Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    90s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    07/03/2021, 22:11

General

  • Target

    860e50.bin.exe

  • Size

    196KB

  • MD5

    484a2bcb1335ac97ee91194f4c0964bc

  • SHA1

    ad11ed52ab33ad05eb9b1e9ade134ca1348acc81

  • SHA256

    40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

  • SHA512

    6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Malware Config

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1176
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1116
      • C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe"
        1⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Users\Admin\AppData\Local\Temp\daLYleD.exe
          "C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" 8 LAN
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\*" /grant Everyone:F /T /C /Q
            3⤵
            • Modifies file permissions
            PID:388
          • C:\Windows\SysWOW64\icacls.exe
            icacls "D:\*" /grant Everyone:F /T /C /Q
            3⤵
            • Modifies file permissions
            PID:648
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c "WMIC.exe shadowcopy delet"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              WMIC.exe shadowcopy delet
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1916
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:1056
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "samss" /y
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "samss" /y
              4⤵
                PID:1596
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" /f /reg:64
              3⤵
                PID:28076
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" /f /reg:64
                  4⤵
                  • Adds Run key to start application
                  PID:28380
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                3⤵
                  PID:37300
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "samss" /y
                    4⤵
                      PID:37340
                  • C:\Windows\SysWOW64\net.exe
                    "C:\Windows\System32\net.exe" stop "samss" /y
                    3⤵
                      PID:65348
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "samss" /y
                        4⤵
                          PID:65376
                    • C:\Windows\SysWOW64\net.exe
                      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2036
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                        3⤵
                          PID:1964
                      • C:\Windows\SysWOW64\net.exe
                        "C:\Windows\System32\net.exe" stop "samss" /y
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:524
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop "samss" /y
                          3⤵
                            PID:732
                        • C:\Windows\SysWOW64\icacls.exe
                          icacls "C:\*" /grant Everyone:F /T /C /Q
                          2⤵
                          • Modifies file permissions
                          PID:524
                        • C:\Windows\SysWOW64\icacls.exe
                          icacls "D:\*" /grant Everyone:F /T /C /Q
                          2⤵
                          • Modifies file permissions
                          PID:960
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c "WMIC.exe shadowcopy delet"
                          2⤵
                            PID:1244
                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                              WMIC.exe shadowcopy delet
                              3⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1752
                          • C:\Windows\SysWOW64\vssadmin.exe
                            vssadmin.exe Delete Shadows /all /quiet
                            2⤵
                            • Interacts with shadow copies
                            PID:1964
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe" /f /reg:64
                            2⤵
                              PID:1052
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe" /f /reg:64
                                3⤵
                                • Adds Run key to start application
                                PID:2088
                            • C:\Windows\SysWOW64\net.exe
                              "C:\Windows\System32\net.exe" stop "samss" /y
                              2⤵
                                PID:2028
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop "samss" /y
                                  3⤵
                                    PID:2128
                                • C:\Windows\SysWOW64\net.exe
                                  "C:\Windows\System32\net.exe" stop "samss" /y
                                  2⤵
                                    PID:34800
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop "samss" /y
                                      3⤵
                                        PID:34924
                                    • C:\Windows\SysWOW64\net.exe
                                      "C:\Windows\System32\net.exe" stop "samss" /y
                                      2⤵
                                        PID:37440
                                        • C:\Windows\SysWOW64\net1.exe
                                          C:\Windows\system32\net1 stop "samss" /y
                                          3⤵
                                            PID:37540
                                        • C:\Windows\SysWOW64\net.exe
                                          "C:\Windows\System32\net.exe" stop "samss" /y
                                          2⤵
                                            PID:54708
                                            • C:\Windows\SysWOW64\net1.exe
                                              C:\Windows\system32\net1 stop "samss" /y
                                              3⤵
                                                PID:55312
                                            • C:\Windows\SysWOW64\net.exe
                                              "C:\Windows\System32\net.exe" stop "samss" /y
                                              2⤵
                                                PID:67084
                                                • C:\Windows\SysWOW64\net1.exe
                                                  C:\Windows\system32\net1 stop "samss" /y
                                                  3⤵
                                                    PID:68596
                                              • C:\Windows\system32\vssvc.exe
                                                C:\Windows\system32\vssvc.exe
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1424

                                              Network

                                              MITRE ATT&CK Enterprise v6

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • memory/1096-2-0x0000000075301000-0x0000000075303000-memory.dmp

                                                Filesize

                                                8KB

                                              • memory/1096-29-0x00000000027C0000-0x00000000027D1000-memory.dmp

                                                Filesize

                                                68KB

                                              • memory/1096-14-0x00000000027C0000-0x00000000027D1000-memory.dmp

                                                Filesize

                                                68KB

                                              • memory/1096-7-0x00000000027C0000-0x00000000027D1000-memory.dmp

                                                Filesize

                                                68KB

                                              • memory/1096-9-0x0000000002BD0000-0x0000000002BE1000-memory.dmp

                                                Filesize

                                                68KB

                                              • memory/2008-24-0x0000000001F90000-0x0000000001FA1000-memory.dmp

                                                Filesize

                                                68KB

                                              • memory/2008-25-0x00000000023A0000-0x00000000023B1000-memory.dmp

                                                Filesize

                                                68KB