Analysis
- max time kernel: 146s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2024, 17:09
Behavioral task: behavioral1
- Sample: 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe
- Resource: win10v2004-20231215-en
General
- Target: 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe
- Size: 42KB
- MD5: 0ae0e189bbe1e33cc08e905ab98b0a69
- SHA1: 140ab08c71a4e1014f132ffae4428cbafcd7b8ad
- SHA256: 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e
- SHA512: 5a7c567926bc24aab379b1ad1dfa866e992f4df39195165c8fb4941b8aada8cb1043ca7b7568051e29035c4473555345959477876f24d675555220b6aca52479
- SSDEEP: 768:EO1oR/DVS1RzK4wbs+D/SIJX+ZZ1SQQwVTIOPzDq1xTq3ZQJtCQ:EBS1FKnDtmTImq+3ZQX
Malware Config
- Extracted from: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (7555) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- pid | Process
  2720 | wbadmin.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  (Process is 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe for every row)
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Noronha
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\library.js
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.ELM
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298653.WMF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CAMERA.WAV
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCH98SP.POC
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml
  File opened for modification | C:\Program Files\Java\jre7\lib\currency.data
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293240.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SHOW_01.MID
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\+README-WARNING+.txt
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api
  File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06102_.WMF
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core.jar
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar
  File opened for modification | C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00532_.WMF
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS10TARG.POC
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Ojinaga
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\Keywords.HxK
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\THMBNAIL.PNG
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.[DF0D30C4].[[email protected]].mkp
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_OFF.GIF
  File opened for modification | C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183174.WMF
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  2264 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  760 | 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 2260 | vssvc.exe
  Token: SeRestorePrivilege | 2260 | vssvc.exe
  Token: SeAuditPrivilege | 2260 | vssvc.exe
  Token: SeBackupPrivilege | 2564 | wbengine.exe
  Token: SeRestorePrivilege | 2564 | wbengine.exe
  Token: SeSecurityPrivilege | 2564 | wbengine.exe
  Token: SeIncreaseQuotaPrivilege | 324 | WMIC.exe
  Token: SeSecurityPrivilege | 324 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 324 | WMIC.exe
  Token: SeLoadDriverPrivilege | 324 | WMIC.exe
  Token: SeSystemProfilePrivilege | 324 | WMIC.exe
  Token: SeSystemtimePrivilege | 324 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 324 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 324 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 324 | WMIC.exe
  Token: SeBackupPrivilege | 324 | WMIC.exe
  Token: SeRestorePrivilege | 324 | WMIC.exe
  Token: SeShutdownPrivilege | 324 | WMIC.exe
  Token: SeDebugPrivilege | 324 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 324 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 324 | WMIC.exe
  Token: SeUndockPrivilege | 324 | WMIC.exe
  Token: SeManageVolumePrivilege | 324 | WMIC.exe
  Token: 33 | 324 | WMIC.exe
  Token: 34 | 324 | WMIC.exe
  Token: 35 | 324 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 324 | WMIC.exe
  Token: SeSecurityPrivilege | 324 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 324 | WMIC.exe
  Token: SeLoadDriverPrivilege | 324 | WMIC.exe
  Token: SeSystemProfilePrivilege | 324 | WMIC.exe
  Token: SeSystemtimePrivilege | 324 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 324 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 324 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 324 | WMIC.exe
  Token: SeBackupPrivilege | 324 | WMIC.exe
  Token: SeRestorePrivilege | 324 | WMIC.exe
  Token: SeShutdownPrivilege | 324 | WMIC.exe
  Token: SeDebugPrivilege | 324 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 324 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 324 | WMIC.exe
  Token: SeUndockPrivilege | 324 | WMIC.exe
  Token: SeManageVolumePrivilege | 324 | WMIC.exe
  Token: 33 | 324 | WMIC.exe
  Token: 34 | 324 | WMIC.exe
  Token: 35 | 324 | WMIC.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 760 wrote to memory of 2520 | 760 | 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe | 29
  PID 760 wrote to memory of 2520 | 760 | 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe | 29
  PID 760 wrote to memory of 2520 | 760 | 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe | 29
  PID 760 wrote to memory of 2520 | 760 | 681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe | 29
  PID 2520 wrote to memory of 2264 | 2520 | cmd.exe | 31
  PID 2520 wrote to memory of 2264 | 2520 | cmd.exe | 31
  PID 2520 wrote to memory of 2264 | 2520 | cmd.exe | 31
  PID 2520 wrote to memory of 2720 | 2520 | cmd.exe | 34
  PID 2520 wrote to memory of 2720 | 2520 | cmd.exe | 34
  PID 2520 wrote to memory of 2720 | 2520 | cmd.exe | 34
  PID 2520 wrote to memory of 324 | 2520 | cmd.exe | 38
  PID 2520 wrote to memory of 324 | 2520 | cmd.exe | 38
  PID 2520 wrote to memory of 324 | 2520 | cmd.exe | 38
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe"
  PID: 760
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\681489e93c845e475a4ff0878a9244e9a1519668ecdffbe46507c9f3cfb20c1e.exe" n760
    PID: 2628
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID: 2520
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 2264
      Signatures: Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      PID: 2720
      Signatures: Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID: 324
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2260
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 2564
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 2244
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 2372
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 2928
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 188a9a72e507cbbbc03dd35d3540958c
  SHA1: 7faa9360d11290cadabc0beceaec5eb76c489343
  SHA256: 9cbbebceb3bd201e96418d93d2e48cbcb302dc56499b5fc2b6f5ce33ff60cd7e
  SHA512: 375dd83f5a6b195d02e5e58b9ef4e6e82903cbce4be1181ef64a0b215c2e4c5873705672b869feed20c209e8926034d84e51a3bb491f2c196f373895a551eff2