Analysis

  • max time kernel
    270s
  • max time network
    279s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2024, 20:50

General

  • Target

    Tournament_Fixer/AdditionalRuntimes/jsr.exe

  • Size

    156KB

  • MD5

    3546548be0b0940c52ec881d48404818

  • SHA1

    0ded613db5266ffaeac2194bcdd86cec9559ee1c

  • SHA256

    dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a

  • SHA512

    79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838

  • SSDEEP

    3072:54aDWLMGZvucWE8J05yc8MG13TaSNofLt/64e:5niMG1uXE865389Mxo

Malware Config

Signatures

  • Deletes NTFS Change Journal 2 TTPs 3 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 60 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe
    "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /d C:
        3⤵
        • Deletes NTFS Change Journal
        PID:2668
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /d D:
        3⤵
        • Deletes NTFS Change Journal
        • Enumerates connected drives
        PID:1404
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3740
      • C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /d E:
        3⤵
        • Deletes NTFS Change Journal
        • Enumerates connected drives
        PID:1368
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3624
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\system32\net.exe
        net stop winmgmt /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop winmgmt /Y
          4⤵
          PID:4136
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
      PID:840
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4788
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      2⤵
      PID:988

Network

MITRE ATT&CK Enterprise v15
