Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
28/06/2023, 12:33
Static task
static1
Behavioral task
behavioral1
Sample
a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
Resource
win10v2004-20230621-en
General
-
Target
a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
-
Size
1.2MB
-
MD5
0c8e88877383ccd23a755f429006b437
-
SHA1
69b3d913a3967153d1e91ba1a31ebed839b297ed
-
SHA256
a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
-
SHA512
ba5296a84b7107b293d1afd4752157edaa1a3f1059685ecad2ddea9b9221ee9c8092ce5cae6f2f6a4866e25ca0bf66dd3fbc0786b2a26cb708d2cd536dd85041
-
SSDEEP
24576:utP7hdO1s6Skscec1SgnyN9HPFCCNhQI6GOfaFVIVrYwcMavDiZn3m75/J7:gLO1qkscec0gnyN9HPFCCNSI6GOfaFVp
Malware Config
Signatures
-
Renames multiple (1560) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\MountCompare.tiff => C:\Users\Admin\Pictures\MountCompare.tiff.rhysida a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe File renamed C:\Users\Admin\Pictures\MountCompare.tiff.rhysida => C:\Users\Admin\Pictures\MountCompare.tiff a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe File renamed C:\Users\Admin\Pictures\DisconnectUnprotect.raw => C:\Users\Admin\Pictures\DisconnectUnprotect.raw.rhysida a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe File renamed C:\Users\Admin\Pictures\GrantCheckpoint.png => C:\Users\Admin\Pictures\GrantCheckpoint.png.rhysida a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe File renamed C:\Users\Admin\Pictures\EditUnregister.crw => C:\Users\Admin\Pictures\EditUnregister.crw.rhysida a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe File renamed C:\Users\Admin\Pictures\PublishGrant.png => C:\Users\Admin\Pictures\PublishGrant.png.rhysida a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe File renamed C:\Users\Admin\Pictures\SetRestore.raw => C:\Users\Admin\Pictures\SetRestore.raw.rhysida a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe File renamed C:\Users\Admin\Pictures\PingSelect.tif => C:\Users\Admin\Pictures\PingSelect.tif.rhysida a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 8 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E09703CA-CD13-42C4-8DA0-AFAE1C7E40D3}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1FF9495B-6789-4F5D-BAFB-DCABDD3D5FC2}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{18D31A2E-F1FC-488A-A01D-3C9CD3B89523}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{42D8E0CC-1648-4B69-92DD-C2710DC9B4E8}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4C3A1DC5-FB7E-4292-BFDC-E0D9A7EA63D0}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{82FFD391-C08E-4F68-95FA-0680502266C3}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{192F7388-283D-4EF3-9768-43FDB085FF10}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{88679D6B-C4F6-48D4-9D24-C50A3B7586DB}.catalogItem svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg" reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3904 powershell.exe 3904 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3904 powershell.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 1452 wrote to memory of 4668 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 92 PID 1452 wrote to memory of 4668 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 92 PID 4668 wrote to memory of 1308 4668 cmd.exe 93 PID 4668 wrote to memory of 1308 4668 cmd.exe 93 PID 1308 wrote to memory of 4928 1308 cmd.exe 94 PID 1308 wrote to memory of 4928 1308 cmd.exe 94 PID 1452 wrote to memory of 4820 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 95 PID 1452 wrote to memory of 4820 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 95 PID 4820 wrote to memory of 1768 4820 cmd.exe 96 PID 4820 wrote to memory of 1768 4820 cmd.exe 96 PID 1768 wrote to memory of 2624 1768 cmd.exe 97 PID 1768 wrote to memory of 2624 1768 cmd.exe 97 PID 1452 wrote to memory of 3996 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 98 PID 1452 wrote to memory of 3996 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 98 PID 3996 wrote to memory of 4972 3996 cmd.exe 99 PID 3996 wrote to memory of 4972 3996 cmd.exe 99 PID 4972 wrote to memory of 5088 4972 cmd.exe 100 PID 4972 wrote to memory of 5088 4972 cmd.exe 100 PID 1452 wrote to memory of 2628 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 101 PID 1452 wrote to memory of 2628 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 101 PID 2628 wrote to memory of 3608 2628 cmd.exe 102 PID 2628 wrote to memory of 3608 2628 cmd.exe 102 PID 3608 wrote to memory of 2152 3608 cmd.exe 103 PID 3608 wrote to memory of 2152 3608 cmd.exe 103 PID 1452 wrote to memory of 2228 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 104 PID 1452 wrote to memory of 2228 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 104 PID 2228 wrote to memory of 3764 2228 cmd.exe 105 PID 2228 wrote to memory of 3764 2228 cmd.exe 105 PID 3764 wrote to memory of 1844 3764 cmd.exe 106 PID 3764 wrote to memory of 1844 3764 cmd.exe 106 PID 1452 wrote to memory of 3000 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 107 PID 1452 wrote to memory of 3000 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 107 PID 3000 wrote to memory of 2864 3000 cmd.exe 108 PID 3000 wrote to memory of 2864 3000 cmd.exe 108 PID 2864 wrote to memory of 1200 2864 cmd.exe 109 PID 2864 wrote to memory of 1200 2864 cmd.exe 109 PID 1452 wrote to memory of 320 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 110 PID 1452 wrote to memory of 320 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 110 PID 320 wrote to memory of 1816 320 cmd.exe 111 PID 320 wrote to memory of 1816 320 cmd.exe 111 PID 1816 wrote to memory of 4664 1816 cmd.exe 112 PID 1816 wrote to memory of 4664 1816 cmd.exe 112 PID 1452 wrote to memory of 4672 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 113 PID 1452 wrote to memory of 4672 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 113 PID 4672 wrote to memory of 4640 4672 cmd.exe 114 PID 4672 wrote to memory of 4640 4672 cmd.exe 114 PID 4640 wrote to memory of 3912 4640 cmd.exe 115 PID 4640 wrote to memory of 3912 4640 cmd.exe 115 PID 1452 wrote to memory of 1952 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 116 PID 1452 wrote to memory of 1952 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 116 PID 1952 wrote to memory of 664 1952 cmd.exe 117 PID 1952 wrote to memory of 664 1952 cmd.exe 117 PID 1452 wrote to memory of 4064 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 118 PID 1452 wrote to memory of 4064 1452 a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe 118 PID 4064 wrote to memory of 3616 4064 cmd.exe 119 PID 4064 wrote to memory of 3616 4064 cmd.exe 119 PID 3616 wrote to memory of 3904 3616 cmd.exe 120 PID 3616 wrote to memory of 3904 3616 cmd.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe"C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe"1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f2⤵
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\system32\cmd.execmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f3⤵
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\system32\reg.exereg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f4⤵PID:4928
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f2⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\system32\cmd.execmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f3⤵
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\system32\reg.exereg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f4⤵PID:2624
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f3⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f4⤵PID:5088
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f3⤵
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f4⤵PID:2152
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f3⤵
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f4⤵
- Sets desktop wallpaper using registry
PID:1844
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f3⤵
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f4⤵PID:1200
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f2⤵
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f3⤵
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f4⤵PID:4664
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f3⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f4⤵PID:3912
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters2⤵
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\system32\rundll32.exerundll32.exe user32.dll,UpdatePerUserSystemParameters3⤵PID:664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;2⤵
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\system32\cmd.execmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;3⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
PID:1932
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82