Analysis

max time kernel: 5s
max time network: 8s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 13:05
Static task: static1

Behavioral task: behavioral1
  Sample: VirusShare_368c01b181eda42d717feeff4291bb4a.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: VirusShare_368c01b181eda42d717feeff4291bb4a.exe
  Resource: win10v2004-20231222-en
Errors
General

Target: VirusShare_368c01b181eda42d717feeff4291bb4a.exe
Size: 45KB
MD5: 368c01b181eda42d717feeff4291bb4a
SHA1: d6a6df6a094b9d76a16c1c9d5ce16b9124ee50b1
SHA256: 1a123a6b7cd4740e829d2e5178c718549d7d17bc7bb348e60fa7be6e1c683d72
SHA512: 8c45f2bd544224de18c46e3ff90b6f75eca41d66be1636a3845e259df9618c33bab2120ee6f866edc4a490039729920c9708e5f600594e1b3a1ebacb17b904d3
SSDEEP: 768:it4VZ1p/ija+1ImUqJsbEYY2Ixs4RhYuX5tOH2AFOmDDRLoJQ7zqAU6FbMPwl:Y4VZPqibA26sMK2GncKmA5
Malware Config
Signatures

Detects ransomware indicator (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000012257-2.dat | SUSP_RANSOMWARE_Indicator_Jul20
  behavioral1/memory/832-47-0x0000000000400000-0x0000000000414000-memory.dmp | SUSP_RANSOMWARE_Indicator_Jul20
  behavioral1/memory/2228-174-0x0000000000220000-0x0000000000225000-memory.dmp | SUSP_RANSOMWARE_Indicator_Jul20

Renames multiple (95) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE (3 IoCs)
  pid | Process
  2184 | 321.exe
  2228 | 123.exe
  604 | sys3.exe

Loads dropped DLL (6 IoCs)
  pid | Process
  832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe
  832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe
  832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe
  832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe
  2228 | 123.exe
  2228 | 123.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PHYSICALDRIVE0 | 123.exe
  File opened for modification | \??\PHYSICALDRIVE0 | sys3.exe
Drops file in Program Files directory (64 IoCs)
  description: File opened for modification (all 64 entries); Process: 321.exe (all 64 entries)
  ioc:
  C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png
  C:\Program Files\7-Zip\Lang\an.txt
  C:\Program Files\7-Zip\Lang\pa-in.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv
  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv
  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
  C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png
  C:\Program Files\7-Zip\Lang\ja.txt
  C:\Program Files\7-Zip\Lang\tt.txt
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg
  C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg
  C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg
  C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv
  C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png
  C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv
  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
  C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png
  C:\Program Files\7-Zip\Lang\pt-br.txt
  C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg
  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg
  C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp
  C:\Program Files\7-Zip\Lang\hu.txt
  C:\Program Files\7-Zip\Lang\ku.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png
  C:\Program Files\7-Zip\History.txt
  C:\Program Files\7-Zip\Lang\fa.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif
  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png
  C:\Program Files\7-Zip\Lang\io.txt
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg
  C:\Program Files\7-Zip\Lang\ms.txt
  C:\Program Files\7-Zip\Lang\yo.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png
  C:\Program Files\7-Zip\Lang\et.txt
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ShifR | 321.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ShifR\ = "GFHWWRJZDKXSXJK" | 321.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G3qe8q7fP9LpKJA.exe,0" | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\shell | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\shell\open | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK | 321.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\ = "CRYPTED!" | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\DefaultIcon | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\shell\open\command | 321.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G3qe8q7fP9LpKJA.exe" | 321.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 604 | sys3.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 832 wrote to memory of 2184 | 832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 28
  PID 832 wrote to memory of 2184 | 832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 28
  PID 832 wrote to memory of 2184 | 832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 28
  PID 832 wrote to memory of 2184 | 832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 28
  PID 832 wrote to memory of 2228 | 832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 29
  PID 832 wrote to memory of 2228 | 832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 29
  PID 832 wrote to memory of 2228 | 832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 29
  PID 832 wrote to memory of 2228 | 832 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 29
  PID 2228 wrote to memory of 604 | 2228 | 123.exe | 30
  PID 2228 wrote to memory of 604 | 2228 | 123.exe | 30
  PID 2228 wrote to memory of 604 | 2228 | 123.exe | 30
  PID 2228 wrote to memory of 604 | 2228 | 123.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_368c01b181eda42d717feeff4291bb4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_368c01b181eda42d717feeff4291bb4a.exe"
  PID: 832
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\321.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\321.exe"
      PID: 2184
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Modifies registry class

    C:\Users\Admin\AppData\Local\Temp\123.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
      PID: 2228
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\sys3.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\\sys3.exe
          PID: 604
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1240

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1900
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 41B
MD5: c16b7ee867494ffa79384d9b32bb1a6c
SHA1: ff8254cc19420e6a90f390acd3fa4404c658c1c4
SHA256: 51494ed614b90e1c9544ed82954e36dfe8c3e8b2b8e051c8d72a3b2fce58564e
SHA512: 5bb13b03d4cc8d4c9f6e4f255ddb4311d1b2d549200a9d4f6ac1db3b2e016f014c76b0304acf054f729efe960a72078bf323689b6e1c64389743ccb7f7d1833a

Filesize: 10KB
MD5: 5a27e6376a793f2857cf5dac8a4305da
SHA1: fd4e4fed53f3f2f984a3d0e7984a1800f46d4cb4
SHA256: c9b9fd42eb7276c8589655b4bb529890ef2b807ed5c7535978ec6bf89f870a5f
SHA512: 78bee85ad0983f14622724b07958af83bc32ec1332abacd4ed52cd2ccdacd9c5c2349e9e81dbfb60a6e5c1268a78efefcd70e555728a049b8fc0351ce856d3b7

Filesize: 11KB
MD5: f2d39b84b4e112a1d0fa4d4fa6ffa6af
SHA1: 8598cdcf63911f6181d3b3b8aa0a11b3c781a250
SHA256: 48786527d3c37ad371cb79cd2aee7bb3a23ab04de2984398da691d5246a8f823
SHA512: a8b854cb7cc7d12464532cd7896ae55d39b252bb9db26e9b2247f14dea802b987614ed366d513742d8e54504f5616cdb8a46ca80be6e736f219b348986bc06ee