Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    224s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    22/10/2023, 16:47

General

  • Target

    sample.exe

  • Size

    129KB

  • MD5

    c50a3e0b68062be34e05f6761f0f75ff

  • SHA1

    0cb1fea6f126d57977ca84ad68a3f758ca745c7a

  • SHA256

    9fb8f797f53dceb4731688f8688eccbe7d137665d7f2542070e2b2cf7371a6ce

  • SHA512

    126b08fd7ee107929869ef39ad226a9089be6e46e5fb077929e692195505c25b159663415c0eb7754ab2b9a1154943e6e48c37a5b157be3f386ef0984bb781ba

  • SSDEEP

    3072:iLbLpVIYbQf91G3im/2Ef07Jysgxv8Ofr4pt6Y46ab6koEMQBfjS3f2vYeBgrOi4:iTpVLvxyq6ko0BSveYprzOu3Scur06

Score
9/10

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (497) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2748
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\FILE ENCRYPTED.txt

    Filesize

    324B

    MD5

    22542390ac223bcff3281bd5530a7a4d

    SHA1

    3d0e18b8902e53b8f52da850ff61403c12a7278f

    SHA256

    84e36a6742490dfcc203ce8944fadabb57782e947143d67baeb0aff23d2b71f5

    SHA512

    65aa3d079652d6877170726c4c6ac230d8698b0d0bfab4f7fb90f87a4f6b9cf3d0bbad419cae14f82728f643369da16cfa3460dffa5bf872c97f864d11b201f6