Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
14/11/2023, 19:12
Static task
static1
Behavioral task
behavioral1
Sample
02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe
Resource
win10v2004-20231020-en
General
-
Target
02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe
-
Size
214KB
-
MD5
b9ad92028780facaaf64da860eac0e2d
-
SHA1
3e5fc7e74a0a1bb1cf272eaa55b3e26c5b2c6c00
-
SHA256
02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497
-
SHA512
fc15648488d57a7107e1084b103962b87c78036fac5d793e69a1d1247139e369946e8882df4001bd9e75301e20a63ef126fd01e22bb00288cd33ae2c1537e5e2
-
SSDEEP
6144:+j+cJdUpTi8csFW3UGDQYxRXRWubqOalwO:+5LUpTysRuQGRcuGR
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f82cc3d3.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\f82cc3d3 = "C:\\Users\\Admin\\AppData\\Roaming\\f82cc3d3.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*82cc3d3 = "C:\\Users\\Admin\\AppData\\Roaming\\f82cc3d3.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\f82cc3d = "C:\\f82cc3d3\\f82cc3d3.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*82cc3d = "C:\\f82cc3d3\\f82cc3d3.exe" explorer.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip-addr.es 5 myexternalip.com -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3060 vssadmin.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1052 02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe 2604 explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2528 vssvc.exe Token: SeRestorePrivilege 2528 vssvc.exe Token: SeAuditPrivilege 2528 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1052 wrote to memory of 2604 1052 02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe 28 PID 1052 wrote to memory of 2604 1052 02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe 28 PID 1052 wrote to memory of 2604 1052 02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe 28 PID 1052 wrote to memory of 2604 1052 02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe 28 PID 2604 wrote to memory of 2644 2604 explorer.exe 31 PID 2604 wrote to memory of 2644 2604 explorer.exe 31 PID 2604 wrote to memory of 2644 2604 explorer.exe 31 PID 2604 wrote to memory of 2644 2604 explorer.exe 31 PID 2604 wrote to memory of 3060 2604 explorer.exe 32 PID 2604 wrote to memory of 3060 2604 explorer.exe 32 PID 2604 wrote to memory of 3060 2604 explorer.exe 32 PID 2604 wrote to memory of 3060 2604 explorer.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe"C:\Users\Admin\AppData\Local\Temp\02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\syswow64\svchost.exe-k netsvcs3⤵PID:2644
-
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:3060
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5dfcb4cc829c6c7879f242c47329b6877
SHA131cdb468e629b23638337133550ddf7feb3aef50
SHA256cb95852713d3e3bc78f4b987bee1d45ae70ffa3f4ab04286636c90b10cb7201e
SHA5125fcb16abc32cce9e0c24175e50a656c54a687902e5ac4052fa049f815abbc7a8533fe022a5339d2156ed63ca94a63fc6058afb1d4191d27e01c72534905d3a86
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf