Analysis
max time kernel: 4s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 21/01/2021, 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
  Resource: win10v20201028
General
Target: f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
Size: 17KB
MD5: c5d712f82d5d37bb284acd4468ab3533
SHA1: 3426e8dcb104d9b01874498fb44c6e460228a9a0
SHA256: f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8
SHA512: be69319e023ccd23557edc3178a3b6775a771927a0e6d34f409b8d26cbe09fb27ff4bf92abdb0c344100404029b4e3f38963a0c27bd7a4ae35e5de2e779c6649
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Kills process with taskkill (3 IoCs)
  pid   Process
  1796  taskkill.exe
  1036  taskkill.exe
  432   taskkill.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1796  taskkill.exe
  Token: SeDebugPrivilege  1036  taskkill.exe
  Token: SeDebugPrivilege  432   taskkill.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description                       pid   Process                                                                              procid_target
  PID 1832 wrote to memory of 1316  1832  f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe  27
  PID 1832 wrote to memory of 1316  1832  f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe  27
  PID 1832 wrote to memory of 1316  1832  f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe  27
  PID 1316 wrote to memory of 2004  1316  cmd.exe                                                                              29
  PID 1316 wrote to memory of 2004  1316  cmd.exe                                                                              29
  PID 1316 wrote to memory of 2004  1316  cmd.exe                                                                              29
  PID 2004 wrote to memory of 1992  2004  net.exe                                                                              30
  PID 2004 wrote to memory of 1992  2004  net.exe                                                                              30
  PID 2004 wrote to memory of 1992  2004  net.exe                                                                              30
  PID 1316 wrote to memory of 332   1316  cmd.exe                                                                              31
  PID 1316 wrote to memory of 332   1316  cmd.exe                                                                              31
  PID 1316 wrote to memory of 332   1316  cmd.exe                                                                              31
  PID 332 wrote to memory of 536    332   net.exe                                                                              32
  PID 332 wrote to memory of 536    332   net.exe                                                                              32
  PID 332 wrote to memory of 536    332   net.exe                                                                              32
  PID 1316 wrote to memory of 1164  1316  cmd.exe                                                                              33
  PID 1316 wrote to memory of 1164  1316  cmd.exe                                                                              33
  PID 1316 wrote to memory of 1164  1316  cmd.exe                                                                              33
  PID 1316 wrote to memory of 1096  1316  cmd.exe                                                                              34
  PID 1316 wrote to memory of 1096  1316  cmd.exe                                                                              34
  PID 1316 wrote to memory of 1096  1316  cmd.exe                                                                              34
  PID 1316 wrote to memory of 560   1316  cmd.exe                                                                              35
  PID 1316 wrote to memory of 560   1316  cmd.exe                                                                              35
  PID 1316 wrote to memory of 560   1316  cmd.exe                                                                              35
  PID 1316 wrote to memory of 1560  1316  cmd.exe                                                                              36
  PID 1316 wrote to memory of 1560  1316  cmd.exe                                                                              36
  PID 1316 wrote to memory of 1560  1316  cmd.exe                                                                              36
  PID 1316 wrote to memory of 1796  1316  cmd.exe                                                                              37
  PID 1316 wrote to memory of 1796  1316  cmd.exe                                                                              37
  PID 1316 wrote to memory of 1796  1316  cmd.exe                                                                              37
  PID 1316 wrote to memory of 1036  1316  cmd.exe                                                                              42
  PID 1316 wrote to memory of 1036  1316  cmd.exe                                                                              42
  PID 1316 wrote to memory of 1036  1316  cmd.exe                                                                              42
  PID 1316 wrote to memory of 432   1316  cmd.exe                                                                              43
  PID 1316 wrote to memory of 432   1316  cmd.exe                                                                              43
  PID 1316 wrote to memory of 432   1316  cmd.exe                                                                              43
Processes
C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe"
  PID: 1832
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat" "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe""
    PID: 1316
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe
      Command line: net stop BMR Boot Service /y
      PID: 2004
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
        PID: 1992
    C:\Windows\system32\net.exe
      Command line: net stop NetBackup BMR MTFTP Service /y
      PID: 332
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        PID: 536
    C:\Windows\system32\sc.exe
      Command line: sc config SQLTELEMETRY start= disabled
      PID: 1164
    C:\Windows\system32\sc.exe
      Command line: sc config SQLTELEMETRY$ECWDB2 start= disabled
      PID: 1096
    C:\Windows\system32\sc.exe
      Command line: sc config SQLWriter start= disabled
      PID: 560
    C:\Windows\system32\sc.exe
      Command line: sc config SstpSvc start= disabled
      PID: 1560
    C:\Windows\system32\taskkill.exe
      Command line: taskkill /IM mspub.exe /F
      PID: 1796
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe
      Command line: taskkill /IM mydesktopqos.exe /F
      PID: 1036
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe
      Command line: taskkill /IM mydesktopservice.exe /F
      PID: 432
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken