Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24/02/2022, 06:26

General

  • Target

    8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe

  • Size

    161KB

  • MD5

    8e4fa69d87a6d3c6d7e6c699b25cc2ab

  • SHA1

    e5981cfe6ded85b01b10f4b2a5fc2f8537a63b31

  • SHA256

    6a0d713e89b61a8709f8d55e19631ec31370d87880a478704609eee78ccd3c18

  • SHA512

    fd6ad515c7227a8525e3f3c7b390c547e86b43624424acb978e14d0a7dfa6a90f3cf95518a3b97509f36aed1eb3173dae9d31b6f23990abc232c9dcfb1245994

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\RECOVERY INFORMATION.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: B7B93E5E0B7F �

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
    "C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\system32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1468
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1096
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1772
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1380
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/900-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

    Filesize

    8KB