Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
168s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
16/02/2022, 22:44
Static task
static1
Behavioral task
behavioral1
Sample
a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe
Resource
win10v2004-en-20220113
General
-
Target
a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe
-
Size
447KB
-
MD5
9823800f063a1d4ee7a749961db7540f
-
SHA1
9d2917a668b30ba9f6b3e7a3316553791eb1c052
-
SHA256
a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174
-
SHA512
c48624e32dba7f08ce0ca8267e541b123c6a9bf848b81d9e62f7fc4bec9b8ed801a6204ffaece4decf0d31bf2595867ff6f8c0b176e366848b61145cc585e41e
Malware Config
Extracted
C:\DECRYPT-FILES.html
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4672 a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe 4672 a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe -
Suspicious use of AdjustPrivilegeToken 51 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 208 wmic.exe Token: SeSecurityPrivilege 208 wmic.exe Token: SeTakeOwnershipPrivilege 208 wmic.exe Token: SeLoadDriverPrivilege 208 wmic.exe Token: SeSystemProfilePrivilege 208 wmic.exe Token: SeSystemtimePrivilege 208 wmic.exe Token: SeProfSingleProcessPrivilege 208 wmic.exe Token: SeIncBasePriorityPrivilege 208 wmic.exe Token: SeCreatePagefilePrivilege 208 wmic.exe Token: SeBackupPrivilege 208 wmic.exe Token: SeRestorePrivilege 208 wmic.exe Token: SeShutdownPrivilege 208 wmic.exe Token: SeDebugPrivilege 208 wmic.exe Token: SeSystemEnvironmentPrivilege 208 wmic.exe Token: SeRemoteShutdownPrivilege 208 wmic.exe Token: SeUndockPrivilege 208 wmic.exe Token: SeManageVolumePrivilege 208 wmic.exe Token: 33 208 wmic.exe Token: 34 208 wmic.exe Token: 35 208 wmic.exe Token: 36 208 wmic.exe Token: SeIncreaseQuotaPrivilege 208 wmic.exe Token: SeSecurityPrivilege 208 wmic.exe Token: SeTakeOwnershipPrivilege 208 wmic.exe Token: SeLoadDriverPrivilege 208 wmic.exe Token: SeSystemProfilePrivilege 208 wmic.exe Token: SeSystemtimePrivilege 208 wmic.exe Token: SeProfSingleProcessPrivilege 208 wmic.exe Token: SeIncBasePriorityPrivilege 208 wmic.exe Token: SeCreatePagefilePrivilege 208 wmic.exe Token: SeBackupPrivilege 208 wmic.exe Token: SeRestorePrivilege 208 wmic.exe Token: SeShutdownPrivilege 208 wmic.exe Token: SeDebugPrivilege 208 wmic.exe Token: SeSystemEnvironmentPrivilege 208 wmic.exe Token: SeRemoteShutdownPrivilege 208 wmic.exe Token: SeUndockPrivilege 208 wmic.exe Token: SeManageVolumePrivilege 208 wmic.exe Token: 33 208 wmic.exe Token: 34 208 wmic.exe Token: 35 208 wmic.exe Token: 36 208 wmic.exe Token: SeBackupPrivilege 4264 vssvc.exe Token: SeRestorePrivilege 4264 vssvc.exe Token: SeAuditPrivilege 4264 vssvc.exe Token: SeShutdownPrivilege 5084 svchost.exe Token: SeCreatePagefilePrivilege 5084 svchost.exe Token: SeShutdownPrivilege 5084 svchost.exe Token: SeCreatePagefilePrivilege 5084 svchost.exe Token: SeShutdownPrivilege 5084 svchost.exe Token: SeCreatePagefilePrivilege 5084 svchost.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4672 wrote to memory of 208 4672 a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe 88 PID 4672 wrote to memory of 208 4672 a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe"C:\Users\Admin\AppData\Local\Temp\a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\system32\wbem\wmic.exe"C:\ghmo\..\Windows\nvtsa\un\jnxkn\..\..\..\system32\l\..\wbem\nb\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5084