Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

05/02/2025, 11:06

250205-m7gf3svpcl 10

25/11/2024, 01:10

241125-bjt7gswjcj 10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/02/2025, 11:06

General

  • Target

    ransom/Build/LB3.exe

  • Size

    145KB

  • MD5

    b2cb742a43762106fc03fa1e26fd4f68

  • SHA1

    aef4e9199b06b835b6e677c0910d3ed6fdf96ef3

  • SHA256

    f4dcf20fcdd95d241eadcd88ce30998189d0682132456e9254321a8d6d281611

  • SHA512

    d0521e8a496e53a309acf7f9d388e684bfa068cc77d23ae6a7da75e6dea962b2a9e3dd5a27dc5e45c054aa025e3ff1a3c237a996aab2fbcfaa68483481ca4975

  • SSDEEP

    3072:5qJogYkcSNm9V7D58PleQQuloQwssCnT:5q2kc4m9tDcQvuiQfD

Malware Config

Signatures

  • Renames multiple (356) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe
    C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe dsrm -subtree -noprompt -c user"http://+:443"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\ProgramData\FA66.tmp
      "C:\ProgramData\FA66.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FA66.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1540
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
      PID:2932

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini

      Filesize

      129B

      MD5

      764105f82149f12fa97003fb1d7956d7

      SHA1

      d8f539e68926e7ebd9d883ee36369503dd4908b8

      SHA256

      f6ecbcbd109866bbeb40f08f8bccea9019b1b1d6f356eb90ec7dfa49553e51d8

      SHA512

      2e486ce1e22fbb4a62e7f6e1d18f8b329480a33313b9412ffa937366ca02225e0017b96ec43ddb275c7abef28b1ba86b14fb6ec5f2be17b3c4f70893f1fc4a2a

    • C:\BNzPckH0e.README.txt

      Filesize

      93B

      MD5

      eaebdbc14b3c2ecdcec757fc361f5589

      SHA1

      02ec5589c9f3c671c464671faaf1b8343d849490

      SHA256

      0f037f3ac40aa8e999e3394d3741594b3410581f89eb467863e0ff30fa2417da

      SHA512

      14f5876fd27dbff0784e851e1c2fe4c68f70dc3b0cc2e95f10ab28bc872f90e82bb590f441379b73579c54680132a6961d216b9c18cd9648f9a45d4a72db660f

    • C:\Users\Admin\AppData\Local\Temp\ransom\Build\DDDDDDD

      Filesize

      145KB

      MD5

      2273482adead36346442411e730a6b67

      SHA1

      8fe5689de7692f12073031275ba8b6251d97af95

      SHA256

      a8287d64295b8e3a0be665f1838421a0d9368b4ea319c02ea7a3761bb89c5f25

      SHA512

      887a2c57c0a44b54139cfa39add3bd753c4e21197ef942a5278bba4dc91d1ab3f03c934e2d22d4e75804b121907547103e88ef8481f6c40dbb3a37107f59528d

    • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\FFFFFFFFFFF

      Filesize

      129B

      MD5

      1321dbbb5d831690aec76cfdbad12710

      SHA1

      b62c9d078e765cab4c1d6a846736d58674defb21

      SHA256

      815443b4abb5b18234d222e66b59918ca069f721a0c52ae2a7596021874e9085

      SHA512

      acfb1eee2b30d87801c9c846e6617f91a4c898c5892c29a8b061a6d20c5fa76b3a072244fa4a288acbf83eba579de2ed0d0ca7a7d1ed6344f25c045a4d52571b

    • \ProgramData\FA66.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/2376-893-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2376-895-0x0000000000280000-0x00000000002C0000-memory.dmp

      Filesize

      256KB

    • memory/2376-897-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2376-896-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/2376-927-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/2376-926-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

    • memory/2436-0-0x0000000000380000-0x00000000003C0000-memory.dmp

      Filesize

      256KB