Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11/02/2025, 00:12

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: q3PQxXVIpq5FvikNyt9vzcdci4S8GjnwsTuKTM/tFVuHmaiuQQf31RtG0m6YZW//kb7X01RpGf1SWUjLcDyhY+cOzV8EELeXBjD+/QooD7W5JesaAGGHPYmmTc48Ko2Mnv6AD+gaeQWVmbBRMa6QdXNGDRcCZZ+QTIfwVqZQUkK9wkvD9HWldEMEedCOgZnJ5BZs1JoXcf8k6bE0mGnSwfKXF/5P9XSz1bdy0gX1dxt1uku6LaUB0V2+Or2xSH99bxZWI217plm3ax+k0kFqWieAHT3YgyT+gAa3FRQoblhZNIsZvMt3VRfBHc7OqVgSHm7hsapiGlnjRl16gKv12Rga3+YvVk/FJL7m3xxSJHjOvJ77Vn7Ph0E5LobrP49ftxI9mIn0zr8F4t9S2+n+qKHkPhEp0nSRS1soX4hqj/MOG2PwSFItYGNPmWcdnq5qj6TBmkrBzgWw0f7/tWzcoWtmTyPWn/ksNcvehlfAvNghddqceyYiSIA9jFMzb1uzSZ0HGn2rM7LsJSp+yO8hFobTFWWqUCfLY+qVsKY842xBIwNFuvM4rV9yliYdqEAsbbuieOs1MYhCs1tSzhAFwnOzBimYx3JZ6eaH1AOkAdgWjuEHM8WvJiLRHB7YYnshu6fkJpnsBGZSoLaJGiVTCspqF3pXZ9cMSS2IYOvfbio= Number of files that were processed is: 484

Signatures

  • Disables service(s) 3 TTPs
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Hakbit family
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 47 IoCs
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:1516
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:1788
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      • Launches sc.exe
      PID:2116
    • C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      • Launches sc.exe
      PID:2100
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1988
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      2⤵
      • Kills process with taskkill
      PID:2976
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:572
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2508
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2532
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1228
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:840
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1276
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1628
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3576
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:572
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:3528
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3980
        • C:\Windows\system32\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 “%s”
          3⤵
            PID:3360
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
          2⤵
          • Deletes itself
          PID:2600
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 3
            3⤵
              PID:3688
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnprotectTest.mp4.energy[[email protected]]
          1⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1032
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:3128
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\VcMedia.rar
          1⤵
          • Modifies registry class
          PID:2696
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          1⤵
          • Enumerates system info in registry
          PID:2312
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef74d9758,0x7fef74d9768,0x7fef74d9778
            2⤵
              PID:1712

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[[email protected]]

            Filesize

            4KB

            MD5

            3ec577f18db2c0965da13339aaafcc98

            SHA1

            82db7e6fb4bca0e9d519a82f08a009bbb79cfbce

            SHA256

            c078c0613697e63b35da641bb5e62be7c56069fb8577f5e03266edf442c79d46

            SHA512

            18df7cd831d65fe08c16fb94e06e592818fd76f95821975efb1232f63c340955c215ffc8d7575f669fbd7c679de1efaba30777f15a6e8fd2758f9abd474d32a9

          • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

            Filesize

            180KB

            MD5

            53391e50f5842732fb810c20bfeda978

            SHA1

            0856b811c7dd49eb60ff4620e45abc793b1408c8

            SHA256

            ec13ca14b6e847ae6bd6d0dcfd6cae236d86ec4655ca5a83c51b6ab42ae65b03

            SHA512

            756d86ecfc4fbc0bd3e4c3391dcddbaee56e6db91fdec38130d8a12241a181ba3231a94bc48353c900e225cd6d6894ff95b947a27017579d8796bc75e8286ff1

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

            Filesize

            7KB

            MD5

            02d351c55ea8b84bbe215faf7a417bd0

            SHA1

            57aa7fae5a2ff1f19d6d833c192ec4856ef61fe5

            SHA256

            3520e45f487e72a9dd8151d01f9d3395fea8a756661196d1d71b30df8883d864

            SHA512

            e01e9b2df8dc800b3336715c2189049c0d38ed9cdcb60efeee4079f1f9c4bfb68e1263087c1bdf2cd69fa220c594952bac306238cea89708013607a9d192bb93

          • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

            Filesize

            828B

            MD5

            d76270c5de853d93bfca190c720190e5

            SHA1

            766a13ab5111cc11fbf402c36e49daf0e1f03cb9

            SHA256

            ac611486579262f85e4bd6c6d2c4aafa19e9eb74754b521f6a7aa87cbb0c69f6

            SHA512

            9124aca74bbceb2c95e089849be887d4c5b4af98a2abc5a6bf8fec86534a4805cc239df458f8a2c07ed5b6db0ce7df63eec89a9771d437ef4f5b5b42bfd55e1d

          • memory/2436-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

            Filesize

            4KB

          • memory/2436-1-0x0000000000030000-0x000000000004A000-memory.dmp

            Filesize

            104KB

          • memory/2436-3-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

            Filesize

            9.9MB

          • memory/2436-151-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

            Filesize

            4KB

          • memory/2436-275-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

            Filesize

            9.9MB

          • memory/2436-605-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

            Filesize

            9.9MB

          • memory/3576-22-0x000000001B770000-0x000000001BA52000-memory.dmp

            Filesize

            2.9MB

          • memory/3576-23-0x0000000001F80000-0x0000000001F88000-memory.dmp

            Filesize

            32KB