Analysis
max time kernel: 149s
resource: win10v191014
submitted: 08/01/2020, 23:47
Task: task1
Sample: 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll
Resource: win7v191014
0 signatures

Task: task2
Sample: 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll
Resource: win10v191014
0 signatures
General
Target: 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b
Sample: 200108-dvzv841b7a
SHA256: 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b
Score: 10/10
Malware Config
Signatures

Drops startup file (6 IoCs)
description | ioc | Process
File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aartzu.dat | rundll32.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | rundll32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aartzu.dat | rundll32.exe
File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\aartzu.dat | rundll32.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html | rundll32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\aartzu.dat | rundll32.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4880 wrote to memory of 4896 | 4880 | rundll32.exe | 72
PID 4896 wrote to memory of 4992 | 4896 | rundll32.exe | 74
PID 4896 wrote to memory of 5016 | 4896 | rundll32.exe | 87

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
4896 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 IoCs) | 4992 | wmic.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 IoCs) | 1512 | vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 IoCs) | 5016 | wmic.exe
Maze
Maze is a file-encrypting virus and a successor to ChaCha.
Deletes shadow copies (2 TTPs, 2 IoCs)
pid | Process
4992 | wmic.exe
5016 | wmic.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll,#1
  PID: 4880
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll,#1
    PID: 4896
    Signatures: Drops startup file; Sets desktop wallpaper using registry; Suspicious use of WriteProcessMemory; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\td\ujlwh\ccl\..\..\..\Windows\xbvca\..\system32\bnjk\stm\h\..\..\..\wbem\xt\ssq\..\..\wmic.exe" shadowcopy delete
      PID: 4992
      Signatures: Suspicious use of AdjustPrivilegeToken; Deletes shadow copies
    - C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\hy\enehe\fcq\..\..\..\Windows\yallx\kvivk\..\..\system32\n\..\wbem\aes\..\wmic.exe" shadowcopy delete
      PID: 5016
      Signatures: Suspicious use of AdjustPrivilegeToken; Deletes shadow copies

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1512
  Signatures: Suspicious use of AdjustPrivilegeToken