Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23/05/2023, 05:29
Static task
static1
Behavioral task
behavioral1
Sample
Automatic_converter_rff_to_mp4.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Automatic_converter_rff_to_mp4.exe
Resource
win10v2004-20230220-en
General
-
Target
Automatic_converter_rff_to_mp4.exe
-
Size
322KB
-
MD5
1b4f89bdb12a349de92ca7f1261e67a0
-
SHA1
f368916850332757d7ed2f0ee335c16b9c9fc95b
-
SHA256
d4c83205cf6f3098ab6a757312525f4d14a57a819306eeea5c0d022b00b38cf3
-
SHA512
f2f7985fbf462bc35e099b58308ddef91320d3d81040f77e7c1c0a3cfc3a4da50c849efd0f063c839848a80927398cc24bc8368d5b0b92014abe2ea7bdc2ddeb
-
SSDEEP
6144:iibVlHNEHBpDDf2vfQ21NV0zUiCqWjH6YPON9q:igtCpPfGfZSWPf
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" WormLocker2.0.exe -
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 2 IoCs
pid Process 2628 takeown.exe 1484 icacls.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation Automatic_converter_rff_to_mp4.exe Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation WormLocker2.0.exe -
Executes dropped EXE 1 IoCs
pid Process 1720 WormLocker2.0.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2628 takeown.exe 1484 icacls.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\System32\LogonUIinf.exe Automatic_converter_rff_to_mp4.exe File opened for modification C:\Windows\System32\ransom_voice.vbs Automatic_converter_rff_to_mp4.exe File opened for modification C:\Windows\System32\WormLocker2.0.exe Automatic_converter_rff_to_mp4.exe File created C:\Windows\System32\LogonUItrue.exe Automatic_converter_rff_to_mp4.exe File opened for modification C:\Windows\System32\LogonUItrue.exe Automatic_converter_rff_to_mp4.exe File created C:\Windows\System32\LogonUI.exe Automatic_converter_rff_to_mp4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings WormLocker2.0.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1720 WormLocker2.0.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2628 takeown.exe Token: SeDebugPrivilege 1720 WormLocker2.0.exe Token: 33 4452 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4452 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1220 wrote to memory of 2124 1220 Automatic_converter_rff_to_mp4.exe 84 PID 1220 wrote to memory of 2124 1220 Automatic_converter_rff_to_mp4.exe 84 PID 2124 wrote to memory of 2628 2124 cmd.exe 86 PID 2124 wrote to memory of 2628 2124 cmd.exe 86 PID 2124 wrote to memory of 1484 2124 cmd.exe 87 PID 2124 wrote to memory of 1484 2124 cmd.exe 87 PID 1220 wrote to memory of 1720 1220 Automatic_converter_rff_to_mp4.exe 94 PID 1220 wrote to memory of 1720 1220 Automatic_converter_rff_to_mp4.exe 94 PID 1720 wrote to memory of 384 1720 WormLocker2.0.exe 97 PID 1720 wrote to memory of 384 1720 WormLocker2.0.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe"C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"2⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System323⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1484
-
-
-
C:\Windows\System32\WormLocker2.0.exe"C:\Windows\System32\WormLocker2.0.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\System32\ransom_voice.vbs"3⤵PID:384
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x440 0x2f81⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6CCA938CF0E94F99BD45D1A826208B9A.dat
Filesize940B
MD52cf7241566e2c9da80ed5ebceae6ed29
SHA1812988494fc394190ac99b18e53145543d6672c4
SHA256b9493cc46823f22b4ea7222040035fdf834d860166532e55a110e3ee51b284ed
SHA512c424a4a44e58a71b7204f75e9c211f57260e6067aa4c537648533329855e1359939243cd4266ad3f78a6dcc1c8cd68bc2aa448d9c5775559f22f2eeabb3c4019
-
Filesize
116KB
MD5041aa5e99ae545dac5f9306bb20d869e
SHA188ea126645bfd418abba44cca4a16adf12084d2f
SHA256830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73
SHA5124b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c
-
Filesize
116KB
MD5041aa5e99ae545dac5f9306bb20d869e
SHA188ea126645bfd418abba44cca4a16adf12084d2f
SHA256830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73
SHA5124b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c
-
Filesize
116KB
MD5041aa5e99ae545dac5f9306bb20d869e
SHA188ea126645bfd418abba44cca4a16adf12084d2f
SHA256830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73
SHA5124b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c
-
Filesize
397B
MD5c1f9613622f740c2f00c2fa8881ba7ba
SHA1bf3271720634bebb3c41ef2b33af525b62f931bc
SHA256d200a1e942b8cfdcd8190d1ad59f92e27e39b919ba230f2dd88d70c3df428c7b
SHA51249e00bb3c76f7e69818a889f045f3d3c43badf2116facccbbf69c61de19f91a42aee891b9a5b72a256453e2fc5c637adac1e354cf88e6782679afa886ad1c615