Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

02bebee27d...97.exe

windows7-x64

9

02bebee27d...97.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe

  • Size

    214KB

  • MD5

    b9ad92028780facaaf64da860eac0e2d

  • SHA1

    3e5fc7e74a0a1bb1cf272eaa55b3e26c5b2c6c00

  • SHA256

    02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497

  • SHA512

    fc15648488d57a7107e1084b103962b87c78036fac5d793e69a1d1247139e369946e8882df4001bd9e75301e20a63ef126fd01e22bb00288cd33ae2c1537e5e2

  • SSDEEP

    6144:+j+cJdUpTi8csFW3UGDQYxRXRWubqOalwO:+5LUpTysRuQGRcuGR

Score
9/10
persistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe
    "C:\Users\Admin\AppData\Local\Temp\02bebee27daeff412d7da51c72a7df2b2296b18948d0c6933e0b56c54b5a7497.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\syswow64\explorer.exe
      "C:\Windows\syswow64\explorer.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\syswow64\svchost.exe
        -k netsvcs
        3⤵
          PID:2644
        • C:\Windows\syswow64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          3⤵
          • Interacts with shadow copies
          PID:3060
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2528

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      dfcb4cc829c6c7879f242c47329b6877

      SHA1

      31cdb468e629b23638337133550ddf7feb3aef50

      SHA256

      cb95852713d3e3bc78f4b987bee1d45ae70ffa3f4ab04286636c90b10cb7201e

      SHA512

      5fcb16abc32cce9e0c24175e50a656c54a687902e5ac4052fa049f815abbc7a8533fe022a5339d2156ed63ca94a63fc6058afb1d4191d27e01c72534905d3a86

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab8E4D.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar8EBD.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • memory/1052-7-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1052-4-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1052-0-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1052-3-0x0000000000220000-0x0000000000223000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1052-2-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1052-1-0x0000000000220000-0x0000000000223000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2604-6-0x0000000000080000-0x00000000000A5000-memory.dmp

      Filesize

      148KB

      Download

    • memory/2604-8-0x0000000000080000-0x00000000000A5000-memory.dmp

      Filesize

      148KB

      Download

    • memory/2644-13-0x0000000000080000-0x00000000000A5000-memory.dmp

      Filesize

      148KB

      Download

    • memory/2644-15-0x0000000000080000-0x00000000000A5000-memory.dmp

      Filesize

      148KB

      Download