Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

03/07/2024, 22:59

240703-2yn7wszhlp 10

03/07/2024, 16:13

240703-tn93lsyglf 10

03/07/2024, 16:11

240703-tm84xsyfma 10

10/05/2024, 16:25

240510-tw1h5shh47 10

24/08/2023, 11:16

230824-nda8msdf8z 10

Analysis

  • max time kernel
    1120s
  • max time network
    1131s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22/11/2020, 06:42

Errors

Reason
Machine shutdown

General

  • Target

  • Size

    878KB

  • MD5

    e4d4a59494265949993e26dee7b077d1

  • SHA1

    83e3d0c7e544117d6054e7d55932a7d2dbaf1163

  • SHA256

    5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

  • SHA512

    efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Deletes NTFS Change Journal 2 TTPs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 1 IoCs
  • Modifies service 2 TTPs 161 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 16 IoCs
  • Checks SCSI registry key(s) 3 TTPs 96 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 27 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 153 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:768
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Modifies service
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Modifies service
      PID:2664
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1F79EE20C3059F2441123B4678BA2642 E Global\MSI0000
      2⤵
      • Modifies WinLogon for persistence
      • Modifies data under HKEY_USERS
      PID:4392
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:4320
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:1136
  • C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Modifies extensions of user files
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4668
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
            PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2333987964 && exit"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4468
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2333987964 && exit"
            4⤵
            • Creates scheduled task(s)
            PID:4364
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
            4⤵
            • Creates scheduled task(s)
            PID:5028
        • C:\Windows\CC5F.tmp
          "C:\Windows\CC5F.tmp" \\.\pipe\{717F4F2C-F49B-4686-BB05-5684ABD90307}
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3120
        • C:\Windows\SysWOW64\cmd.exe
          /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4588
          • C:\Windows\SysWOW64\wevtutil.exe
            wevtutil cl Setup
            4⤵
              PID:4628
            • C:\Windows\SysWOW64\wevtutil.exe
              wevtutil cl System
              4⤵
                PID:4456
              • C:\Windows\SysWOW64\wevtutil.exe
                wevtutil cl Security
                4⤵
                  PID:2608
                • C:\Windows\SysWOW64\wevtutil.exe
                  wevtutil cl Application
                  4⤵
                    PID:2916
                  • C:\Windows\SysWOW64\fsutil.exe
                    fsutil usn deletejournal /D C:
                    4⤵
                      PID:228
                  • C:\Windows\SysWOW64\cmd.exe
                    /c schtasks /Delete /F /TN drogon
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:224
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Delete /F /TN drogon
                      4⤵
                        PID:3968
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x0 /state0:0xa3ad8055 /state1:0x41c64e6d
                  1⤵
                  • Modifies WinLogon to allow AutoLogon
                  • Modifies data under HKEY_USERS
                  • Suspicious use of SetWindowsHookEx
                  PID:4580

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/2632-19-0x00000000032A0000-0x0000000003308000-memory.dmp

                  Filesize

                  416KB

                • memory/4760-3-0x0000000002590000-0x0000000002591000-memory.dmp

                  Filesize

                  4KB