79b1d415b298aa743d18c69ce7dadf

    SHA512

    acfdcc2786f15669a2e9ec25e5585bcab24ca82bf0287ab3d2f27a0d7e4418fa8b07568db45640b67554c6dcb0f6d448669d2abf395294b6101448a4307d6513