Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2024, 12:39

General

  • Target

    0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe

  • Size

    612KB

  • MD5

    412ce7c1f8dd5dcfafb5c3af08297c65

  • SHA1

    fd98960ab8e7bfe92fc566237be4bc433332c3f3

  • SHA256

    0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328

  • SHA512

    10e654df43c193ae7786848093967092b0f7fc1bf61ef55e2edf77347acc029ee8dcce9c64a64922f846bcea0b33307e6dabd54ba196f0f2f027a88f3e213748

  • SSDEEP

    12288:/lTMgGurXwc8Xq1m3fdjQU+v4PN/CnBMj5qJwhq92hyuZCZh06H4FCd:/lTMgBrXwc8Xq1Cfdj/PN/IWyuZ+h

Malware Config

Extracted

Path

C:\#HowToRecover.txt

Ransom Note
Your Files Have Been Encrypted! Attention! All your important files have been stolen and encrypted by our advanced attack. Without our special decryption software, theres no way to recover your data! Your ID: [ E8330FE1-1337 ] To restore your files, reach out to us at: [email protected] You can also contact us via Telegram: @Hedaransom Failing to act may result in sensitive company data being leaked or sold. Do NOT use third-party tools, as they may permanently damage your files. Why Trust Us? Before making any payment, you can send us few files for free decryption test. Our business relies on fulfilling our promises. How to Buy Bitcoin? You can purchase Bitcoin to pay the ransom using these trusted platforms: https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/en-gb/how-to-buy/bitcoin https://paxful.com
URLs

https://paxful.com

Signatures

  • Renames multiple (6530) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
    "C:\Users\Admin\AppData\Local\Temp\0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C34AFC3-3DC2-47A5-B6BD-87F57D084FBB}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C34AFC3-3DC2-47A5-B6BD-87F57D084FBB}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:756
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\#HowToRecover.txt

    Filesize

    871B

    MD5

    83f8bacb8f86e7e33ce04386ce1c9228

    SHA1

    6812db951e3094ac5dd7ee9791c6b6b7dc07b003

    SHA256

    b8ffd1c3f47e917c996bce4de87b4bc54f9f302366bbd84ab82af1631a778768

    SHA512

    ebacb4c6702e00efe00be5fc79f76c73079801286c7b70a6cfaef08b591666854ca693113fa9e0b2a25f8ee62b7de13d937b9b7f5739023a498f2ef669e6ae28