Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 00:32

General

  • Target

    Abrechnung53534.exe

  • Size

    728KB

  • MD5

    c55825824295fb010050e0a8929088dd

  • SHA1

    e3047fa2e4128af1ca2cd5a854a9772421ab185e

  • SHA256

    0a77fc85a49ed22e8a829c57253cffff4af89a690cec2125ebdb53be09f64e86

  • SHA512

    7be00b8a624438b37d7d10b5327accb94e9ed0ab68ff809fd4a18699bf1f64cb6700827431225be366cf2ef4410c90ce314e2256b55bcc474a208de6e2f0b6d8

  • SSDEEP

    12288:cLgIvdjsT2N167Tn/VHbiaPzvLOyx1v2ef0j/uakSB0aA+PmLgaYM:eDvCD7/V+aPzSe1vto/T0aA+a5

Malware Config

Extracted

Path

C:\ProgramData\esufwfj.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:1572
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Sets desktop wallpaper using registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
        "C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
          C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2876
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {9C7FDADA-35B3-4460-B37D-C131F18B845D} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
        C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
          C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows all
            4⤵
            • System Location Discovery: System Language Discovery
            • Interacts with shadow copies
            PID:268
          • C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
            "C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe" -u
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2492
            • C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
              C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:1636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\mbyrakb

      Filesize

      654B

      MD5

      b7e74f18fbe4c22203ef920c56b62aad

      SHA1

      a03874923f4a7b582f1d21e1ec35c6d50de9c2c1

      SHA256

      6ede22127e58f6d197922f72748f735c6b417e85276bd646aea9df93409210f1

      SHA512

      e1066789e81511c39af54f5b622d4994e1a81db54c6c7cada204066fd0be57658825ddc9035f3ce769e385c9fef11b7de9f06b03556e90aa0a0c3267b91b8740

    • C:\ProgramData\Microsoft\mbyrakb

      Filesize

      654B

      MD5

      1b1d1d923ada93f3d904e9a069595790

      SHA1

      c79888baadf1be6e0e4ae3780663202d50b7fe11

      SHA256

      55b10cb01d05c1205d0c97fb6727ea4c13c885992eb240d6ea46224c03d8016f

      SHA512

      46827d44a3bde51019e515578cac8b8dc3020630e27cd1a7f00f1e142a084414df1d829e6175ed60bff51431a224aa30e13d3ebbad7fcd5c814d17c1d8a09aa1

    • C:\ProgramData\Microsoft\mbyrakb

      Filesize

      654B

      MD5

      249791500e858782691b207eeb1bb49a

      SHA1

      e36fbb4699baf5174cf7ce4e95bb8e6c9e61b5fc

      SHA256

      915b66ed9e342a219ea0fabf1c78bb1cb7de35d9990e5ab55d017c9761637074

      SHA512

      aef5cbe63b590b8d9574decad3d63854743417a2f8e4a5899b21492a034e730ddae35eed0691c657f2cf358daf3f623b30c905053a4b0749fc32fc91c5f09b05

    • C:\ProgramData\esufwfj.html

      Filesize

      63KB

      MD5

      e31833b1effcc9575c4c3d36a6f46a13

      SHA1

      867e713701274969f8b5339e1fedc3ab508918a5

      SHA256

      f00129bd1fa87ae21a1bcad8d773179150169b2b823e093c5ccabcdc7cc1ab0b

      SHA512

      06bb374655a93df207ea68e11ced8903902efecb324635de2df47fb8fde2a22eaf3e38c3c19a9d5b0c26f3ed547328c84c0f2ae38c6ebee9b1e4d356b7d48a83

    • C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe

      Filesize

      728KB

      MD5

      c55825824295fb010050e0a8929088dd

      SHA1

      e3047fa2e4128af1ca2cd5a854a9772421ab185e

      SHA256

      0a77fc85a49ed22e8a829c57253cffff4af89a690cec2125ebdb53be09f64e86

      SHA512

      7be00b8a624438b37d7d10b5327accb94e9ed0ab68ff809fd4a18699bf1f64cb6700827431225be366cf2ef4410c90ce314e2256b55bcc474a208de6e2f0b6d8

    • C:\Users\Admin\Desktop\ImportCompare.XLS.hfmkeza

      Filesize

      853KB

      MD5

      73aff8c1c8ddb96a655ed4b9335679c6

      SHA1

      acfb006e56d1fad3989278e5a169bdf8c2c4c917

      SHA256

      9ad69e81bc46f104f12d8fdf2a0b65969b5c1364cf7a4b54d8b0b61da8cc1ab4

      SHA512

      b1d77167c05b0b9582a8ebc35f4bbb967c75cb825688772c2684bb7340b5ff18567ad7d77cf668acb1bbbe726f448940f45fa99f662ce84bf6174723fbfd364e

    • memory/600-41-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/600-40-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/600-51-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/600-43-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/600-281-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/600-44-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/600-1253-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/600-47-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/600-49-0x00000000005B0000-0x0000000000627000-memory.dmp

      Filesize

      476KB

    • memory/2396-0-0x00000000002F0000-0x00000000002F5000-memory.dmp

      Filesize

      20KB

    • memory/2420-20-0x0000000000400000-0x00000000004B6000-memory.dmp

      Filesize

      728KB

    • memory/2640-35-0x0000000000400000-0x00000000004A4400-memory.dmp

      Filesize

      657KB

    • memory/2640-37-0x00000000047C0000-0x0000000004A0B000-memory.dmp

      Filesize

      2.3MB

    • memory/2640-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2640-1265-0x00000000047C0000-0x0000000004A0B000-memory.dmp

      Filesize

      2.3MB

    • memory/2876-5-0x0000000000400000-0x0000000004429000-memory.dmp

      Filesize

      64.2MB

    • memory/2876-7-0x0000000000400000-0x0000000004429000-memory.dmp

      Filesize

      64.2MB

    • memory/2876-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2876-14-0x0000000004600000-0x000000000481A000-memory.dmp

      Filesize

      2.1MB

    • memory/2876-17-0x0000000000401000-0x00000000004A5000-memory.dmp

      Filesize

      656KB

    • memory/2876-15-0x0000000004820000-0x0000000004A6B000-memory.dmp

      Filesize

      2.3MB

    • memory/2876-13-0x0000000000400000-0x0000000004429000-memory.dmp

      Filesize

      64.2MB

    • memory/2876-11-0x0000000000400000-0x0000000004429000-memory.dmp

      Filesize

      64.2MB

    • memory/2876-3-0x0000000000400000-0x0000000004429000-memory.dmp

      Filesize

      64.2MB

    • memory/2876-1-0x0000000000300000-0x0000000000400000-memory.dmp

      Filesize

      1024KB