Analysis
- max time kernel: 120s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 23/05/2023, 05:29
Static task: static1
Behavioral task: behavioral1
- Sample: Automatic_converter_rff_to_mp4.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Automatic_converter_rff_to_mp4.exe
- Resource: win10v2004-20230220-en
General
- Target: Automatic_converter_rff_to_mp4.exe
- Size: 322KB
- MD5: 1b4f89bdb12a349de92ca7f1261e67a0
- SHA1: f368916850332757d7ed2f0ee335c16b9c9fc95b
- SHA256: d4c83205cf6f3098ab6a757312525f4d14a57a819306eeea5c0d022b00b38cf3
- SHA512: f2f7985fbf462bc35e099b58308ddef91320d3d81040f77e7c1c0a3cfc3a4da50c849efd0f063c839848a80927398cc24bc8368d5b0b92014abe2ea7bdc2ddeb
- SSDEEP: 6144:iibVlHNEHBpDDf2vfQ21NV0zUiCqWjH6YPON9q:igtCpPfGfZSWPf
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | WormLocker2.0.exe
- Disables Task Manager via registry modification
- Possible privilege escalation attempt (2 IoCs)
  pid | Process
  944 | takeown.exe
  1776 | icacls.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1056 | WormLocker2.0.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  pid | Process
  944 | takeown.exe
  1776 | icacls.exe
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\ransom_voice.vbs | Automatic_converter_rff_to_mp4.exe
  File opened for modification | C:\Windows\System32\WormLocker2.0.exe | Automatic_converter_rff_to_mp4.exe
  File created | C:\Windows\System32\LogonUItrue.exe | Automatic_converter_rff_to_mp4.exe
  File opened for modification | C:\Windows\System32\LogonUItrue.exe | Automatic_converter_rff_to_mp4.exe
  File created | C:\Windows\System32\LogonUI.exe | Automatic_converter_rff_to_mp4.exe
  File opened for modification | C:\Windows\System32\LogonUIinf.exe | Automatic_converter_rff_to_mp4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1056 | WormLocker2.0.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 944 | takeown.exe
  Token: SeDebugPrivilege | 1056 | WormLocker2.0.exe
  Token: 33 | 1060 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1060 | AUDIODG.EXE
  Token: 33 | 1060 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1060 | AUDIODG.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 1240 wrote to memory of 1044 | 1240 | Automatic_converter_rff_to_mp4.exe | 27
  PID 1240 wrote to memory of 1044 | 1240 | Automatic_converter_rff_to_mp4.exe | 27
  PID 1240 wrote to memory of 1044 | 1240 | Automatic_converter_rff_to_mp4.exe | 27
  PID 1044 wrote to memory of 944 | 1044 | cmd.exe | 29
  PID 1044 wrote to memory of 944 | 1044 | cmd.exe | 29
  PID 1044 wrote to memory of 944 | 1044 | cmd.exe | 29
  PID 1044 wrote to memory of 1776 | 1044 | cmd.exe | 30
  PID 1044 wrote to memory of 1776 | 1044 | cmd.exe | 30
  PID 1044 wrote to memory of 1776 | 1044 | cmd.exe | 30
  PID 1240 wrote to memory of 1056 | 1240 | Automatic_converter_rff_to_mp4.exe | 31
  PID 1240 wrote to memory of 1056 | 1240 | Automatic_converter_rff_to_mp4.exe | 31
  PID 1240 wrote to memory of 1056 | 1240 | Automatic_converter_rff_to_mp4.exe | 31
  PID 1056 wrote to memory of 1524 | 1056 | WormLocker2.0.exe | 33
  PID 1056 wrote to memory of 1524 | 1056 | WormLocker2.0.exe | 33
  PID 1056 wrote to memory of 1524 | 1056 | WormLocker2.0.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe (PID 1240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1044)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe (PID 944)
      Command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (PID 1776)
      Command line: icacls C:\Windows\System32 /grant "Admin:F"
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\System32\WormLocker2.0.exe (PID 1056)
    Command line: "C:\Windows\System32\WormLocker2.0.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe (PID 1524)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\ransom_voice.vbs"
- C:\Windows\SysWOW64\DllHost.exe (PID 1012)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
- C:\Windows\system32\AUDIODG.EXE (PID 1060)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x590
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 116KB
  MD5: 041aa5e99ae545dac5f9306bb20d869e
  SHA1: 88ea126645bfd418abba44cca4a16adf12084d2f
  SHA256: 830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73
  SHA512: 4b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c
- Filesize: 397B
  MD5: c1f9613622f740c2f00c2fa8881ba7ba
  SHA1: bf3271720634bebb3c41ef2b33af525b62f931bc
  SHA256: d200a1e942b8cfdcd8190d1ad59f92e27e39b919ba230f2dd88d70c3df428c7b
  SHA512: 49e00bb3c76f7e69818a889f045f3d3c43badf2116facccbbf69c61de19f91a42aee891b9a5b72a256453e2fc5c637adac1e354cf88e6782679afa886ad1c615