Analysis

  • max time kernel: 15s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 18/10/2024, 17:30

General

  • Target: 801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
  • Size: 18KB
  • MD5: f31d6529ff4ad98053f9a8a9832f95e3
  • SHA1: abdd5ce48e2d11a4c82fc90d9e9beeb14b437cee
  • SHA256: 801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e
  • SHA512: 25e452098a46f3ddf3cc6e268a94fa998d7c0de907741f436d10caf7be8c038163dc3a0f51516f3b4072085951eb5e44053b2e9f84a532c152bbf813a518a755
  • SSDEEP: 384:imwIxiBDXgRUV7JCGgmxt8mvA4ILbfNGHEDPUw3rXTXLazK:i6UVl7twPbfg2Uw3HXAK

Malware Config

Signatures

  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (207) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (64 IoCs)
  • Interacts with shadow copies (3 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe (PID 880)
    Command line: "C:\Users\Admin\AppData\Local\Temp\801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe"
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe (PID 2620, child of 880)
      Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\vssadmin.exe (PID 1512, child of 2620)
        Command line: vssadmin.exe delete shadows /all /quiet
        • Interacts with shadow copies

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log
    Filesize: 16B
    MD5: eaad12a46a0053146c9dba2fdb67fdec
    SHA1: 8c3659922b7b6f3f951b9eda3aefc1839194b63c
    SHA256: fdc60635a043081645af457780f58ddf754c16075e0b2f16e60b6fba1ca20139
    SHA512: b7acbc365df9afd3ccd1f6ee2118ceee259de1d1c4db67b06b0271eb823cd221b9d80fe171a0fbf7b74775301b9b574b87b75ea824549dd9ba1a2091316ff546

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
    Filesize: 48KB
    MD5: 1eb4f4f78e3178ed4891dbbd4194b99a
    SHA1: efa6a56f167681e687c2b4be8ccc6128dccddeab
    SHA256: 91119d188d96c652e17ddd4f02b942af77575e152324ac0866ad68cc10a23730
    SHA512: 6dfe419dbe2d3ebeaef7a934172ec5f1d07517d845aeae448eb2f7ee705532d954b9f10271901d136ea6eeaf6785343210f249f508c027700a3df632a02beaed

  • C:\Users\Admin\Desktop\WriteCopy.xlsx
    Filesize: 10KB
    MD5: e14c4092aa8772729a2843b47dfbff31
    SHA1: 17b744a9fb61e9cd71bfa063b6d5f150c22424f7
    SHA256: 5f3793e0cc3522dc1c83a4c8195baa47a0af0d4c30f256b53afc70c83f05bf39
    SHA512: f57e61738ede14193fcf563f3807fa9755ac1dd49dc9fc342405cddd241ec3d1ec412c42a4a795f7177c3a5b556f8b2e1ccf488e10f4a2d55657b52ba108fff6

  • C:\vcredist2010_x86.log.html
    Filesize: 80KB
    MD5: 3b4f0b88ad8898db67ce65e323099824
    SHA1: 6d5ff665551aa95fe5c34ce2323c4af01274182e
    SHA256: ecb94ea77befc7ae592cbe0d8f66710739d97c762dd99f9125094884bdaa0e67
    SHA512: 8f15d858876f45372c6c4cdc2718d374dff6c074d1633b488e2b27d2a4121ea386b510cf11748697f31547163fe29db7403f124fde220dc81ce9a0dd07baa0ff

  • memory/880-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp
    Filesize: 4KB

  • memory/880-1-0x00000000008D0000-0x00000000008DA000-memory.dmp
    Filesize: 40KB

  • memory/880-416-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp
    Filesize: 9.9MB

  • memory/880-420-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp
    Filesize: 9.9MB

  • memory/880-421-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp
    Filesize: 4KB

  • memory/880-422-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp
    Filesize: 9.9MB