Analysis
- max time kernel: 32s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2023, 12:51
Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: cryptor.exe
- Resource: win10v2004-20230915-en
- 8 signatures
- 150 seconds
General
- Target: cryptor.exe
- Size: 1.2MB
- MD5: 3d3308249c9678add3a18400dee765e1
- SHA1: bf8a4f936ea526547304941b071a893c26c4fc8b
- SHA256: 5f3ae6e0d2e118ed31e7c38b652f4e59f5d5745398596c8b31248eda059778af
- SHA512: 68e7f980458735ee8f4a878a7b0ad6c82785c75d8aa7115135b7aee422a5d156c6dd64fd888d0a7ad977dd7a676fc19d1d3c6bc60cdad7413f413ed82bed9968
- SSDEEP: 12288:jYQ8qfjpyIvdBsR7LZ61TRRhKziQVUylH0:8Q8qfj9VwcpRLSiQJlH
- Score: 1/10
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description: ioc (Process)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Modifies registry class (1 IoCs)
  description: ioc (Process)
  - Key created: \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid Process
  - 3924 cryptor.exe (2 events)
  - 2276 taskmgr.exe (21 events)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Token (pid Process)
  - SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (2132 vssvc.exe)
  - SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (2468 WMIC.exe; this sequence of 21 tokens is recorded twice)
  - SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege (2276 taskmgr.exe)
- Suspicious use of FindShellTrayWindow (46 IoCs)
  pid Process
  - 2276 taskmgr.exe (46 events)
- Suspicious use of SendNotifyMessage (46 IoCs)
  pid Process
  - 2276 taskmgr.exe (46 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description (pid Process -> procid_target)
  - PID 3924 wrote to memory of 2992 (3924 cryptor.exe -> 88), recorded twice
  - PID 2992 wrote to memory of 2468 (2992 cmd.exe -> 90), recorded twice
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\cryptor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cryptor.exe"
  PID: 3924
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3D76827F-A31B-49C3-866F-DDAFB07D5B48}'" delete
    PID: 2992
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3D76827F-A31B-49C3-866F-DDAFB07D5B48}'" delete
      PID: 2468
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2132
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 2276
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1040