Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

HEUR-Troja...eb.exe

windows7-x64

10

HEUR-Troja...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    196s
  • max time network
    247s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/05/2023, 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Trojan.Win32.Generic-fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb.exe

  • Size

    64KB

  • MD5

    366aad320bb8a36a88491ad1d164cf09

  • SHA1

    32e3c8c00cb87db06f8e65b2fbc7f04e08a14105

  • SHA256

    fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb

  • SHA512

    921b4d02d2944ea159d2d4623c5b3233bbbf574278e6f8f8f4b023c9b853c6d002f642beb78e316d643df3ab9043b0973cacb5a18a1776ba52d18fabaeff16d7

  • SSDEEP

    768:jykKUSkyDjBSNBvSMIhK7VHQLvGdwFtg2dY6edSYQrq3RWD3Ghc5tTZ92th5Tk9x:SJEN8I5zGXgF6eIdq3Yym5l+tnP

Score
10/10
ransomwarespywarestealer

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\US1C2-8FKTZ-TXTXH-TGTOY.html
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbb21846f8,0x7ffbb2184708,0x7ffbb2184718
        3⤵
          PID:1736
    • C:\Windows\system32\cmd.exe
      cmd.exe /c vssadmin.exe delete shadows /quiet /all
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /quiet /all
        2⤵
        • Interacts with shadow copies
        PID:1608
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1812

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
      Filesize

      152B

      MD5

      5a10efe23009825eadc90c37a38d9401

      SHA1

      fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0

      SHA256

      05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5

      SHA512

      89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\US1C2-8FKTZ-TXTXH-TGTOY.html
      Filesize

      16KB

      MD5

      b851a1ee9ae4d450a99d50af6e1b5a09

      SHA1

      4838ac1606ccc3d7189df048f81af5c575b227d5

      SHA256

      03c477c8988b559ccbc0ea8c2c5d10026b37585110a67cf63e3ad43d27363859

      SHA512

      e1e61b6981fa0335e33f8f814a2047967d40ddb6603df4e30231bcf2ace0714374799ba72d5305170688f6726947febd3b75d8d7c7f658d4e12aa15dbf7033c3

      Download Submit

    • memory/3528-133-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3528-134-0x0000000002210000-0x0000000002211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3528-135-0x0000000000600000-0x0000000000601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3528-136-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3528-138-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3528-143-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3528-200-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

      Download