Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

brain.exe

windows7-x64

10

brain.exe

windows10-2004-x64

10

Resubmissions

26/02/2025, 22:29

250226-2epdjsvygx 10

26/02/2025, 21:48

250226-1nyg5stzdt 10

21/02/2025, 20:45

250221-zjsweszqar 10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/02/2025, 21:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    brain.exe

  • Size

    147KB

  • MD5

    448f1796fe8de02194b21c0715e0a5f6

  • SHA1

    935c0b39837319fda571aa800b67d997b79c3198

  • SHA256

    eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12

  • SHA512

    0b93b2c881b1351ff688089abf12bbfcff279c5d6ca8733d6d821c83148d73c85cfedf5ab5bc02c2145970124b518551db3a9fc701d8084f01009ae20f71a831

  • SSDEEP

    3072:l6glyuxE4GsUPnliByocWep0yjEJ3hDRMK89nB2:l6gDBGpvEByocWeebbMjV4

Score
10/10
braincipherdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\sYMY1N6ah.README.txt

Family

braincipher

Ransom Note
*** Welcome to Brain Cipher Ransomware! *** Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen. *** The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours. In order for it to be successful, you must follow a few points: 1.Don't go to the police, etc. 2.Do not attempt to recover data on your own. 3.Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves. *** If you violate any 1 of these points, we will refuse to cooperate with you!!! 3 steps to data recovery: 1. Download and install Tor Browser (https://www.torproject.org/download/) 2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion 3. Enter your encryption ID: M8AL5cWJEU5CnMMPwCdt4x9NVn0ZY2uNtIgnKwkDJwdPbnanVROYFzGmgUCImexTGDmINYgSZXdlhM7D199lNMb294TGY2 Email to support: [email protected]
URLs

http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion

Signatures

  • Brain Cipher

    Ransomware family based on Lockbit that was first observed in June 2024.

    ransomwarebraincipher
  • Braincipher family
    braincipher
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\brain.exe
    "C:\Users\Admin\AppData\Local\Temp\brain.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\ProgramData\D7E8.tmp
      "C:\ProgramData\D7E8.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D7E8.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2172
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini
      Filesize

      129B

      MD5

      7fc1744d93ddf0c154b67f2cc1d36f25

      SHA1

      7e6f93c414036b340b4b1a3f74c413b0bc632f95

      SHA256

      118d622680c0fcdb315e40bcd9d0de57fe73b518639d689ade3bf4b996a72c4b

      SHA512

      97dd845d38ed3e694e57deb651fd42b7ffad9923ee2ec3c084784638b0a1f88dadb8fd882c811fe00722e971e04389fa7e5c21da56d92f63775112514b3254aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDD
      Filesize

      147KB

      MD5

      f1a3da0c7f215b7a76eaf162f2d9b2ee

      SHA1

      46b7b8378b77a8c00019dda4ac5d96b2c1852e25

      SHA256

      e1dad2bbadbdef5173cd776b5e223b078d5ae1ee225ae33193b9c638b9b55021

      SHA512

      392431e1ba1b4d93756481cd6ae953e5f8a64f962e5aa4b00a8cd959cfb0b9e0e920726b2c37eda5f016d0c4cb7b75920a16003fd34629295850fbec4869fc9c

      Download Submit

    • C:\sYMY1N6ah.README.txt
      Filesize

      1KB

      MD5

      deb2e0756d331362d57ad9fe408c4ff3

      SHA1

      870865aad7c7cccafbca0c1f50f7eecaedbd4bf1

      SHA256

      1ddacee1d25936970279557169037a335b362f86c3797ded625d68077bd0145c

      SHA512

      e218624d2704517a358df0dfb794116bbeed3ad81daae8c07d5d969e61e7936ed043911008f4816d663de373fd23515219c8038dd22e5838af7df1678a0134a6

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\EEEEEEEEEEE
      Filesize

      129B

      MD5

      2a10f59f365024c637609f9393473108

      SHA1

      575eb5090ac97c12eb7a60e842db953088aa32b8

      SHA256

      e5a5bf4cd39992ad48442cd699d20ed1355c4c2a961dfc52c62986c3e7653e0f

      SHA512

      fc80eec67e93ddffe0d39065e977235f37fa1db768ac47645f02a5886764a23b21bb960ce731ddf10032ef5805a26ed19fc72057700a99375d520f5f9fc81746

      Download Submit

    • \ProgramData\D7E8.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/2552-1-0x0000000002280000-0x00000000022C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2552-0-0x0000000002280000-0x00000000022C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2968-893-0x0000000000280000-0x00000000002C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2968-894-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2968-892-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2968-895-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2968-925-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2968-924-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download