Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
29/12/2024, 04:36 UTC
General
-
Target
48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe
-
Size
959KB
-
MD5
aae021c0f8b3d4d319235d1025c1f35d
-
SHA1
c0893afb208b4ae591e8bf130b5c2077771e7706
-
SHA256
48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037
-
SHA512
f3fcf2d08fca0a679e08de4912dd4cca5f2aa4af3d500702568c7e6bb53680bfd7dac991126a8cf47faf0d2f8f067a50d123568b5c2a85811e347a0da62855df
-
SSDEEP
24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdGF:Ujrc2So1Ff+B3k796o
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
Ransom Note
LockBit 2.0 Ransomware
Your data are stolen and encrypted
The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
You can contact us and decrypt one file for free on these TOR sites
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
OR
https://decoding.at
Decryption ID: C9429E1B932B36E8933A61D9B7B1BDAD
URLs
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe"C:\Users\Admin\AppData\Local\Temp\48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 11362⤵
- Program crash
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
- No results found
-
10.127.0.1:135 -
10.127.0.1:445
-
10.127.0.0:135
-
10.127.0.0:445
-
10.127.0.2:135
-
10.127.0.2:445
-
10.127.0.3:135
-
10.127.0.3:445
-
10.127.0.4:135
-
10.127.0.4:445
-
10.127.0.5:135
-
10.127.0.5:445
-
10.127.0.6:135
-
10.127.0.6:445
-
10.127.0.7:135
-
10.127.0.7:445
-
10.127.0.8:135
-
10.127.0.8:445
-
10.127.0.9:135
-
10.127.0.9:445
-
10.127.0.10:135
-
10.127.0.10:445
-
10.127.0.11:135
-
10.127.0.11:445
-
10.127.0.12:135
-
10.127.0.12:445
-
10.127.0.13:135
-
10.127.0.13:445
-
10.127.0.14:135
-
10.127.0.14:445
-
10.127.0.15:135
-
10.127.0.15:445
-
10.127.0.16:135
-
10.127.0.16:445
-
10.127.0.17:135
-
10.127.0.17:445
-
10.127.0.18:135
-
10.127.0.18:445
-
10.127.0.19:135
-
10.127.0.19:445
-
10.127.0.20:135
-
10.127.0.20:445
-
10.127.0.21:135
-
10.127.0.21:445
-
10.127.0.22:135
-
10.127.0.22:445
-
10.127.0.23:135
-
10.127.0.23:445
-
10.127.0.24:135
-
10.127.0.24:445
-
10.127.0.25:135
-
10.127.0.25:445
-
10.127.0.26:135
-
10.127.0.26:445
-
10.127.0.27:135
-
10.127.0.27:445
-
10.127.0.28:135
-
10.127.0.28:445
-
10.127.0.29:135
-
10.127.0.29:445
-
10.127.0.30:135
-
10.127.0.30:445
-
10.127.0.31:135
-
10.127.0.31:445
-
10.127.0.32:135
-
10.127.0.32:445
-
10.127.0.33:135
-
10.127.0.33:445
-
10.127.0.34:135
-
10.127.0.34:445
-
10.127.0.35:135
-
10.127.0.35:445
-
10.127.0.36:135
-
10.127.0.36:445
-
10.127.0.37:135
-
10.127.0.37:445
-
10.127.0.38:135
-
10.127.0.38:445
-
10.127.0.39:135
-
10.127.0.39:445
-
10.127.0.40:135
-
10.127.0.40:445
-
10.127.0.41:135
-
10.127.0.41:445
-
10.127.0.42:135
-
10.127.0.42:445
-
