Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2024, 14:19

General

  • Target

    9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe

  • Size

    612KB

  • MD5

    d6b5b3d0a17b1f347665d4e55f8b3df0

  • SHA1

    205749f118c2ca5cb822556e6f50ca86c3ee78b3

  • SHA256

    9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cf

  • SHA512

    6dccfca6772e302a4abbddaefcdaad718c106005b7d627a0a6ca91c3325355448ce43432bef8f3229c7c35bcb8c28b1bc8a8dbb670d53ba842b9430c4b2015df

  • SSDEEP

    12288:k1XgVeBOuW1cLcOtoqSuL0xkpPc9EcgyCBUxaNH3bCdGP/g7i7s:k1XgVeBOuW1cLcOtoqmkpP91bCdk/Fs

Malware Config

Extracted

Path

C:\#HowToRecover.txt

Ransom Note
Your Files Have Been Encrypted! Attention! All your important files have been stolen and encrypted by our advanced attack. Without our special decryption software, theres no way to recover your data! Your ID: [ 79366A5B-1337 ] To restore your files, reach out to us at: [email protected] You can also contact us via Telegram: @Hedaransom Failing to act may result in sensitive company data being leaked or sold. Do NOT use third-party tools, as they may permanently damage your files. Why Trust Us? Before making any payment, you can send us few files for free decryption test. Our business relies on fulfilling our promises. How to Buy Bitcoin? You can purchase Bitcoin to pay the ransom using these trusted platforms: https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/en-gb/how-to-buy/bitcoin https://paxful.com
URLs

https://paxful.com

Signatures

  • Renames multiple (7752) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
    "C:\Users\Admin\AppData\Local\Temp\9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
        3⤵
          PID:2212
      • C:\Windows\system32\cmd.exe
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\System32\wbem\WMIC.exe
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
          3⤵
            PID:2632
        • C:\Windows\system32\cmd.exe
          cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\System32\wbem\WMIC.exe
            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
            3⤵
              PID:108
          • C:\Windows\system32\cmd.exe
            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\System32\wbem\WMIC.exe
              C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
              3⤵
                PID:2576
            • C:\Windows\system32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2964
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
                3⤵
                  PID:2840
              • C:\Windows\system32\cmd.exe
                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2460
                • C:\Windows\System32\wbem\WMIC.exe
                  C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
                  3⤵
                    PID:988
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1620
                  • C:\Windows\System32\wbem\WMIC.exe
                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
                    3⤵
                      PID:1656
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2004
                    • C:\Windows\System32\wbem\WMIC.exe
                      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
                      3⤵
                        PID:808
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:664
                      • C:\Windows\System32\wbem\WMIC.exe
                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
                        3⤵
                          PID:1572
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
                        2⤵
                          PID:2464
                          • C:\Windows\System32\wbem\WMIC.exe
                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
                            3⤵
                              PID:2084
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
                            2⤵
                              PID:1696
                              • C:\Windows\System32\wbem\WMIC.exe
                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
                                3⤵
                                  PID:2476
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
                                2⤵
                                  PID:1732
                                  • C:\Windows\System32\wbem\WMIC.exe
                                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
                                    3⤵
                                      PID:1252
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
                                    2⤵
                                      PID:2008
                                      • C:\Windows\System32\wbem\WMIC.exe
                                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
                                        3⤵
                                          PID:1124
                                      • C:\Windows\system32\cmd.exe
                                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
                                        2⤵
                                          PID:692
                                          • C:\Windows\System32\wbem\WMIC.exe
                                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
                                            3⤵
                                              PID:2604
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
                                            2⤵
                                              PID:1060
                                              • C:\Windows\System32\wbem\WMIC.exe
                                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
                                                3⤵
                                                  PID:296
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
                                                2⤵
                                                  PID:1412
                                                  • C:\Windows\System32\wbem\WMIC.exe
                                                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
                                                    3⤵
                                                      PID:716
                                                  • C:\Windows\system32\WerFault.exe
                                                    C:\Windows\system32\WerFault.exe -u -p 2208 -s 628
                                                    2⤵
                                                      PID:2008
                                                  • C:\Windows\system32\vssvc.exe
                                                    C:\Windows\system32\vssvc.exe
                                                    1⤵
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2928

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\#HowToRecover.txt

                                                    Filesize

                                                    871B

                                                    MD5

                                                    e6e8bd3a31703b45fbef54610e003704

                                                    SHA1

                                                    1aa559d72445e32dd99fb4e2e04bfa085bced575

                                                    SHA256

                                                    275a641e27e9d67840dff6f0b759493a8abba39beb3a160c89ea50d260db25e4

                                                    SHA512

                                                    bdc9ddd99f6166b6b1b40eb617344286beb64c896e2aad0aa1d6fc35c2bab3ae006c4b501742166b74fd178d12b0e7a660f2f0d4a7a176ff4908e92b905fa445