Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Task
task1
Task
task2
Task
task3
Task
task4
Task
task5
Task
task6
Task
task7
Task
task8
Task
task9
Task
task10
General
-
Target
test.zip
-
Sample
190821-b2h8n5wv9n
-
SHA256
72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
Score
N/A
Malware Config
Signatures
-
Sets file to hidden 1 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 7 IoCs
description pid Process PID 3904 wrote to memory of 4016 4016 Process not Found PID 3904 wrote to memory of 4004 4004 Process not Found PID 3904 wrote to memory of 3896 3896 Process not Found PID 3904 wrote to memory of 4084 4084 Process not Found PID 3904 wrote to memory of 3400 3400 Process not Found PID 3904 wrote to memory of 2024 2024 Process not Found PID 3904 wrote to memory of 3380 3380 Process not Found -
Modifies file permissions 1 TTPs
-
Executes dropped EXE 1 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 4084 wrote to memory of 4036 4036 Process not Found -
Drops startup file 1 IoCs
description C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1710.tmp -
Sets desktop wallpaper registry value 2 TTPs 1 IoCs
description \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" -
Executes dropped EXE 1 TTPs
-
Executes dropped EXE 1 TTPs
-
Suspicious registry modification 1 IoCs
description \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c006800690062007300790073002e0057004e004300520059005400000000000000 -
Suspicious use of SetWindowsHookEx 1 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 3380 wrote to memory of 3228 3228 Process not Found -
Executes dropped EXE 1 TTPs
-
Suspicious use of SetWindowsHookEx 1 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 2024 wrote to memory of 2904 2904 Process not Found -
Executes dropped EXE 1 TTPs
-
Loads dropped DLL 1 TTPs
-
Suspicious behavior: EnumeratesProcesses
-
Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs
description pid Process PID 3228 wrote to memory of 3492 3492 Process not Found -
Interacts with shadow copies 2 TTPs
-
Suspicious use of WriteProcessMemory 1 TTPs 2 IoCs
description pid Process PID 3492 wrote to memory of 2432 2432 Process not Found PID 3492 wrote to memory of 3984 3984 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 TTPs 3 IoCs
description Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeAuditPrivilege -
Modifies service 2 TTPs 4 IoCs
description \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (CreateKeyEx) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (CreateKeyEx) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (CreateKeyEx) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (CreateKeyEx) -
Deletes shadow copies 2 TTPs
-
Suspicious use of AdjustPrivilegeToken 1 TTPs 21 IoCs
description Token: SeIncreaseQuotaPrivilege Token: SeSecurityPrivilege Token: SeTakeOwnershipPrivilege Token: SeLoadDriverPrivilege Token: SeSystemProfilePrivilege Token: SeSystemtimePrivilege Token: SeProfSingleProcessPrivilege Token: SeIncBasePriorityPrivilege Token: SeCreatePagefilePrivilege Token: SeBackupPrivilege Token: SeRestorePrivilege Token: SeShutdownPrivilege Token: SeDebugPrivilege Token: SeSystemEnvironmentPrivilege Token: SeRemoteShutdownPrivilege Token: SeUndockPrivilege Token: SeManageVolumePrivilege Token: 33 Token: 34 Token: 35 Token: 36 -
wannacry family