Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/11/2024, 14:21

General

  • Target
    Lockbit-Ransomware-Builder-main/KeyGen.exe
  • Size
    146KB
  • MD5
    39c9477cf131ca5ccc05c8871c0e10e6
  • SHA1
    07b2581b2cb41053d09c4bb896aaabc1d28f2a7b
  • SHA256
    939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb
  • SHA512
    689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129
  • SSDEEP
    1536:xzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDqk3sA9atm8z+L8QBfuSoyAMjwT:KqJogYkcSNm9V7D7352v+L8DnyAewT

Signatures

  • Renames multiple (633) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main\KeyGen.exe
    "C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main\KeyGen.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2204
    • C:\ProgramData\F3A8.tmp
      "C:\ProgramData\F3A8.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F3A8.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1352
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4496
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2D1D0379-2C92-476F-A337-872B18538995}.xps" 133771044971560000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:980

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\UUUUUUUUUUU
    Filesize
    129B
    MD5
    694dda34207c222cc57c22611b7f57ee
    SHA1
    7832c394ee2f9d603bb75c8a02698b04fa9a1d6e
    SHA256
    200e569921e603cf6d226aa7f6f106e3671a3560ae64e558309cfe9e38ee308b
    SHA512
    52cd5ff29e7bd5ca80b8d9b5f09373db5446cd3bda606baf1cb6cc346470610eb8df82ed545b70a8aba60dc51b9a21056d437a057e5d4bf49bb6ba157a08bb57
  • C:\1pvSvxmZY.README.txt
    Filesize
    348B
    MD5
    9810eed5ecd966874ebeb398ac6531ed
    SHA1
    17d2e2bc15df652734b79185cb323e652559fd6a
    SHA256
    53183e5ed0cf42bed46b17c9dcc92ea49737bb57dce34f1e20675a913796566e
    SHA512
    b26ca61461ed8b09f037e33d209cd0a22959b89e3e7895e057f544010fd5ae037e4fa76311763c121cd6e8b3050de22fa7d2163b4d9cf40585e14f5024e0cb79
  • C:\ProgramData\F3A8.tmp
    Filesize
    14KB
    MD5
    294e9f64cb1642dd89229fff0592856b
    SHA1
    97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256
    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512
    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
  • C:\Users\Admin\AppData\Local\Temp\Lockbit-Ransomware-Builder-main\BBBBBBBBBB
    Filesize
    146KB
    MD5
    fbf55bc0d705b30bb0002c279dd1d31f
    SHA1
    d2aa0216710e7de9fa8014b55e56c01288ce2bf8
    SHA256
    bee433ae6c1ea7c42762811b77980bd9933599e462e00af20fe286461cf2068b
    SHA512
    019d09002e2cd9bc971934a2495fce31e3af80e79cf9f067bffe16426b9726302da41e631dbadb4cf1ff884016c96d9c64771ee7ca3a594547645105664c0a96
  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize
    4KB
    MD5
    4e21b3df103ae131931ea2a8276582b1
    SHA1
    47ab128cf3c39a1220858d2906eae7d0caeb8b1d
    SHA256
    85a470a4da8027d44fef24d8f099de2cb64ec4640c41a7520f122402ae8da3fe
    SHA512
    7c43bec171901e409af276eb7af897e089f9a3a0004fa0511b215f0b973e7adad4980853b61c34312bc85b04db3473f5ecaa473c5a8255ed1d91b31947c4d6c8
  • F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\DDDDDDDDDDD
    Filesize
    129B
    MD5
    d00cd9b1f789d4956b3ff06d1e81a565
    SHA1
    60d15bdbe108aaf64d175770293b2a74a464bd9f
    SHA256
    3f6bc6040f9e738215c2ed075383f31735ac2e69955467db2b4243535a236384
    SHA512
    01a5ab272071f77402dd02d4d184b626203868d061096ffa0abccb7bafbe3e5e3f565e8105b7c96f4a056223a8942291f846e25087797f7955da749ee21781cd

  • memory/980-2829-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp
    Filesize
    64KB
  • memory/980-2826-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp
    Filesize
    64KB
  • memory/980-2828-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp
    Filesize
    64KB
  • memory/980-2827-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp
    Filesize
    64KB
  • memory/980-2830-0x00007FF9FF570000-0x00007FF9FF580000-memory.dmp
    Filesize
    64KB
  • memory/980-2845-0x00007FF9FCEE0000-0x00007FF9FCEF0000-memory.dmp
    Filesize
    64KB
  • memory/980-2864-0x00007FF9FCEE0000-0x00007FF9FCEF0000-memory.dmp
    Filesize
    64KB
  • memory/1768-2812-0x0000000002A40000-0x0000000002A50000-memory.dmp
    Filesize
    64KB
  • memory/1768-2813-0x0000000002A40000-0x0000000002A50000-memory.dmp
    Filesize
    64KB
  • memory/1768-2-0x0000000002A40000-0x0000000002A50000-memory.dmp
    Filesize
    64KB
  • memory/1768-2814-0x0000000002A40000-0x0000000002A50000-memory.dmp
    Filesize
    64KB
  • memory/1768-0-0x0000000002A40000-0x0000000002A50000-memory.dmp
    Filesize
    64KB
  • memory/1768-1-0x0000000002A40000-0x0000000002A50000-memory.dmp
    Filesize
    64KB