Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    162s
  • max time network
    222s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12/05/2022, 16:03

General

  • Target

    686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe

  • Size

    322KB

  • MD5

    a3f4d926dd9e36327ff2e467a0a930bb

  • SHA1

    08e865fb1cf421ce39a378221b4b452c868e6f18

  • SHA256

    686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f

  • SHA512

    016a361a6e74a144811c6d0a022a98987a142c88c974ae6c32f1bb510308cf6f549351e0dc08bcafd99d6270c8627898d5b960e9572cf9be6e5e70ad1e2e1532

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
    "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
      "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
        "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe" n4440
        3⤵
          PID:5116
          • C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
            "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe" n4440
            4⤵
              PID:4248
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2032
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:3932
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              4⤵
              • Deletes backup catalog
              PID:3940
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              4⤵
                PID:5100
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
          1⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2360
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1340
        • C:\Windows\system32\wbengine.exe
          "C:\Windows\system32\wbengine.exe"
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3652
        • C:\Windows\System32\vdsldr.exe
          C:\Windows\System32\vdsldr.exe -Embedding
          1⤵
            PID:3828
          • C:\Windows\System32\vds.exe
            C:\Windows\System32\vds.exe
            1⤵
              PID:2396

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\610352966

              Filesize

              57KB

              MD5

              79b711d13abb56db6b5797c7906c6bac

              SHA1

              454570cead3330add31d82a9e0e62e4e4b3d9be3

              SHA256

              5cc910a82fd4b87da24b1484d872a49130a8cc6dabfed1cc508308fa57795701

              SHA512

              2ccc6d9e59034566125b7854ae42c89f968e0af14667329fc22117d8f7a6fb6bb8de9977aec76dba69439e88e5d8ec7b1f25f2b5a8aa8e734589a4c4589d3ecc

            • C:\Users\Admin\AppData\Local\Temp\nsi5655.tmp\System.dll

              Filesize

              11KB

              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

            • C:\Users\Admin\AppData\Local\Temp\nsjD206.tmp\System.dll

              Filesize

              11KB

              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

            • memory/4440-132-0x0000000000401000-0x0000000000407A00-memory.dmp

              Filesize

              26KB

            • memory/4440-133-0x0000000000408000-0x0000000000409000-memory.dmp

              Filesize

              4KB