Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
262s -
max time network
267s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
14/01/2024, 09:31
General
-
Target
483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe
-
Size
974KB
-
MD5
45d20637261dea248644a849818659a0
-
SHA1
29a81b7cf0f5f4a69fe47c4ccf3d06a300899997
-
SHA256
483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74
-
SHA512
a9c935eb23fba99ba74299db7b8ac3a158183d9fe9ccaaa87e8a1b9d39c518d223563378d981e6bf386f058b159609fb42e14ca45c023f7688ca57e0c61d2519
-
SSDEEP
12288:fFDF/UI+c+xTOQUMnufZUgxXu/VzcccSCO4lkAjx9h/MR1V:fjnb+OQUMnufZ+tzcccSCO6ke3/Mf
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (110) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 17 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"C:\Users\Admin\AppData\Local\Temp\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\reg.exe"reg" add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 02⤵
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM chrome.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM outlook.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM outlook.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM steam.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM steam.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM msedge.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM msaccess.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msaccess.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM mspub.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM mspub.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM sublime_text.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM sublime_text.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM excel.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM excel.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM windowsterminal.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM windowsterminal.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM winword.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM winword.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c sc stop MySQL572⤵
-
C:\Windows\system32\sc.exesc stop MySQL573⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM taskmgr.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM code.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM code.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM powerpnt.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM powerpnt.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM onedrive.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM onedrive.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM mysqlworkbench.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM mysqlworkbench.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c sc stop MySQL802⤵
-
C:\Windows\system32\sc.exesc stop MySQL803⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM postgres.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM postgres.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c taskkill /F /IM cs2.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM cs2.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c sc stop MySQL822⤵
-
C:\Windows\system32\sc.exesc stop MySQL823⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c sc stop postgresql-x64-142⤵
-
C:\Windows\system32\sc.exesc stop postgresql-x64-143⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c sc stop postgresql-x64-152⤵
-
C:\Windows\system32\sc.exesc stop postgresql-x64-153⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C "del C:\Users\Admin\AppData\Roaming\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"2⤵
-
-
C:\Windows\system32\cmd.exe"cmd" /c start msedge.exe --kiosk C:\Users\Admin\Albabat\readme\README.html --edge-kiosk-type=fullscreen2⤵
- Checks computer location settings
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk C:\Users\Admin\Albabat\readme\README.html --edge-kiosk-type=fullscreen3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb924d46f8,0x7ffb924d4708,0x7ffb924d47184⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD51fa3c8f23eab0b8e8da21c35732465d4
SHA1669905610346da1c6ec7258068d62944318d934c
SHA25699563038d5708307eb11185fac784b2417d7299d1ac29e851b67e71595343db9
SHA51246c7577186a9a4abee29eff08c9dd72b4e1da4bf0f1df88e13ba9b6977776e60e927856403d3bbbb94f8459dafcebecafb224cd4a0b264fa21df77e0f508c5c8
-
Filesize
7KB
MD5bc7fbec2b6bfc08d10e80979f735350d
SHA19ff6ac1b4437cbcbbab7b7fbd0d236a5fcfef38b
SHA256ca2d45495e9e49e699b4c54ad87c81c49b0060d7251c7f4b2e72f77288a9db48
SHA512c9bba74c9f4b24cf21861ec3629045c848e11f6872dc5a3b7c131d69c52ecb129772ae338b7861b19a9a4136980f9a1831a2e8c1d06df6475e56bc21c57476ba
-
Filesize
152B
MD5031aa3195deed5d81bd91623804406fc
SHA18781a825dfccbf5628e36e17c405c52e51bd0708
SHA25642552b42b3d26b771c94404ce7a006022d4fccdefb3a4e7b826b2f1cf76d29a8
SHA512e825a4926e5979d818bfa180a20d93a329c03272e8968fc2193a8c536f420c57f6235854bf2c94b5a19e4182ac1e6de2fafa2d7e23944d7ac6affb2ef695af67
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB