Analysis

  • max time kernel
    197s
  • max time network
    200s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/05/2023, 19:39

General

  • Target

    HEUR-Trojan.Win32.Generic-fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb.exe

  • Size

    64KB

  • MD5

    366aad320bb8a36a88491ad1d164cf09

  • SHA1

    32e3c8c00cb87db06f8e65b2fbc7f04e08a14105

  • SHA256

    fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb

  • SHA512

    921b4d02d2944ea159d2d4623c5b3233bbbf574278e6f8f8f4b023c9b853c6d002f642beb78e316d643df3ab9043b0973cacb5a18a1776ba52d18fabaeff16d7

  • SSDEEP

    768:jykKUSkyDjBSNBvSMIhK7VHQLvGdwFtg2dY6edSYQrq3RWD3Ghc5tTZ92th5Tk9x:SJEN8I5zGXgF6eIdq3Yym5l+tnP

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\US16E-FFKTA-TRTXH-TOOTA.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1328
  • C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin.exe delete shadows /quiet /all
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /quiet /all
      2⤵
      • Interacts with shadow copies
      PID:480
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1052

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\suggestions[1].en-US

    Filesize

    17KB

  • C:\Users\Admin\AppData\Local\Temp\CabEEE4.tmp

    Filesize

    61KB

  • C:\Users\Admin\AppData\Local\Temp\CabEFE3.tmp

    Filesize

    62KB

  • C:\Users\Admin\AppData\Local\Temp\TarF043.tmp

    Filesize

    164KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\153O2DHH.txt

    Filesize

    606B

  • C:\Users\Admin\AppData\Roaming\US16E-FFKTA-TRTXH-TOOTA.html

    Filesize

    16KB

  • C:\Users\Admin\Desktop\US16E-FFKTA-TRTXH-TOOTA.html

    Filesize

    16KB

  • memory/108-96-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/108-54-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/108-58-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/108-57-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/108-55-0x00000000021B0000-0x00000000021B1000-memory.dmp

    Filesize

    4KB

  • memory/108-56-0x0000000000330000-0x0000000000331000-memory.dmp

    Filesize

    4KB