Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 00:32
Static task: static1
Behavioral task: behavioral1
  Sample: Abrechnung53534.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Abrechnung53534.exe
  Resource: win10v2004-20241007-en
General
Target: Abrechnung53534.exe
Size: 728KB
MD5: c55825824295fb010050e0a8929088dd
SHA1: e3047fa2e4128af1ca2cd5a854a9772421ab185e
SHA256: 0a77fc85a49ed22e8a829c57253cffff4af89a690cec2125ebdb53be09f64e86
SHA512: 7be00b8a624438b37d7d10b5327accb94e9ed0ab68ff809fd4a18699bf1f64cb6700827431225be366cf2ef4410c90ce314e2256b55bcc474a208de6e2f0b6d8
SSDEEP: 12288:cLgIvdjsT2N167Tn/VHbiaPzvLOyx1v2ef0j/uakSB0aA+PmLgaYM:eDvCD7/V+aPzSe1vto/T0aA+a5
Malware Config
Extracted from: C:\ProgramData\esufwfj.html
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion
Signatures
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation | xjlvlhd.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2420 | xjlvlhd.exe
  2640 | xjlvlhd.exe
  2492 | xjlvlhd.exe
  1636 | xjlvlhd.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2420 | xjlvlhd.exe
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\F: | svchost.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | xjlvlhd.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-hfmkeza.bmp" | Explorer.EXE
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2396 set thread context of 2876 | 2396 | Abrechnung53534.exe | 30
  PID 2420 set thread context of 2640 | 2420 | xjlvlhd.exe | 33
  PID 2492 set thread context of 1636 | 2492 | xjlvlhd.exe | 39
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hfmkeza.txt | svchost.exe
  File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hfmkeza.bmp | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xjlvlhd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vssadmin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xjlvlhd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xjlvlhd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abrechnung53534.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xjlvlhd.exe
- Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  268 | vssadmin.exe
- Modifies Internet Explorer settings (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main | xjlvlhd.exe
  Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | xjlvlhd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | xjlvlhd.exe
- Modifies data under HKEY_USERS (23 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{04c3f2a4-3a83-11ef-b02c-806e6f6e6963} | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{04c3f2a4-3a83-11ef-b02c-806e6f6e6963}\MaxCapacity = "14116" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{04c3f2a4-3a83-11ef-b02c-806e6f6e6963}\NukeOnDelete = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a90e0081-3a4b-11ef-b4fb-ea829b7a1c2a}\MaxCapacity = "2047" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a90e0081-3a4b-11ef-b4fb-ea829b7a1c2a}\NukeOnDelete = "0" | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00300034006300330066003200610034002d0033006100380033002d0031003100650066002d0062003000320063002d003800300036006500360066003600650036003900360033007d00000030002c007b00610039003000650030003000380031002d0033006100340062002d0031003100650066002d0062003400660062002d006500610038003200390062003700610031006300320061007d0000000000 | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a90e0081-3a4b-11ef-b4fb-ea829b7a1c2a} | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  2396 | Abrechnung53534.exe
  2876 | Abrechnung53534.exe
  2420 | xjlvlhd.exe
  2640 | xjlvlhd.exe (4 times)
  2492 | xjlvlhd.exe
  1636 | xjlvlhd.exe (2 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2640 | xjlvlhd.exe (2 times)
  Token: SeShutdownPrivilege | 1196 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1636 | xjlvlhd.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  1636 | xjlvlhd.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  2396 | Abrechnung53534.exe
  2420 | xjlvlhd.exe
  2492 | xjlvlhd.exe
  1636 | xjlvlhd.exe (2 times)
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  1196 | Explorer.EXE
- Suspicious use of WriteProcessMemory (44 IoCs; identical rows collapsed with their repeat count)
  description | pid | Process | procid_target
  PID 2396 wrote to memory of 2876 | 2396 | Abrechnung53534.exe | 30 (9 times)
  PID 2264 wrote to memory of 2420 | 2264 | taskeng.exe | 32 (4 times)
  PID 2420 wrote to memory of 2640 | 2420 | xjlvlhd.exe | 33 (9 times)
  PID 2640 wrote to memory of 600 | 2640 | xjlvlhd.exe | 9
  PID 600 wrote to memory of 1572 | 600 | svchost.exe | 35 (3 times)
  PID 2640 wrote to memory of 1196 | 2640 | xjlvlhd.exe | 21
  PID 2640 wrote to memory of 268 | 2640 | xjlvlhd.exe | 36 (4 times)
  PID 2640 wrote to memory of 2492 | 2640 | xjlvlhd.exe | 38 (4 times)
  PID 2492 wrote to memory of 1636 | 2492 | xjlvlhd.exe | 39 (9 times)
Processes (indentation shows parent/child depth in the process tree)

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  PID: 600
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\DllHost.exe
      Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      PID: 1572

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1196
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
    C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe"
      PID: 2396
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
          PID: 2876
          - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9C7FDADA-35B3-4460-B37D-C131F18B845D} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2264
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
      PID: 2420
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
          PID: 2640
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\vssadmin.exe
              Command line: vssadmin delete shadows all
              PID: 268
              - System Location Discovery: System Language Discovery
              - Interacts with shadow copies
            C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe" -u
              PID: 2492
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\xjlvlhd.exe
                  PID: 1636
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - System Location Discovery: System Language Discovery
                  - Modifies Internet Explorer settings
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  - Suspicious use of SetWindowsHookEx
Downloads