Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
01/02/2024, 06:59
Static task
static1
Behavioral task
behavioral1
Sample
1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe
Resource
win10v2004-20231215-en
General
-
Target
1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe
-
Size
270KB
-
MD5
49f2be089ed87da030c5d331a8a9da66
-
SHA1
f7fbc851936c3b90b2029d3f7f0b134e601dcd44
-
SHA256
1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c
-
SHA512
67631a14501c573d6abeb31fce5177af7191c1cf799feced7e00ed4ecb9da7cc34d90279c397ba264274a862dacaf9a1929c096aa1d48ba49f3066a9d91a154f
-
SSDEEP
6144:XqohGKel4VQg/U+Dgx3bMAVVzddi6jWGPxF:XqoGlK53DgZMSVFjW0x
Malware Config
Extracted
C:\Users\Admin\Data breach warning.txt
https://qtox.github.io
http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion
http://161.35.200.18
https://gofile.io/d/ufuFye
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (245) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\O: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\P: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\N: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\M: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\W: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\R: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\U: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\S: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\H: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\L: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\A: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\G: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\J: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\K: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\Q: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\T: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\Y: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\I: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\Z: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\X: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\V: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe File opened (read-only) \??\B: 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Help\Finish.exe 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2660 vssadmin.exe 2508 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3028 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2568 vssvc.exe Token: SeRestorePrivilege 2568 vssvc.exe Token: SeAuditPrivilege 2568 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3028 wrote to memory of 2956 3028 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe 29 PID 3028 wrote to memory of 2956 3028 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe 29 PID 3028 wrote to memory of 2956 3028 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe 29 PID 2956 wrote to memory of 2660 2956 cmd.exe 31 PID 2956 wrote to memory of 2660 2956 cmd.exe 31 PID 2956 wrote to memory of 2660 2956 cmd.exe 31 PID 3028 wrote to memory of 2576 3028 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe 35 PID 3028 wrote to memory of 2576 3028 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe 35 PID 3028 wrote to memory of 2576 3028 1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe 35 PID 2576 wrote to memory of 2508 2576 cmd.exe 37 PID 2576 wrote to memory of 2508 2576 cmd.exe 37 PID 2576 wrote to memory of 2508 2576 cmd.exe 37 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe"C:\Users\Admin\AppData\Local\Temp\1773b284d3dd1e06be6dd92012d05720471395affc653874aa34636bf58d328c.exe"1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2660
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2508
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e7264a4c331eac851fa75438919e0531
SHA138f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61
SHA25607ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
SHA512f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb