Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 114s
- max time network: 120s
- platform: windows7_x64
- resource: win7
- submitted: 30/06/2020, 13:07
Static task: static1
Behavioral task: behavioral1
- Sample: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
- Resource: win10
General
- Target: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
- Size: 1.0MB
- MD5: 572fea5f025df78f2d316216fbeee52e
- SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
- SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
- SHA512: eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
Malware Config
Extracted
- C:\Users\Admin\Desktop\PushSend.aifc.txt
- wastedlocker
Signatures

Loads dropped DLL (2 IoCs)
- pid 1612, Process 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
- pid 1612, Process 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeBackupPrivilege, pid 1508, Process vssvc.exe
- Token: SeRestorePrivilege, pid 1508, Process vssvc.exe
- Token: SeAuditPrivilege, pid 1508, Process vssvc.exe

Views/modifies file attributes (1 TTPs, 3 IoCs)
- pid 2028, Process attrib.exe
- pid 1280, Process attrib.exe
- pid 1364, Process attrib.exe

Opens file in notepad (likely ransom note) (1 IoCs)
- pid 528, Process NOTEPAD.EXE

Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\Name.exe, Process Name:bin
- File opened for modification: C:\Windows\SysWOW64\Name.exe, Process attrib.exe
Suspicious use of WriteProcessMemory (52 IoCs)
Columns: description, pid, Process, procid_target
PID 1612 wrote to memory of 364 1612 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe 24 PID 1612 wrote to memory of 364 1612 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe 24 PID 1612 wrote to memory of 364 1612 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe 24 PID 1612 wrote to memory of 364 1612 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe 24 PID 364 wrote to memory of 1052 364 Name:bin 25 PID 364 wrote to memory of 1052 364 Name:bin 25 PID 364 wrote to memory of 1052 364 Name:bin 25 PID 364 wrote to memory of 1052 364 Name:bin 25 PID 364 wrote to memory of 1416 364 Name:bin 29 PID 364 wrote to memory of 1416 364 Name:bin 29 PID 364 wrote to memory of 1416 364 Name:bin 29 PID 364 wrote to memory of 1416 364 Name:bin 29 PID 364 wrote to memory of 1948 364 Name:bin 31 PID 364 wrote to memory of 1948 364 Name:bin 31 PID 364 wrote to memory of 1948 364 Name:bin 31 PID 364 wrote to memory of 1948 364 Name:bin 31 PID 1956 wrote to memory of 1828 1956 Name.exe 35 PID 1956 wrote to memory of 1828 1956 Name.exe 35 PID 1956 wrote to memory of 1828 1956 Name.exe 35 PID 1956 wrote to memory of 1828 1956 Name.exe 35 PID 1828 wrote to memory of 1644 1828 cmd.exe 37 PID 1828 wrote to memory of 1644 1828 cmd.exe 37 PID 1828 wrote to memory of 1644 1828 cmd.exe 37 PID 1828 wrote to memory of 1644 1828 cmd.exe 37 PID 364 wrote to memory of 1628 364 Name:bin 38 PID 364 wrote to memory of 1628 364 Name:bin 38 PID 364 wrote to memory of 1628 364 Name:bin 38 PID 364 wrote to memory of 1628 364 Name:bin 38 PID 1612 wrote to memory of 1640 1612 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe 40 PID 1612 wrote to memory of 1640 1612 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe 40 PID 1612 wrote to memory of 1640 1612 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe 40 PID 1612 wrote to memory of 1640 1612 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe 40 PID 1628 wrote to memory of 1632 1628 cmd.exe 42 PID 1628 wrote to memory of 1632 1628 cmd.exe 42 PID 1628 wrote to memory of 1632 1628 cmd.exe 42 PID 1628 wrote to memory of 1632 1628 cmd.exe 42 PID 1640 wrote to memory of 1128 1640 cmd.exe 43 PID 1640 wrote to memory of 1128 1640 cmd.exe 43 PID 1640 wrote to memory of 1128 1640 cmd.exe 43 PID 1640 wrote to memory of 1128 1640 cmd.exe 43 PID 1828 wrote to memory of 2028 1828 cmd.exe 44 PID 1828 wrote to memory of 2028 1828 cmd.exe 44 PID 1828 wrote to memory of 2028 1828 cmd.exe 44 PID 1828 wrote to memory of 2028 1828 cmd.exe 44 PID 1640 wrote to memory of 1364 1640 cmd.exe 46 PID 1640 wrote to memory of 1364 1640 cmd.exe 46 PID 1640 wrote to memory of 1364 1640 cmd.exe 46 PID 1640 wrote to memory of 1364 1640 cmd.exe 46 PID 1628 wrote to memory of 1280 1628 cmd.exe 45 PID 1628 wrote to memory of 1280 1628 cmd.exe 45 PID 1628 wrote to memory of 1280 1628 cmd.exe 45 PID 1628 wrote to memory of 1280 1628 cmd.exe 45
Deletes itself (1 IoCs)
- pid 1640, Process cmd.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- pid 1052, Process vssadmin.exe

Possible privilege escalation attempt (2 IoCs)
- pid 1416, Process takeown.exe
- pid 1948, Process icacls.exe

Modifies service (2 TTPs, 5 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer, Process vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer, Process vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer, Process vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}, Process vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer, Process vssvc.exe

Modifies file permissions (1 TTPs, 2 IoCs)
- pid 1416, Process takeown.exe
- pid 1948, Process icacls.exe

Executes dropped EXE (2 IoCs)
- pid 364, Process Name:bin
- pid 1956, Process Name.exe

WastedLocker
Ransomware family seen in the wild since May 2020.

NTFS ADS (1 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Name:bin, Process 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Processes (tree; nesting shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory; NTFS ADS
  PID: 1612
  - C:\Users\Admin\AppData\Roaming\Name:bin
    Command line: C:\Users\Admin\AppData\Roaming\Name:bin -r
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory; Executes dropped EXE
    PID: 364
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
      PID: 1052
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Name.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions
      PID: 1416
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Name.exe /reset
      Signatures: Possible privilege escalation attempt; Modifies file permissions
      PID: 1948
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Name" & del "C:\Users\Admin\AppData\Roaming\Name"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1628
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
        PID: 1632
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Name"
        Signatures: Views/modifies file attributes
        PID: 1280
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" & del "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
    Signatures: Suspicious use of WriteProcessMemory; Deletes itself
    PID: 1640
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
      PID: 1128
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
      Signatures: Views/modifies file attributes
      PID: 1364

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service
  PID: 1508

- C:\Windows\SysWOW64\Name.exe
  Command line: C:\Windows\SysWOW64\Name.exe -s
  Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE
  PID: 1956
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Name.exe" & del "C:\Windows\SysWOW64\Name.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1828
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
      PID: 1644
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Name.exe"
      Signatures: Views/modifies file attributes; Drops file in System32 directory
      PID: 2028

- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PushSend.aifc.txt
  Signatures: Opens file in notepad (likely ransom note)
  PID: 528