Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 161s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 22/10/2023, 15:35

Static task: static1
Behavioral task: behavioral1
  Sample: sample.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: sample.exe
  Resource: win10v2004-20231020-en
General
- Target: sample.exe
- Size: 138KB
- MD5: 29cd4e58fa0e2eb5fe000153fccbeaa4
- SHA1: 6eb4bde6dd030a02800be2d374087b23aecd2503
- SHA256: ad328952c84a602fff1affae679f1a5edcd9b481e752c9963fdb23c2ee6a5d68
- SHA512: 1843d3d221f82830a246f4ca6f118ee4e67654bc852674b62dcd3b8381697c0d945e6e01ac43d6b27e2f72059cf05c692148e7b9aa5ba9c5630dc403d35dbb75
- SSDEEP: 3072:/Pgv1uTga8za7/aApO6fCR6kMglPTX8jI8VD/dJJO04aN5uvvmRE7xIxT62Bb09Q:HKNTMPVDdzR1N5sAxJN9dRd
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (6286) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Loads dropped DLL (6 IoCs)
  pid   Process        count
  2144  rundll32.exe   2
  1804  rundll32.exe   2
  300   rundll32.exe   2
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description               ioc     Process
  File opened (read-only)   \??\F:  sample.exe
  File opened (read-only)   \??\D:  sample.exe
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  2852  vssadmin.exe
- Modifies registry class (3 IoCs)
  description   ioc                                                                                    Process        count
  Key created   \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_Classes\Local Settings   rundll32.exe   3
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid   Process
  864   NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process      count
  2188  sample.exe   64
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeBackupPrivilege    2824  vssvc.exe
  Token: SeRestorePrivilege   2824  vssvc.exe
  Token: SeAuditPrivilege     2824  vssvc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                         pid   Process        procid_target   count
  PID 2188 wrote to memory of 1976    2188  sample.exe     29              4
  PID 1976 wrote to memory of 2852    1976  cmd.exe        31              3
  PID 300 wrote to memory of 864      300   rundll32.exe   44              3
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  PID: 2188
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 1976
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 2852
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2824
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2040
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\UnpublishOut.wmf.EMAIL=[[email protected]]ID=[908D28930971C614].harward
  PID: 1804
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\UnprotectInitialize.pcx.EMAIL=[[email protected]]ID=[908D28930971C614].harward
  PID: 2144
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\FILE ENCRYPTED.txt
  PID: 2372
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SetResolve.ps1xml.EMAIL=[[email protected]]ID=[908D28930971C614].harward
  PID: 300
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SetResolve.ps1xml.EMAIL=[[email protected]]ID=[908D28930971C614].harward
    PID: 864
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads