Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 21/08/2023, 08:59
Static task: static1
Behavioral task: behavioral1
  Sample: b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe
  Resource: win10v2004-20230703-en
General
Target: b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe
Size: 6.8MB
MD5: a338b3338c6ca2888ef6843afb89515a
SHA1: d45c6ad339fe1a708fbd811ca52d31ecf2c86046
SHA256: b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa
SHA512: e4b7535eda93efdc587477416d4e21722970e70eff491bb4e1c5eea4f60cadecf944f7c05a4789f833b72fbca35c419a3c26dc879f51710bda0c203a4ad7ee9e
SSDEEP: 196608:yc2vkt69o1hyHzmsqS9aDALI1Yu3fkPynV7w/VTDdq:X3h1oCCIsLnL+NwFDE
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe
  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe

- Drops file in Program Files directory (2 IoCs)
  description   ioc                                            Process
  File created  C:\Program Files\READ_ME_GET_HELP.txt          b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe
  File created  C:\Program Files (x86)\READ_ME_GET_HELP.txt    b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe

- Drops file in Windows directory (1 IoCs)
  description   ioc                                            Process
  File created  C:\Windows\READ_ME_GET_HELP.txt                b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  2956  vssadmin.exe

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeBackupPrivilege    2840  vssvc.exe
  Token: SeRestorePrivilege   2840  vssvc.exe
  Token: SeAuditPrivilege     2840  vssvc.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2784 wrote to memory of 2896  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe  28
  PID 2784 wrote to memory of 2896  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe  28
  PID 2784 wrote to memory of 2896  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe  28
  PID 2784 wrote to memory of 2896  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe  28
  PID 2896 wrote to memory of 2956  2896  cmd.exe                                                                 30
  PID 2896 wrote to memory of 2956  2896  cmd.exe                                                                 30
  PID 2896 wrote to memory of 2956  2896  cmd.exe                                                                 30
  PID 2896 wrote to memory of 2956  2896  cmd.exe                                                                 30
  PID 2784 wrote to memory of 2872  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe  32
  PID 2784 wrote to memory of 2872  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe  32
  PID 2784 wrote to memory of 2872  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe  32
  PID 2784 wrote to memory of 2872  2784  b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe  32
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b80d72430f7226ad5145c1283ab40061afc470f1767a90699bb0372e804747fa.exe"
  PID: 2784
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe"
    PID: 2896
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      PID: 2956
      - Interacts with shadow copies

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe"
    PID: 2872

(depth 1) C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 2840
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 6f7d6d96344dbb29328761de2b5e5aad
SHA1: cda3b34095bf3b701b370a25c9c0e6c6adab3311
SHA256: 700e91b80b845a205abd578f4798024ca01bc41c40b3f5d9ed94f7375232ed22
SHA512: d5b5724da1efb661d010b5d625da5db6304175c177558d487f36cfc9555ee36cd462fe83bdbee16d4b9532bcf6169ee38990488a7fe2b79bbbf9e33d8e36e0e1