Analysis
- max time kernel: 138s
- max time network: 51s
- platform: windows10_x64
- resource: win10v200430
- submitted: 04/07/2020, 03:56
Static task: static1
Behavioral task: behavioral1
- Sample: gstabl72.exe
- Resource: win7
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: gstabl72.exe
- Resource: win10v200430
- 0 signatures, 0 seconds
General
- Target: gstabl72.exe
- Size: 848KB
- MD5: 3208a14c9bad334e331febe00f1e9734
- SHA1: 809fbd450e1a484a5af4ec05c345b2a7072723e7
- SHA256: 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
- SHA512: b1460826b0a15e9cf752f001426ae6c9fffe96d01d7ab2802d0843b2c51f3dc1590c9c1f80e26ed9a751e7ac59f584fde4cb937841d5b4ea51a1883302da4029
Malware Config
Signatures
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Installers:bin (process: gstabl72.exe)
- WastedLocker
  Ransomware family seen in the wild since May 2020.
- Modifies service (2 TTPs, 5 IoCs)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (process: vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (process: vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (process: vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (process: vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (process: vssvc.exe)
- Modifies file permissions (1 TTP, 2 IoCs)
  PID 2680 takeown.exe; PID 3720 icacls.exe
- Possible privilege escalation attempt (2 IoCs)
  PID 2680 takeown.exe; PID 3720 icacls.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Format: source PID (process) wrote to memory of target PID, target procid, number of occurrences
  992 (gstabl72.exe) wrote to memory of 1796, procid_target 67, x3
  1796 (Installers:bin) wrote to memory of 1808, procid_target 70, x2
  1796 (Installers:bin) wrote to memory of 2680, procid_target 74, x3
  1796 (Installers:bin) wrote to memory of 3720, procid_target 76, x3
  4064 (Installers.exe) wrote to memory of 1732, procid_target 80, x3
  1732 (cmd.exe) wrote to memory of 2988, procid_target 82, x3
  1796 (Installers:bin) wrote to memory of 3520, procid_target 83, x3
  992 (gstabl72.exe) wrote to memory of 3740, procid_target 85, x3
  3520 (cmd.exe) wrote to memory of 3616, procid_target 87, x3
  3740 (cmd.exe) wrote to memory of 1916, procid_target 88, x3
  1732 (cmd.exe) wrote to memory of 796, procid_target 90, x3
  3520 (cmd.exe) wrote to memory of 2040, procid_target 91, x3
  3740 (cmd.exe) wrote to memory of 4004, procid_target 92, x3
- Executes dropped EXE (2 IoCs)
  PID 1796 Installers:bin; PID 4064 Installers.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 1808 vssadmin.exe
- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\Installers.exe (process: Installers:bin)
  File opened for modification: C:\Windows\SysWOW64\Installers.exe (process: attrib.exe)
- Views/modifies file attributes (1 TTP, 3 IoCs)
  PID 4004 attrib.exe; PID 796 attrib.exe; PID 2040 attrib.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeBackupPrivilege, PID 1632 vssvc.exe
  Token: SeRestorePrivilege, PID 1632 vssvc.exe
  Token: SeAuditPrivilege, PID 1632 vssvc.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Processes (indentation shows the parent/child tree; each entry lists image path, command line, PID and matched signatures)
- C:\Users\Admin\AppData\Local\Temp\gstabl72.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
  PID: 992
  Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Installers:bin
    Command line: C:\Users\Admin\AppData\Roaming\Installers:bin -r
    PID: 1796
    Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE; Drops file in System32 directory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      PID: 1808
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Installers.exe
      PID: 2680
      Signatures: Modifies file permissions; Possible privilege escalation attempt
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Installers.exe /reset
      PID: 3720
      Signatures: Modifies file permissions; Possible privilege escalation attempt
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Installers" & del "C:\Users\Admin\AppData\Roaming\Installers"
      PID: 3520
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
        PID: 3616
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Installers"
        PID: 2040
        Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe" & del "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
    PID: 3740
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
      PID: 1916
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\gstabl72.exe"
      PID: 4004
      Signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1632
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Installers.exe
  Command line: C:\Windows\SysWOW64\Installers.exe -s
  PID: 4064
  Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Installers.exe" & del "C:\Windows\SysWOW64\Installers.exe"
    PID: 1732
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
      PID: 2988
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Installers.exe"
      PID: 796
      Signatures: Drops file in System32 directory; Views/modifies file attributes