Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2024, 17:11

General

  • Target

    8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe

  • Size

    42KB

  • MD5

    4a542b3b4d9160019cc5a76a881f787f

  • SHA1

    87137f376a99baea1931fed024b76fc871590840

  • SHA256

    8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661

  • SHA512

    2b20847fc0fa830c3190b9084cd43fe36cae279b0e4e06760b50e16714fbaef2a4eb9634f30acad96781266a7bba74f7190d93812e3a129a0ff04d14704e68e1

  • SSDEEP

    768:oO1oR/rVS1RzK4wbs+D/SIJX+ZZ1SQQwZuI6PzDf4rOcWNJLoYg:o5S1FKnDtkuIyjNJ8

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8286) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
    "C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
      "C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe" n1056
      2⤵
        PID:2224
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3004
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2724
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:344
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 5
          3⤵
          • Runs ping.exe
          PID:2240
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe"
          3⤵
            PID:688
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:2604
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
            PID:2656
          • C:\Windows\system32\Dwm.exe
            "C:\Windows\system32\Dwm.exe"
            1⤵
              PID:2124

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              344B

              MD5

              652bd8c4558de7513bd43c6498d69f65

              SHA1

              b5190e1e338c787d40f9af53a3e49cf437e0beb8

              SHA256

              4503c726aaade64cdf3768570035b8512c9e23721657200d636d70ab44a5a5fe

              SHA512

              d6c6b64ce4968299c63ee64f2d22f781721792cec4333a0c1b14ea9c4a741e99bec2e23f1b26e203fe2d6e043d43e5a957d922796e31419dcedf13597c2826be

            • C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

              Filesize

              470B

              MD5

              a4e7a9721a9ffef9f17e30de82036d5e

              SHA1

              4709a1182ebe118725e0170805ecc6a80df42667

              SHA256

              f8e189b16d13ba97744dd0c924df9e23d3d1f2020d625ba294ef0fe5ac408aef

              SHA512

              e960ec30ee81d04b6e4341c04ccc3d7aeeb1c48b4e43968cb6554788a25323b41a653678d0321a585ab5569e4eb28df098ac68e6b70b672080f1409516c23d66

            • C:\Users\Admin\AppData\Local\Temp\Cab28C7.tmp

              Filesize

              65KB

              MD5

              ac05d27423a85adc1622c714f2cb6184

              SHA1

              b0fe2b1abddb97837ea0195be70ab2ff14d43198

              SHA256

              c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

              SHA512

              6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

            • C:\Users\Admin\AppData\Local\Temp\Tar2985.tmp

              Filesize

              171KB

              MD5

              9c0c641c06238516f27941aa1166d427

              SHA1

              64cd549fb8cf014fcd9312aa7a5b023847b6c977

              SHA256

              4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

              SHA512

              936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06