10.127.0.43:135
-
10.127.0.43:445
-
10.127.0.44:135
-
10.127.0.44:445
-
10.127.0.45:135
-
10.127.0.45:445
-
10.127.0.46:135
-
10.127.0.46:445
-
10.127.0.47:135
-
10.127.0.47:445
-
10.127.0.48:135
-
10.127.0.48:445
-
10.127.0.49:135
-
10.127.0.49:445
-
10.127.0.50:135
-
10.127.0.50:445
-
10.127.0.51:135
-
10.127.0.51:445
-
10.127.0.52:135
-
10.127.0.52:445
-
10.127.0.53:135
-
10.127.0.53:445
-
10.127.0.54:135
-
10.127.0.54:445
-
10.127.0.55:135
-
10.127.0.55:445
-
10.127.0.56:135
-
10.127.0.56:445
-
10.127.0.57:135
-
10.127.0.57:445
-
10.127.0.58:135
-
10.127.0.58:445
-
10.127.0.59:135
-
10.127.0.59:445
-
10.127.0.60:135
-
10.127.0.60:445
-
10.127.0.61:135
-
10.127.0.61:445
-
10.127.0.62:135
-
10.127.0.62:445
-
10.127.0.63:135
-
10.127.0.63:445
-
10.127.0.64:135
-
10.127.0.64:445
-
10.127.0.65:135
-
10.127.0.65:445
-
10.127.0.66:135
-
10.127.0.66:445
-
10.127.0.67:135
-
10.127.0.67:445
-
10.127.0.68:135
-
10.127.0.68:445
-
10.127.0.69:135
-
10.127.0.69:445
-
10.127.0.70:135
-
10.127.0.70:445
-
10.127.0.71:135
-
10.127.0.71:445
-
10.127.0.72:135
-
10.127.0.72:445
-
10.127.0.73:135
-
10.127.0.73:445
-
10.127.0.74:135
-
10.127.0.74:445
-
10.127.0.75:135
-
10.127.0.75:445
-
10.127.0.76:135
-
10.127.0.76:445
-
10.127.0.77:135
-
10.127.0.77:445
-
10.127.0.78:135
-
10.127.0.78:445
-
10.127.0.79:135
-
10.127.0.79:445
-
10.127.0.80:135
-
10.127.0.80:445
-
10.127.0.81:135
-
10.127.0.81:445
-
10.127.0.82:135
-
10.127.0.82:445
-
10.127.0.83:135
-
10.127.0.83:445
-
10.127.0.84:135
-
10.127.0.84:445
-
10.127.0.85:135
-
10.127.0.85:445
-
10.127.0.86:135
-
10.127.0.86:445
-
10.127.0.87:135
-
10.127.0.87:445
-
10.127.0.88:135
-
10.127.0.88:445
-
10.127.0.89:135
-
10.127.0.89:445
-
10.127.0.90:135
-
10.127.0.90:445
-
10.127.0.91:135
-
10.127.0.91:445
-
10.127.0.92:135
-
10.127.0.92:445
-
10.127.0.93:135
-
10.127.0.93:445
-
10.127.0.94:135
-
10.127.0.94:445
-
10.127.0.95:135
-
10.127.0.95:445
-
10.127.0.96:135
-
10.127.0.96:445
-
10.127.0.97:135
-
10.127.0.97:445
-
10.127.0.98:135
-
10.127.0.98:445
-
10.127.0.99:135
-
10.127.0.99:445
-
10.127.0.100:135
-
10.127.0.100:445
-
10.127.0.101:135
-
10.127.0.101:445
-
10.127.0.102:135
-
10.127.0.102:445
-
10.127.0.103:135
-
10.127.0.103:445
-
10.127.0.104:135
-
10.127.0.104:445
-
10.127.0.105:135
-
10.127.0.105:445
-
10.127.0.106:135
-
10.127.0.106:445
-
10.127.0.107:135
-
10.127.0.107:445
-
10.127.0.108:135
-
10.127.0.108:445
-
10.127.0.109:135
-
10.127.0.109:445
-
10.127.0.110:135
-
10.127.0.110:445
-
10.127.0.111:135
-
10.127.0.111:445
-
10.127.0.112:135
-
10.127.0.112:445
-
10.127.0.113:135
-
10.127.0.113:445
-
10.127.0.114:135
-
10.127.0.114:445
-
10.127.0.115:135
-
10.127.0.115:445
-
10.127.0.116:135
-
10.127.0.116:445
-
10.127.0.117:135
-
10.127.0.117:445
-
10.127.0.118:135
-
10.127.0.118:445
-
10.127.0.119:135
-
10.127.0.119:445
-
10.127.0.120:135
-
10.127.0.120:445
-
10.127.0.121:135
-
10.127.0.121:445
-
10.127.0.122:135
-
10.127.0.122:445
-
10.127.0.123:135
-
10.127.0.123:445
-
10.127.0.124:135
-
10.127.0.124:445
-
10.127.0.125:135
-
10.127.0.125:445
-
10.127.0.126:135
-
10.127.0.126:445
-
10.127.0.127:135
-
10.127.0.127:445
-
10.127.0.128:135
-
10.127.0.128:445
-
10.127.0.129:135
-
10.127.0.129:445
-
10.127.0.130:135
-
10.127.0.130:445
-
10.127.0.131:135
-
10.127.0.131:445
-
10.127.0.132:135
-
10.127.0.132:445
-
10.127.0.133:135
-
10.127.0.133:445
-
10.127.0.134:135
-
10.127.0.134:445
-
10.127.0.135:135
-
10.127.0.135:445
-
10.127.0.136:135
-
10.127.0.136:445
-
10.127.0.137:135
-
10.127.0.137:445
-
10.127.0.138:135
-
10.127.0.138:445
-
10.127.0.139:135
-
10.127.0.139:445
-
10.127.0.140:135
-
10.127.0.140:445
-
10.127.0.141:135
-
10.127.0.141:445
-
10.127.0.142:135
-
10.127.0.142:445
-
10.127.0.143:135
-
10.127.0.143:445
-
10.127.0.144:135
-
10.127.0.144:445
-
10.127.0.145:135
-
10.127.0.145:445
-
10.127.0.146:135
-
10.127.0.146:445
-
10.127.0.147:135
-
10.127.0.147:445
-
10.127.0.148:135
-
10.127.0.148:445
-
10.127.0.149:135
-
10.127.0.149:445
-
10.127.0.150:135
-
10.127.0.150:445
-
10.127.0.151:135
-
10.127.0.151:445
-
10.127.0.152:135
-
10.127.0.152:445
-
10.127.0.153:135
-
10.127.0.153:445
-
10.127.0.154:135
-
10.127.0.154:445
-
10.127.0.155:135
-
10.127.0.155:445
-
10.127.0.156:135
-
10.127.0.156:445
-
10.127.0.157:135
-
10.127.0.157:445
-
10.127.0.158:135
-
10.127.0.158:445
-
10.127.0.159:135
-
10.127.0.159:445
-
10.127.0.160:135
-
10.127.0.160:445
-
10.127.0.161:135
-
10.127.0.161:445
-
10.127.0.162:135
-
10.127.0.162:445
-
10.127.0.163:135
-
10.127.0.163:445
-
10.127.0.164:135
-
10.127.0.164:445
-
10.127.0.165:135
-
10.127.0.165:445
-
10.127.0.166:135
-
10.127.0.166:445
-
10.127.0.167:135
-
10.127.0.167:445
-
10.127.0.168:135
-
10.127.0.168:445
-
10.127.0.169:135
-
10.127.0.169:445
-
10.127.0.170:135
-
10.127.0.170:445
-
10.127.0.171:135
-
10.127.0.171:445
-
10.127.0.172:135
-
10.127.0.172:445
-
10.127.0.173:135
-
10.127.0.173:445
-
10.127.0.174:135
-
10.127.0.174:445
-
10.127.0.175:135
-
10.127.0.175:445
-
10.127.0.176:135
-
10.127.0.176:445
-
10.127.0.177:135
-
10.127.0.177:445
-
10.127.0.178:135
-
10.127.0.178:445
-
10.127.0.179:135
-
10.127.0.179:445
-
10.127.0.180:135
-
10.127.0.180:445
-
10.127.0.181:135
-
10.127.0.181:445
-
10.127.0.182:135
-
10.127.0.182:445
-
10.127.0.183:135
-
10.127.0.183:445
-
10.127.0.184:135
-
10.127.0.184:445
-
10.127.0.185:135
-
10.127.0.185:445
-
10.127.0.186:135
-
10.127.0.186:445
-
10.127.0.187:135
-
10.127.0.187:445
-
10.127.0.188:135
