Analysis
- max time kernel: 162s
- max time network: 222s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12/05/2022, 16:03
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
  Resource: win10v2004-20220414-en
General
- Target: 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
- Size: 322KB
- MD5: a3f4d926dd9e36327ff2e467a0a930bb
- SHA1: 08e865fb1cf421ce39a378221b4b452c868e6f18
- SHA256: 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
- SHA512: 016a361a6e74a144811c6d0a022a98987a142c88c974ae6c32f1bb510308cf6f549351e0dc08bcafd99d6270c8627898d5b960e9572cf9be6e5e70ad1e2e1532
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description                pid   Process      procid_target
  PID 2360 created 4440      2360  svchost.exe  84

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  pid   Process
  3940  wbadmin.exe

- Loads dropped DLL (1 IoC)
  pid   Process
  2668  686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe\""
  Process: 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe

- Suspicious use of SetThreadContext (1 IoC)
  description                              pid   Process                                                                   procid_target
  PID 2668 set thread context of 4440      2668  686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe  84

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  3932  vssadmin.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2668  686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                  pid   Process
  Token: SeTcbPrivilege        2360  svchost.exe
  Token: SeTcbPrivilege        2360  svchost.exe
  Token: SeBackupPrivilege     1340  vssvc.exe
  Token: SeRestorePrivilege    1340  vssvc.exe
  Token: SeAuditPrivilege      1340  vssvc.exe
  Token: SeBackupPrivilege     3652  wbengine.exe
  Token: SeRestorePrivilege    3652  wbengine.exe
  Token: SeSecurityPrivilege   3652  wbengine.exe

- Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed, count = number of occurrences)
  description                          pid   Process                                                                   procid_target  count
  PID 2668 wrote to memory of 4440     2668  686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe  84             9
  PID 2360 wrote to memory of 5116     2360  svchost.exe                                                               86             7
  PID 4440 wrote to memory of 2032     4440  686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe  88             2
  PID 2032 wrote to memory of 3932     2032  cmd.exe                                                                   89             2
  PID 2032 wrote to memory of 3940     2032  cmd.exe                                                                   93             2
Processes
- C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe"
  depth 1, PID 2668
  signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe"
    depth 2, PID 4440
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe" n4440
      depth 3, PID 5116
      - C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe" n4440
        depth 4, PID 4248
    - C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      depth 3, PID 2032
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        depth 4, PID 3932
        signatures: Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        depth 4, PID 3940
        signatures: Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        depth 4, PID 5100
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  depth 1, PID 2360
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  depth 1, PID 1340
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  depth 1, PID 3652
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  depth 1, PID 3828
- C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  depth 1, PID 2396
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 57KB
  MD5: 79b711d13abb56db6b5797c7906c6bac
  SHA1: 454570cead3330add31d82a9e0e62e4e4b3d9be3
  SHA256: 5cc910a82fd4b87da24b1484d872a49130a8cc6dabfed1cc508308fa57795701
  SHA512: 2ccc6d9e59034566125b7854ae42c89f968e0af14667329fc22117d8f7a6fb6bb8de9977aec76dba69439e88e5d8ec7b1f25f2b5a8aa8e734589a4c4589d3ecc
- Filesize: 11KB
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c