Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
327s -
max time network
358s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
13/10/2021, 12:07
Static task
static1
Behavioral task
behavioral1
Sample
trabajo escuela.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
trabajo escuela.exe
Resource
win10-en-20210920
General
-
Target
trabajo escuela.exe
-
Size
614KB
-
MD5
535994874b99eea69b30569bc7176440
-
SHA1
e10245fd72b3ff5f219b18fb292fb3b33ae3a3e5
-
SHA256
79c0f9223e6861b8bf5f6f3ef860bc517e8fcb544efee34bb5f2cc9867af75a7
-
SHA512
12bb6e3737f545ecbef371e079d6764d8e35ff8f940258b430f16e07d34e214c030f6ce0518461639178209fe2da62941a1de763fc25490c0e02e8e064da596f
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3612 bcdedit.exe 3608 bcdedit.exe -
pid Process 1784 wbadmin.exe -
Executes dropped EXE 2 IoCs
pid Process 3384 CRYpt0r V3.0.exe 2444 svchost.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LEER IMPORTANTE.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4btecbdty.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1824 vssadmin.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings svchost.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2444 svchost.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 3384 CRYpt0r V3.0.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe 2444 svchost.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 3384 CRYpt0r V3.0.exe Token: SeDebugPrivilege 2444 svchost.exe Token: SeBackupPrivilege 1988 vssvc.exe Token: SeRestorePrivilege 1988 vssvc.exe Token: SeAuditPrivilege 1988 vssvc.exe Token: SeIncreaseQuotaPrivilege 3736 WMIC.exe Token: SeSecurityPrivilege 3736 WMIC.exe Token: SeTakeOwnershipPrivilege 3736 WMIC.exe Token: SeLoadDriverPrivilege 3736 WMIC.exe Token: SeSystemProfilePrivilege 3736 WMIC.exe Token: SeSystemtimePrivilege 3736 WMIC.exe Token: SeProfSingleProcessPrivilege 3736 WMIC.exe Token: SeIncBasePriorityPrivilege 3736 WMIC.exe Token: SeCreatePagefilePrivilege 3736 WMIC.exe Token: SeBackupPrivilege 3736 WMIC.exe Token: SeRestorePrivilege 3736 WMIC.exe Token: SeShutdownPrivilege 3736 WMIC.exe Token: SeDebugPrivilege 3736 WMIC.exe Token: SeSystemEnvironmentPrivilege 3736 WMIC.exe Token: SeRemoteShutdownPrivilege 3736 WMIC.exe Token: SeUndockPrivilege 3736 WMIC.exe Token: SeManageVolumePrivilege 3736 WMIC.exe Token: 33 3736 WMIC.exe Token: 34 3736 WMIC.exe Token: 35 3736 WMIC.exe Token: 36 3736 WMIC.exe Token: SeIncreaseQuotaPrivilege 3736 WMIC.exe Token: SeSecurityPrivilege 3736 WMIC.exe Token: SeTakeOwnershipPrivilege 3736 WMIC.exe Token: SeLoadDriverPrivilege 3736 WMIC.exe Token: SeSystemProfilePrivilege 3736 WMIC.exe Token: SeSystemtimePrivilege 3736 WMIC.exe Token: SeProfSingleProcessPrivilege 3736 WMIC.exe Token: SeIncBasePriorityPrivilege 3736 WMIC.exe Token: SeCreatePagefilePrivilege 3736 WMIC.exe Token: SeBackupPrivilege 3736 WMIC.exe Token: SeRestorePrivilege 3736 WMIC.exe Token: SeShutdownPrivilege 3736 WMIC.exe Token: SeDebugPrivilege 3736 WMIC.exe Token: SeSystemEnvironmentPrivilege 3736 WMIC.exe Token: SeRemoteShutdownPrivilege 3736 WMIC.exe Token: SeUndockPrivilege 3736 WMIC.exe Token: SeManageVolumePrivilege 3736 WMIC.exe Token: 33 3736 WMIC.exe Token: 34 3736 WMIC.exe Token: 35 3736 WMIC.exe Token: 36 3736 WMIC.exe Token: SeBackupPrivilege 2880 wbengine.exe Token: SeRestorePrivilege 2880 wbengine.exe Token: SeSecurityPrivilege 2880 wbengine.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2300 OpenWith.exe 3208 OpenWith.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 2384 wrote to memory of 3384 2384 trabajo escuela.exe 69 PID 2384 wrote to memory of 3384 2384 trabajo escuela.exe 69 PID 3384 wrote to memory of 2444 3384 CRYpt0r V3.0.exe 71 PID 3384 wrote to memory of 2444 3384 CRYpt0r V3.0.exe 71 PID 2444 wrote to memory of 2724 2444 svchost.exe 77 PID 2444 wrote to memory of 2724 2444 svchost.exe 77 PID 2724 wrote to memory of 1824 2724 cmd.exe 79 PID 2724 wrote to memory of 1824 2724 cmd.exe 79 PID 2724 wrote to memory of 3736 2724 cmd.exe 82 PID 2724 wrote to memory of 3736 2724 cmd.exe 82 PID 2444 wrote to memory of 2328 2444 svchost.exe 84 PID 2444 wrote to memory of 2328 2444 svchost.exe 84 PID 2328 wrote to memory of 3612 2328 cmd.exe 86 PID 2328 wrote to memory of 3612 2328 cmd.exe 86 PID 2328 wrote to memory of 3608 2328 cmd.exe 87 PID 2328 wrote to memory of 3608 2328 cmd.exe 87 PID 2444 wrote to memory of 3096 2444 svchost.exe 88 PID 2444 wrote to memory of 3096 2444 svchost.exe 88 PID 3096 wrote to memory of 1784 3096 cmd.exe 90 PID 3096 wrote to memory of 1784 3096 cmd.exe 90 PID 2444 wrote to memory of 2276 2444 svchost.exe 94 PID 2444 wrote to memory of 2276 2444 svchost.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\trabajo escuela.exe"C:\Users\Admin\AppData\Local\Temp\trabajo escuela.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\CRYpt0r V3.0.exe"C:\Users\Admin\AppData\Local\Temp\CRYpt0r V3.0.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete4⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:1824
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no4⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:3612
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:3608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:1784
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\LEER IMPORTANTE.txt4⤵PID:2276
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2300
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4040
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2384
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3208