Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
224s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
22/10/2023, 16:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20231020-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
sample.exe
-
Size
129KB
-
MD5
c50a3e0b68062be34e05f6761f0f75ff
-
SHA1
0cb1fea6f126d57977ca84ad68a3f758ca745c7a
-
SHA256
9fb8f797f53dceb4731688f8688eccbe7d137665d7f2542070e2b2cf7371a6ce
-
SHA512
126b08fd7ee107929869ef39ad226a9089be6e46e5fb077929e692195505c25b159663415c0eb7754ab2b9a1154943e6e48c37a5b157be3f386ef0984bb781ba
-
SSDEEP
3072:iLbLpVIYbQf91G3im/2Ef07Jysgxv8Ofr4pt6Y46ab6koEMQBfjS3f2vYeBgrOi4:iTpVLvxyq6ko0BSveYprzOu3Scur06
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (497) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: sample.exe File opened (read-only) \??\D: sample.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ContactPicker.dll.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GFX.DLL.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\FILE ENCRYPTED.txt sample.exe File opened for modification C:\Program Files\Windows Journal\Templates\Graph.jtp sample.exe File opened for modification C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSClient.Msg.dll sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACC.OLB.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7.dll.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\Mozilla Firefox\ipcclientcerts.dll.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE sample.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\DVD Maker\Shared\Parity.fx sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Perspective.thmx.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MLSHEXT.DLL.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\Mozilla Firefox\omni.ja.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\Windows Defender\MpEvMsg.dll sample.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSAutogen.dll.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe sample.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt sample.exe File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui sample.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Grid.thmx.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe sample.exe File opened for modification C:\Program Files\Windows Journal\jnwmon.dll sample.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt sample.exe File opened for modification C:\Program Files\Java\jre7\Welcome.html sample.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui sample.exe File opened for modification C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui sample.exe File opened for modification C:\Program Files\Windows Sidebar\es-ES\sbdrop.dll.mui sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man sample.exe File opened for modification C:\Program Files (x86)\Internet Explorer\iedvtool.dll sample.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt sample.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui sample.exe File created C:\Program Files\Microsoft Games\Hearts\FILE ENCRYPTED.txt sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files\Java\jre7\README.txt sample.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadata.xsd.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Windows Media Player\wmpconfig.exe sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Module.thmx.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL.EMAIL=[[email protected] ]ID=[6D150A0B7E53F99E].havoc sample.exe File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\jsprofilerui.dll.mui sample.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG sample.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe.sig sample.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt sample.exe File opened for modification C:\Program Files\DVD Maker\Shared\Common.fxh sample.exe File opened for modification C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui sample.exe File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui sample.exe File created C:\Program Files (x86)\Common Files\Services\FILE ENCRYPTED.txt sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2748 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe 2388 sample.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2588 vssvc.exe Token: SeRestorePrivilege 2588 vssvc.exe Token: SeAuditPrivilege 2588 vssvc.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2872 2388 sample.exe 30 PID 2388 wrote to memory of 2872 2388 sample.exe 30 PID 2388 wrote to memory of 2872 2388 sample.exe 30 PID 2388 wrote to memory of 2872 2388 sample.exe 30 PID 2872 wrote to memory of 2748 2872 cmd.exe 32 PID 2872 wrote to memory of 2748 2872 cmd.exe 32 PID 2872 wrote to memory of 2748 2872 cmd.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2748
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
324B
MD522542390ac223bcff3281bd5530a7a4d
SHA13d0e18b8902e53b8f52da850ff61403c12a7278f
SHA25684e36a6742490dfcc203ce8944fadabb57782e947143d67baeb0aff23d2b71f5
SHA51265aa3d079652d6877170726c4c6ac230d8698b0d0bfab4f7fb90f87a4f6b9cf3d0bbad419cae14f82728f643369da16cfa3460dffa5bf872c97f864d11b201f6