Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
01/02/2024, 06:36
Static task
static1
Behavioral task
behavioral1
Sample
0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe
Resource
win10v2004-20231215-en
General
-
Target
0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe
-
Size
270KB
-
MD5
1eef02b9cecf23c530b292c68a481a1c
-
SHA1
c49760d63d957ebd6c1420ef176c5dadda039702
-
SHA256
0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f
-
SHA512
ca98eb08aa7c0fc851ed16ba57ca90a9d4fc98afd40b634ca3e2c0c661037d0a222db1259190acd159be833e6ca6da6c77c7e0084a851386b2ca5004e02e830d
-
SSDEEP
6144:XxohG5el4VQg/U+Dgx3bMAVVzddi6jWGPxF:XxodlK53DgZMSVFjW0x
Malware Config
Extracted
C:\Users\Admin\Contacts\Data breach warning.txt
https://qtox.github.io
http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion
http://161.35.200.18
https://gofile.io/d/ufuFye
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\Q: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\T: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\A: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\H: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\L: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\E: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\U: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\S: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\K: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\X: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\Y: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\I: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\O: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\G: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\N: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\V: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\B: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\W: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\R: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\P: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\J: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe File opened (read-only) \??\Z: 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Help\Finish.exe 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1596 vssadmin.exe 1704 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2228 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2964 vssvc.exe Token: SeRestorePrivilege 2964 vssvc.exe Token: SeAuditPrivilege 2964 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2228 wrote to memory of 2416 2228 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe 29 PID 2228 wrote to memory of 2416 2228 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe 29 PID 2228 wrote to memory of 2416 2228 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe 29 PID 2416 wrote to memory of 1596 2416 cmd.exe 31 PID 2416 wrote to memory of 1596 2416 cmd.exe 31 PID 2416 wrote to memory of 1596 2416 cmd.exe 31 PID 2228 wrote to memory of 2176 2228 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe 35 PID 2228 wrote to memory of 2176 2228 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe 35 PID 2228 wrote to memory of 2176 2228 0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe 35 PID 2176 wrote to memory of 1704 2176 cmd.exe 37 PID 2176 wrote to memory of 1704 2176 cmd.exe 37 PID 2176 wrote to memory of 1704 2176 cmd.exe 37 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe"C:\Users\Admin\AppData\Local\Temp\0150ca403ae96a68321d3529ae13bca57fd36c754a9d03a95b502cdf3221af0f.exe"1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1704
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e7264a4c331eac851fa75438919e0531
SHA138f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61
SHA25607ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
SHA512f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb