Analysis
- Max time kernel: 149s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 24/02/2022, 06:26

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe, Resource: win7-en-20211208)
- Behavioral task: behavioral2 (Sample: 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe, Resource: win10v2004-en-20220112)

General
- Target: 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
- Size: 161KB
- MD5: 8e4fa69d87a6d3c6d7e6c699b25cc2ab
- SHA1: e5981cfe6ded85b01b10f4b2a5fc2f8537a63b31
- SHA256: 6a0d713e89b61a8709f8d55e19631ec31370d87880a478704609eee78ccd3c18
- SHA512: fd6ad515c7227a8525e3f3c7b390c547e86b43624424acb978e14d0a7dfa6a90f3cf95518a3b97509f36aed1eb3173dae9d31b6f23990abc232c9dcfb1245994
Malware Config
- Extracted from: C:\Users\Admin\RECOVERY INFORMATION.txt
Signatures
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid / Process:
- 1772 bcdedit.exe
- 1096 bcdedit.exe
-
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
description / ioc / Process:
- File renamed: C:\Users\Admin\Pictures\WaitJoin.crw => C:\Users\Admin\Pictures\WaitJoin.crw.consultransom (8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe)
-
Deletes itself (1 IoCs)
pid / Process:
- 524 cmd.exe
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe, in the order recorded:
\??\S:, \??\X:, \??\J:, \??\K:, \??\L:, \??\N:, \??\T:, \??\Y:, \??\A:, \??\B:, \??\P:, \??\R:, \??\M:, \??\Q:, \??\U:, \??\V:, \??\F:, \??\G:, \??\H:, \??\I:, \??\W:, \??\Z:, \??\E:, \??\O:
-
Drops file in Program Files directory (64 IoCs)
Process for every entry: 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_VelvetRose.gif
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Etc\UCT
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXT
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\RECOVERY INFORMATION.txt
- File created: C:\Program Files\Java\jdk1.7.0_80\db\lib\RECOVERY INFORMATION.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx
- File opened for modification: C:\Program Files\7-Zip\Lang\en.ttt
- File created: C:\Program Files\VideoLAN\VLC\plugins\text_renderer\RECOVERY INFORMATION.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04267_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18216_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01074_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01748_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099199.GIF
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105412.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Start End Dates.accft
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF
- File created: C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\RECOVERY INFORMATION.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_F_COL.HXK
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MSOUTL.OLB
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC
- File opened for modification: C:\Program Files\7-Zip\Lang\nn.txt
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac
- File created: C:\Program Files\DVD Maker\ja-JP\RECOVERY INFORMATION.txt
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Gaza
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14831_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301044.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\TOOT.WAV
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR37F.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105338.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106572.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01565_.WMF
- File created: C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\RECOVERY INFORMATION.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Groove.gif
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process:
- 1468 vssadmin.exe
-
Runs ping.exe (1 TTPs, 1 IoCs)
pid / Process:
- 1380 PING.EXE
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid / Process:
- 900 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description / pid / Process:
- Token: SeTakeOwnershipPrivilege, 900, 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
- Token: SeDebugPrivilege, 900, 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
- Token: SeBackupPrivilege, 1748, vssvc.exe
- Token: SeRestorePrivilege, 1748, vssvc.exe
- Token: SeAuditPrivilege, 1748, vssvc.exe
-
Suspicious use of WriteProcessMemory (25 IoCs)
pid / Process / target pid / procid_target (the report records one entry per write; identical entries are grouped here with their count):
- 900 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe wrote to memory of 1468 (procid_target 27), 4 entries
- 900 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe wrote to memory of 656 (procid_target 29), 4 entries
- 900 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe wrote to memory of 760 (procid_target 30), 4 entries
- 760 cmd.exe wrote to memory of 1772 (procid_target 33), 3 entries
- 656 cmd.exe wrote to memory of 1096 (procid_target 34), 3 entries
- 900 8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe wrote to memory of 524 (procid_target 42), 4 entries
- 524 cmd.exe wrote to memory of 1380 (procid_target 44), 3 entries
Processes
Indentation shows parent/child relationships; the number after each image is the sandbox PID.
-
C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe (PID 900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\vssadmin.exe (PID 1468)
    Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    - Interacts with shadow copies
  C:\Windows\system32\cmd.exe (PID 656)
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\bcdedit.exe (PID 1096)
      Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
  C:\Windows\system32\cmd.exe (PID 760)
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\bcdedit.exe (PID 1772)
      Command line: bcdedit /set {current} recoveryenabled no
      - Modifies boot configuration data using bcdedit
  C:\Windows\system32\cmd.exe (PID 524)
    Command line: "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe" >> NUL
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\PING.EXE (PID 1380)
      Command line: ping 127.0.0.1
      - Runs ping.exe
-
C:\Windows\system32\vssvc.exe (PID 1748)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
Two details of this tree are worth noting. The child command lines reference C:\Windows\sysnative\ while the resolved images live in C:\Windows\system32\; the Sysnative alias is only visible to 32-bit (WOW64) processes, so the sample is running as a 32-bit process on the x64 guest. The ping 127.0.0.1 before del is the usual self-deletion delay: the executable cannot be deleted while it is still running, so the sample hands the deletion to a child cmd.exe that waits roughly a second and removes the file after the parent has exited. vssvc.exe (PID 1748) is the Volume Shadow Copy service itself, started on demand by the vssadmin delete shadows request rather than spawned by the sample.
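The signatures above (shadow copy deletion, two bcdedit recovery changes, and the ping-then-del self-deletion) are each reported per process, but the interesting fact is that all of them descend from one parent. The following Python is an added example, not part of the Triage report or the sample: it replays the process tree above as constructed process-creation events (PIDs, images and command lines copied from the report; the event shape and the extra benign "vssadmin list shadows" event are assumptions), matches command lines against rules for each technique, and attributes every hit to its top-most ancestor so the verdict lands on PID 900 rather than on the individual cmd.exe and bcdedit.exe children.

```python
"""Correlate the recovery-inhibition chain from the report onto its root process.

Constructed process-creation events (PIDs, images and command lines taken from
the report's process tree; the event shape is an assumption) are matched
against command-line rules, then grouped by their top-most ancestor.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe"

# Constructed sample: the tree from the report plus one benign admin command.
SAMPLE_EVENTS = [
    ProcEvent(900, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1468, 900, r"C:\Windows\system32\vssadmin.exe",
              r'"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet'),
    ProcEvent(656, 900, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures'),
    ProcEvent(1096, 656, r"C:\Windows\system32\bcdedit.exe",
              r"bcdedit /set {current} bootstatuspolicy ignoreallfailures"),
    ProcEvent(760, 900, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no'),
    ProcEvent(1772, 760, r"C:\Windows\system32\bcdedit.exe",
              r"bcdedit /set {current} recoveryenabled no"),
    ProcEvent(524, 900, r"C:\Windows\system32\cmd.exe",
              rf'"C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "{SAMPLE}" >> NUL'),
    ProcEvent(1380, 524, r"C:\Windows\system32\PING.EXE", r"ping 127.0.0.1"),
    # Benign (constructed): an administrator listing shadow copies must not fire.
    ProcEvent(2000, 1, r"C:\Windows\system32\cmd.exe", r"cmd.exe /c vssadmin list shadows"),
]

# One rule per technique seen in the report. Matching the command line rather than
# the image name catches the technique whether it is run directly or via cmd /c.
RULES = (
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_status_policy_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("ping_then_self_delete", re.compile(r"\bping\b.*&&\s*del\b", re.I)),
)
# Path handed to `del`, quoted or bare; stops at whitespace (paths containing spaces
# would need a real cmd.exe tokenizer, which this example does not attempt).
DEL_TARGET = re.compile(r'\bdel\s+"?([^"\s]+)', re.I)


def match_rules(events):
    """Return (rule_name, pid) for every command line that trips a rule."""
    return [(name, ev.pid) for ev in events for name, rx in RULES if rx.search(ev.cmdline)]


def root_ancestor(pid, by_pid):
    """Walk ppid links until the parent is outside the observed event set."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def correlate(events, min_techniques=2):
    """Attribute rule hits to the top-most ancestor and return roots that combine
    at least `min_techniques` distinct techniques, with a flag for whether the
    `del` target is the root's own image (true self-deletion)."""
    by_pid = {ev.pid: ev for ev in events}
    findings = {}
    for name, pid in match_rules(events):
        root = root_ancestor(pid, by_pid)
        entry = findings.setdefault(
            root, {"image": by_pid[root].image, "techniques": set(), "deletes_self": False})
        entry["techniques"].add(name)
        if name == "ping_then_self_delete":
            m = DEL_TARGET.search(by_pid[pid].cmdline)
            if m and m.group(1).lower() == by_pid[root].image.lower():
                entry["deletes_self"] = True
    return {root: {**e, "techniques": sorted(e["techniques"])}
            for root, e in findings.items() if len(e["techniques"]) >= min_techniques}


if __name__ == "__main__":
    for root, finding in correlate(SAMPLE_EVENTS).items():
        print(f"PID {root} {finding['image']}")
        print(f"  techniques: {', '.join(finding['techniques'])}")
        print(f"  deletes own image: {finding['deletes_self']}")
```

Run against the constructed events, only PID 900 is reported, with all four techniques and deletes_self set, while the benign "vssadmin list shadows" event never matches. The threshold of two distinct techniques is an assumption chosen to avoid alerting on a lone bcdedit or vssadmin invocation from an administrator; on a real endpoint the same grouping should be done on the parent process GUID rather than on a PID, since PIDs are reused.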