Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    4s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    21/01/2021, 10:50

General

  • Target

    f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe

  • Size

    17KB

  • MD5

    c5d712f82d5d37bb284acd4468ab3533

  • SHA1

    3426e8dcb104d9b01874498fb44c6e460228a9a0

  • SHA256

    f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8

  • SHA512

    be69319e023ccd23557edc3178a3b6775a771927a0e6d34f409b8d26cbe09fb27ff4bf92abdb0c344100404029b4e3f38963a0c27bd7a4ae35e5de2e779c6649

Score
5/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 3 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat" "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\system32\net.exe
        net stop BMR Boot Service /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop BMR Boot Service /y
          4⤵
            PID:1992
        • C:\Windows\system32\net.exe
          net stop NetBackup BMR MTFTP Service /y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
            4⤵
              PID:536
          • C:\Windows\system32\sc.exe
            sc config SQLTELEMETRY start= disabled
            3⤵
              PID:1164
            • C:\Windows\system32\sc.exe
              sc config SQLTELEMETRY$ECWDB2 start= disabled
              3⤵
                PID:1096
              • C:\Windows\system32\sc.exe
                sc config SQLWriter start= disabled
                3⤵
                  PID:560
                • C:\Windows\system32\sc.exe
                  sc config SstpSvc start= disabled
                  3⤵
                    PID:1560
                  • C:\Windows\system32\taskkill.exe
                    taskkill /IM mspub.exe /F
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1796
                  • C:\Windows\system32\taskkill.exe
                    taskkill /IM mydesktopqos.exe /F
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1036
                  • C:\Windows\system32\taskkill.exe
                    taskkill /IM mydesktopservice.exe /F
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:432

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1832-2-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

                Filesize

                9.9MB

              • memory/1832-3-0x0000000001390000-0x0000000001391000-memory.dmp

                Filesize

                4KB