Analysis
- max time kernel: 147s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27/04/2022, 09:30
Static task: static1
Behavioral tasks
- behavioral1: sample 1.exe, resource win7-20220414-en
- behavioral2: sample 1.exe, resource win10v2004-20220414-en
- behavioral3: sample 2.exe, resource win7-20220414-en
- behavioral4: sample 2.exe, resource win10v2004-20220414-en
General
- Target: 1.exe
- Size: 1.0MB
- MD5: 342a196528cc22163fa6a9bd7640c221
- SHA1: d8e9e8908a9f3be4bbd8fe169d420dcb523e6b4c
- SHA256: 94b9665b40a2b36d6ff46ffd083bbf1c6d6c08de9fe24eb6dfb0199bd17f84b4
- SHA512: f3b2363664153b3ddcb060edfa44263de7f68f0c4febccc13b8e690aa751ed8edf096a40a08ee33ffe04748b360e4240805c1623ef8987861a33fea042e006e4
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\3374973704\readme-warning.txt
- Family: makop
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  pid   Process
  1700  wbadmin.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1740  1.exe
  1176  1.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process  procid_target
  PID 1740 set thread context of 956    1740  1.exe    28
- Drops file in Program Files directory (64 IoCs)
  Process column is 1.exe for every row.
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\readme-warning.txt
  File opened for modification: C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00167_.GIF
  File opened for modification: C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui
  File opened for modification: C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar
  File opened for modification: C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp.[F3356450].[[email protected]].noctua
  File opened for modification: C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer
  File opened for modification: C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf
  File opened for modification: C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico.[F3356450].[[email protected]].noctua
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp.[F3356450].[[email protected]].noctua
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02088_.WMF
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar
  File opened for modification: C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui
  File opened for modification: C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04332_.WMF
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar
  File opened for modification: C:\Program Files\Java\jre7\lib\psfont.properties.ja
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat
  File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\readme-warning.txt
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg
  File opened for modification: C:\Program Files\Windows Sidebar\it-IT\sbdrop.dll.mui
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF
  File created: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\readme-warning.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png
  File opened for modification: C:\Program Files\SearchMove.potm
  File opened for modification: C:\Program Files\Windows Media Player\it-IT\WMPDMC.exe.mui
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.INF
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade
  File opened for modification: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgRes.dll.mui
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\El_Salvador
  File created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\readme-warning.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01163_.WMF
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Berlin
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML
  File opened for modification: C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui
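The file list above is the most useful part of the report for scoping an incident: the ransom note name and the rename scheme (original name, then a bracketed 8-hex victim ID, then a bracketed contact address, then the .noctua extension) are what an analyst sweeps a file share for. The following is an added example, not code from the report or from tria.ge. It parses the flattened "description / ioc / Process" rows exactly as the page runs them together on one line, classifies each path against the Makop naming scheme, and summarises victim IDs and extensions. The contact address is obfuscated on the page, so the pattern accepts any bracketed string there; the four sample rows are copied from the table above and are the only input the script needs.

```python
"""Parse a flattened tria.ge file-IoC table and classify paths as Makop artefacts.

Added example for this report, not the sandbox's own parser. Assumes the
report's ransom-note name (readme-warning.txt) and rename scheme
<name>.[<8 hex victim id>].[<contact>].<ext>.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: four rows copied from the report, run together on one line
# the way the page flattens the table (each row ends with the process name).
SAMPLE_IOC_TEXT = (
    r"File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\readme-warning.txt 1.exe "
    r"File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui 1.exe "
    r"File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico.[F3356450].[[email protected]].noctua 1.exe "
    r"File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8 1.exe"
)

# One row: <action> <path> <process>. The path is matched lazily and the process
# token must be followed by the next row ("File ...") or the end of the text, so
# a path containing ".exe" in the middle (shvlzm.exe.mui) is not cut short.
IOC_ENTRY = re.compile(
    r"(?P<action>File created|File opened for modification) "
    r"(?P<path>.+?) (?P<process>\S+\.exe)(?= File |$)"
)

# Makop rename scheme. The contact group is lazy because the page shows it with
# an extra pair of brackets ("[[email protected]]"); a real address matches too.
MAKOP_NAME = re.compile(
    r"^(?P<orig>.+)\.\[(?P<victim_id>[0-9A-Fa-f]{8})\]\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)
RANSOM_NOTE = "readme-warning.txt"  # note file name from this report


@dataclass
class IocRecord:
    action: str
    path: str
    process: str
    kind: str            # "ransom_note", "encrypted" or "touched"
    victim_id: str = ""
    extension: str = ""


def classify(path: str) -> Tuple[str, str, str]:
    """Return (kind, victim_id, extension) for a single Windows path."""
    name = path.rsplit("\\", 1)[-1]
    if name.lower() == RANSOM_NOTE:
        return "ransom_note", "", ""
    m = MAKOP_NAME.match(name)
    if m:
        return "encrypted", m.group("victim_id").upper(), m.group("ext")
    # Opened for modification but not (yet) renamed: still in scope for triage.
    return "touched", "", ""


def parse_ioc_table(text: str) -> List[IocRecord]:
    records = []
    for m in IOC_ENTRY.finditer(text):
        kind, vid, ext = classify(m.group("path"))
        records.append(IocRecord(m.group("action"), m.group("path"),
                                 m.group("process"), kind, vid, ext))
    return records


def summarize(records: List[IocRecord]) -> Dict[str, object]:
    kinds = Counter(r.kind for r in records)
    return {
        "entries": len(records),
        "ransom_notes": kinds["ransom_note"],
        "encrypted": kinds["encrypted"],
        "touched": kinds["touched"],
        "victim_ids": sorted({r.victim_id for r in records if r.victim_id}),
        "extensions": sorted({r.extension for r in records if r.extension}),
        "processes": sorted({r.process for r in records}),
    }


if __name__ == "__main__":
    recs = parse_ioc_table(SAMPLE_IOC_TEXT)
    for r in recs:
        print(f"{r.kind:12} {r.action:28} {r.path}")
    print(summarize(recs))
```

Run against the full 64-row table the same way; the victim ID (F3356450) and extension (.noctua) it reports are the two values to hunt for on other hosts, and a host with ransom notes but no renamed files was probably caught mid-run.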
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2036  1740        WerFault.exe  27
  1372  1176        WerFault.exe  30
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  528   vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  956   1.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1740  1.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs, grouped by process)
  pid   Process       Tokens
  1208  vssvc.exe     SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1364  wbengine.exe  SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  240   WMIC.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this set of 20 is reported twice)
- Suspicious use of WriteProcessMemory (32 IoCs, grouped with repeat counts)
  description                        pid   Process  procid_target  count
  PID 1740 wrote to memory of 956    1740  1.exe    28             11
  PID 1740 wrote to memory of 2036   1740  1.exe    29             4
  PID 956 wrote to memory of 1980    956   1.exe    31             4
  PID 1980 wrote to memory of 528    1980  cmd.exe  33             3
  PID 1980 wrote to memory of 1700   1980  cmd.exe  36             3
  PID 1980 wrote to memory of 240    1980  cmd.exe  40             3
  PID 1176 wrote to memory of 1372   1176  1.exe    42             4
Processes
(indentation shows parent/child depth; "cmdline" is the command line as recorded)

C:\Users\Admin\AppData\Local\Temp\1.exe  [PID 1740]
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1.exe  [PID 956]
        cmdline: ﮅ (recorded as shown)
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\1.exe  [PID 1176]
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1.exe" n956
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe  [PID 1372]
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 392
                - Program crash
        C:\Windows\system32\cmd.exe  [PID 1980]
            cmdline: "C:\Windows\system32\cmd.exe"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe  [PID 528]
                cmdline: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
            C:\Windows\system32\wbadmin.exe  [PID 1700]
                cmdline: wbadmin delete catalog -quiet
                - Deletes backup catalog
            C:\Windows\System32\Wbem\WMIC.exe  [PID 240]
                cmdline: wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe  [PID 2036]
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 480
        - Program crash

C:\Windows\system32\vssvc.exe  [PID 1208]
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe  [PID 1364]
    cmdline: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe  [PID 980]
    cmdline: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe  [PID 1736]
    cmdline: C:\Windows\System32\vds.exe
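The process tree is the detection opportunity: the three recovery-inhibition commands (vssadmin delete shadows, wbadmin delete catalog, wmic shadowcopy delete) are all children of one cmd.exe, which is itself a child of a 1.exe that was spawned from its own image and had its thread context set by its parent. Any one of those commands can be legitimate in isolation; all three from the same non-shell ancestor within one session is not. The following is an added example, not code from the report or from tria.ge. It replays the tree as constructed Sysmon-style process-creation events (PIDs and command lines from the page; the parent PID of the top-level 1.exe and a benign PowerShell session are made up for contrast), attributes each matching command to the nearest ancestor that is not a shell or LOLBin, and raises a high-severity finding only when several distinct techniques trace back to the same origin.

```python
"""Correlate process-creation events into a backup-inhibition finding.

Added example built on this report's process tree; it is not sandbox code.
Events are constructed: PIDs/command lines of 1.exe and its children come
from the page, ppid 1000 and PIDs 2900/3000/3001 are assumed for the example.
"""
import ntpath
import re
from typing import Dict, List

IMG_1EXE = r"C:\Users\Admin\AppData\Local\Temp\1.exe"

EVENTS: List[Dict] = [
    {"pid": 1740, "ppid": 1000, "image": IMG_1EXE, "cmdline": f'"{IMG_1EXE}"'},
    # Hollowed child (SetThreadContext/WriteProcessMemory from 1740); its command
    # line is garbled on the page, so the image path stands in for it here.
    {"pid": 956,  "ppid": 1740, "image": IMG_1EXE, "cmdline": IMG_1EXE},
    {"pid": 1176, "ppid": 956,  "image": IMG_1EXE, "cmdline": f'"{IMG_1EXE}" n956'},
    {"pid": 1980, "ppid": 956,  "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 528,  "ppid": 1980, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1700, "ppid": 1980, "image": r"C:\Windows\system32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 240,  "ppid": 1980, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 2036, "ppid": 1740, "image": r"C:\Windows\SysWOW64\WerFault.exe", "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 480"},
    # Constructed benign control: an admin pruning one old shadow copy by hand.
    {"pid": 3000, "ppid": 2900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /for=C: /oldest"},
]

# Recovery-inhibition techniques, keyed by the command lines seen in this report.
BACKUP_INHIBITION = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Shells and utilities that merely relay the command; attribution climbs past them.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "vssadmin.exe", "wbadmin.exe"}


def attribute(pid: int, by_pid: Dict[int, Dict]) -> Dict:
    """Walk up from pid to the nearest ancestor that is not a shell/LOLBin."""
    ev = by_pid[pid]
    while ntpath.basename(ev["image"]).lower() in INTERPRETERS and ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
    return ev


def find_backup_inhibition(events: List[Dict]) -> List[Dict]:
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, Dict] = {}
    for e in events:
        for technique, rx in BACKUP_INHIBITION:
            if rx.search(e["cmdline"]):
                origin = attribute(e["pid"], by_pid)
                f = findings.setdefault(origin["pid"], {
                    "origin_pid": origin["pid"], "origin_image": origin["image"],
                    "techniques": set(), "pids": []})
                f["techniques"].add(technique)
                f["pids"].append(e["pid"])
    alerts = []
    for f in findings.values():
        parent = by_pid.get(by_pid[f["origin_pid"]]["ppid"])
        # Origin launched from its own image: the hollowing pattern in this tree.
        f["spawned_from_own_image"] = parent is not None and \
            parent["image"].lower() == f["origin_image"].lower()
        f["severity"] = "high" if len(f["techniques"]) >= 2 else "low"
        f["techniques"] = sorted(f["techniques"])
        alerts.append(f)
    return sorted(alerts, key=lambda a: a["origin_pid"])


if __name__ == "__main__":
    for a in find_backup_inhibition(EVENTS):
        print(a["severity"], a["origin_pid"], a["origin_image"], a["techniques"], a["pids"])
```

The same correlation maps onto Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine); the "climb past interpreters" step is what keeps the finding pinned to 1.exe rather than to cmd.exe, which is the process a naive parent-only rule would name.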
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 256.7MB
  MD5: 9ccad7b4b1f71bb08b4286bbdb5874d8
  SHA1: c3fcb6aa1729ccd76fd1e150b0a34d81c2f1d017
  SHA256: 5c38c89ecae449d4689804ac0ebc06edc57bbacf362e7ba8fbfc2cda557cdbab
  SHA512: 50a6e9fd8d6cb137a939f708130e432aa4cbcf0217f7ada8c3a7e93d8cf8c150efaeae1d30419ef20ed6ca31df99b39c2e453b9e5de48fcf05461779be8f03a6
- Filesize: 305.0MB
  MD5: 026ee8de15880586852638e4a81fb251
  SHA1: 527ee12c2cb7dbf7f3226c6d5d42b692613a0f96
  SHA256: 044a04c0e0198ddeb9a5a3e4a5d324ba8ec6aee772c86edaa4f5e0bdcd211528
  SHA512: 96b41ae9244836e4e227e7e080a8f2bd1e1bb0c2a5a41f7d10b38bca2bd89fceee493c2268c0783c1bd4b9308b770e1e5878827b1230d562e85852851ea9bc97
- Filesize: 12KB
  MD5: cff85c549d536f651d4fb8387f1976f2
  SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
  SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- Filesize: 12KB
  MD5: cff85c549d536f651d4fb8387f1976f2
  SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
  SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88