Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    112s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/09/2024, 13:02

General

  • Target

    3edf17f985bf68be123edc894fd61190N.exe

  • Size

    5.7MB

  • MD5

    3edf17f985bf68be123edc894fd61190

  • SHA1

    8e2cd7b91073c1d792972742b89974f3ccfec3c7

  • SHA256

    2f348d6a86b7c5196f1e8e44de7e4f4716707af48367e3746e960bf0099c8fdf

  • SHA512

    051a23653fbae90df49e28f8a059eee681e7c19ae33df3be865929332a84a14ed198979fbbcaa410cfa78900f8384bb8a0dbf40fc873ffe8c0f703c0738208e4

  • SSDEEP

    98304:gCQUA1OjhJTlBR1AebLrfjBevMu9Rqxkgn6lnwOmQvcQunlmoixgeXueb1:gCPhh1RrbLrfjBYRFbnR1EQunlmokgeb

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3edf17f985bf68be123edc894fd61190N.exe
    "C:\Users\Admin\AppData\Local\Temp\3edf17f985bf68be123edc894fd61190N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Users\Admin\AppData\Local\Temp\3edf17f985bf68be123edc894fd61190N.exe
      "C:\Users\Admin\AppData\Local\Temp\3edf17f985bf68be123edc894fd61190N.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SYSTEM32\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:3028
      • C:\Windows\SYSTEM32\net.exe
        net stop winmgmt /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop winmgmt /Y
          4⤵
            PID:1876
        • C:\Windows\SYSTEM32\vssadmin.exe
          vssadmin delete shadows /All /Quiet
          3⤵
          • Interacts with shadow copies
          PID:3000
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4400
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
      1⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:5008

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2612-0-0x00007FF734A00000-0x00007FF735510000-memory.dmp

      Filesize

      11.1MB

    • memory/2612-7-0x00007FF734A00000-0x00007FF735510000-memory.dmp

      Filesize

      11.1MB

    • memory/3008-1-0x0000000140000000-0x00000001404A2000-memory.dmp

      Filesize

      4.6MB

    • memory/3008-5-0x00007FF734A00000-0x00007FF735510000-memory.dmp

      Filesize

      11.1MB

    • memory/3008-6-0x0000000140000000-0x00000001404A2000-memory.dmp

      Filesize

      4.6MB

    • memory/3008-2-0x0000000140000000-0x00000001404A2000-memory.dmp

      Filesize

      4.6MB

    • memory/3008-3-0x0000000140000000-0x00000001404A2000-memory.dmp

      Filesize

      4.6MB

    • memory/3008-8-0x0000000140000000-0x00000001404A2000-memory.dmp

      Filesize

      4.6MB

    • memory/3008-9-0x0000000140000000-0x00000001404A2000-memory.dmp

      Filesize

      4.6MB

    • memory/3008-10-0x0000000140000000-0x00000001404A2000-memory.dmp

      Filesize

      4.6MB