-
10.127.0.188:445
-
10.127.0.189:135
-
10.127.0.189:445
-
10.127.0.190:135
-
10.127.0.190:445
-
10.127.0.191:135
-
10.127.0.191:445
-
10.127.0.192:135
-
10.127.0.192:445
-
10.127.0.193:135
-
10.127.0.193:445
-
10.127.0.194:135
-
10.127.0.194:445
-
10.127.0.195:135
-
10.127.0.195:445
-
10.127.0.196:135
-
10.127.0.196:445
-
10.127.0.197:135
-
10.127.0.197:445
-
10.127.0.198:135
-
10.127.0.198:445
-
10.127.0.199:135
-
10.127.0.199:445
-
10.127.0.200:135
-
10.127.0.200:445
-
10.127.0.201:135
-
10.127.0.201:445
-
10.127.0.202:135
-
10.127.0.202:445
-
10.127.0.203:135
-
10.127.0.203:445
-
10.127.0.204:135
-
10.127.0.204:445
-
10.127.0.205:135
-
10.127.0.205:445
-
10.127.0.206:135
-
10.127.0.206:445
-
10.127.0.207:135
-
10.127.0.207:445
-
10.127.0.208:135
-
10.127.0.208:445
-
10.127.0.209:135
-
10.127.0.209:445
-
10.127.0.210:135
-
10.127.0.210:445
-
10.127.0.211:135
-
10.127.0.211:445
-
10.127.0.212:135
-
10.127.0.212:445
-
10.127.0.213:135
-
10.127.0.213:445
-
10.127.0.214:135
-
10.127.0.214:445
-
10.127.0.215:135
-
10.127.0.215:445
-
10.127.0.216:135
-
10.127.0.216:445
-
10.127.0.217:135
-
10.127.0.217:445
-
10.127.0.218:135
-
10.127.0.218:445
-
10.127.0.219:135
-
10.127.0.219:445
-
10.127.0.220:135
-
10.127.0.220:445
-
10.127.0.221:135
-
10.127.0.221:445
-
10.127.0.222:135
-
10.127.0.222:445
-
10.127.0.223:135
-
10.127.0.223:445
-
10.127.0.224:135
-
10.127.0.224:445
-
10.127.0.225:135
-
10.127.0.225:445
-
10.127.0.226:135
-
10.127.0.226:445
-
10.127.0.227:135
-
10.127.0.227:445
-
10.127.0.228:135
-
10.127.0.228:445
-
10.127.0.229:135
-
10.127.0.229:445
-
10.127.0.230:135
-
10.127.0.230:445
-
10.127.0.231:135
-
10.127.0.231:445
-
10.127.0.232:135
-
10.127.0.232:445
-
10.127.0.233:135
-
10.127.0.233:445
-
10.127.0.234:135
-
10.127.0.234:445
-
10.127.0.235:135
-
10.127.0.235:445
-
10.127.0.236:135
-
10.127.0.236:445
-
10.127.0.237:135
-
10.127.0.237:445
-
10.127.0.238:135
-
10.127.0.238:445
-
10.127.0.239:135
-
10.127.0.239:445
-
10.127.0.240:135
-
10.127.0.240:445
-
10.127.0.241:135
-
10.127.0.241:445
-
10.127.0.242:135
-
10.127.0.242:445
-
10.127.0.243:135
-
10.127.0.243:445
-
10.127.0.244:135
-
10.127.0.244:445
-
10.127.0.245:135
-
10.127.0.245:445
-
10.127.0.246:135
-
10.127.0.246:445
-
10.127.0.247:135
-
10.127.0.247:445
-
10.127.0.248:135
-
10.127.0.248:445
-
10.127.0.249:135
-
10.127.0.249:445
No results found
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512B
MD5a9865ed2311151ae87b7bca9015a5035
SHA15d0087fe9cb4ca38fe3dd53fb6edb46a3d39ef66
SHA256437d9a94ef490cedc8cb7c86a0525e529b5d41d52fef3b8e0eaad31e37d44de1
SHA51265e4e244e61a1955cb80b6e42cfa1cdf813217747e5c21c16e491a32a4af310e48e95d89f20aba8ebbe9081207f77aba9bd27812192c3732f2c315c88e64e0c1