Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 07:10

General

  • Target
  • Size
    330KB
  • MD5
    8c26c5bb599b606cc549ceef0d9d2da3
  • SHA1
    86a373936df7e753f7284efc63bf8970e9a56870
  • SHA256
    acc791703bc6e6ec9dcad7ef28ea5bcd1cf70f0a17412b28078daa66df5989d8
  • SHA512
    f05012ab52e2e88f0342d0a9fc52be210cdb4895035c4854592f350e24ddbcf48a710c25285c73a0462d51fe937540d491f5ce376e226558398cc1eb7bab2873
  • SSDEEP
    6144:ypBFADu1hgO8uoHKm9bDSN23GqcgCC/5t:sM6TgO1oHbHSN2334O

Malware Config

Signatures

  • Renames multiple (7752) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (25 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\[email protected]" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\[email protected]" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2876
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F72CF7EA-7493-464E-A55E-292401F395F1}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F72CF7EA-7493-464E-A55E-292401F395F1}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{75AE86CA-2C1B-4D7A-B54D-F43855F421BF}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{75AE86CA-2C1B-4D7A-B54D-F43855F421BF}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2976
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70094075-C182-43EE-AF7E-F06AA62E2781}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70094075-C182-43EE-AF7E-F06AA62E2781}'" delete
        3⤵
        PID:2672
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{014CA708-D618-4612-8FF8-A40ECF2E52CE}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{014CA708-D618-4612-8FF8-A40ECF2E52CE}'" delete
        3⤵
        PID:2736
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{394A95EA-FCC2-4073-9C54-E7132D1A5092}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{394A95EA-FCC2-4073-9C54-E7132D1A5092}'" delete
        3⤵
        PID:444
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1EF26D8-A501-4076-8099-6F710831F3A6}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1EF26D8-A501-4076-8099-6F710831F3A6}'" delete
        3⤵
        PID:2948
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97B62EEC-501B-46A2-9F30-E967C0DE95C5}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97B62EEC-501B-46A2-9F30-E967C0DE95C5}'" delete
        3⤵
        PID:1524
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2EF9212A-CA4A-44D3-B3BA-7A9AD6A2910D}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2EF9212A-CA4A-44D3-B3BA-7A9AD6A2910D}'" delete
        3⤵
        PID:2956
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A64174B0-53C9-47FB-9288-730A7A89F1E1}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A64174B0-53C9-47FB-9288-730A7A89F1E1}'" delete
        3⤵
        PID:492
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F80E821A-6036-405C-86EB-EF8A1DD5628B}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F80E821A-6036-405C-86EB-EF8A1DD5628B}'" delete
        3⤵
        PID:2192
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{313FDAFD-F61D-4A84-8E65-E2D2BEC9AE2E}'" delete
      2⤵
      PID:2216
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{313FDAFD-F61D-4A84-8E65-E2D2BEC9AE2E}'" delete
        3⤵
        PID:2112
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3351451D-D090-4AEB-AE0E-6EF304C18F57}'" delete
      2⤵
      PID:580
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3351451D-D090-4AEB-AE0E-6EF304C18F57}'" delete
        3⤵
        PID:1940
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9C5ADD-72EA-4FB2-91B7-F1C8AE54F079}'" delete
      2⤵
      PID:1632
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9C5ADD-72EA-4FB2-91B7-F1C8AE54F079}'" delete
        3⤵
        PID:2160
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E0405F2-9109-4C09-9359-EE87C9749EBE}'" delete
      2⤵
      PID:568
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E0405F2-9109-4C09-9359-EE87C9749EBE}'" delete
        3⤵
        PID:808
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79BA3819-6CD6-4872-A528-1AC6DD36A8D0}'" delete
      2⤵
      PID:3008
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79BA3819-6CD6-4872-A528-1AC6DD36A8D0}'" delete
        3⤵
        PID:2596
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E6A0EDC4-069D-4D73-A6E3-B85C6ED7C9D2}'" delete
      2⤵
      PID:1320
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E6A0EDC4-069D-4D73-A6E3-B85C6ED7C9D2}'" delete
        3⤵
        PID:1876
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2673DA65-64CD-43C1-97AB-B43865D42B72}'" delete
      2⤵
      PID:1380
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2673DA65-64CD-43C1-97AB-B43865D42B72}'" delete
        3⤵
        PID:2024
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47F11F4B-3E20-4E68-8AEB-A33E1FDC4F6A}'" delete
      2⤵
      PID:820
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47F11F4B-3E20-4E68-8AEB-A33E1FDC4F6A}'" delete
        3⤵
        PID:908
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
      2⤵
      PID:1080
      • C:\Windows\system32\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
        3⤵
        PID:1224
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2744

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\#Recover-Files.txt
    Filesize
    449B
    MD5
    e2a59a33e6c827a3317aa009e702e816
    SHA1
    003fa7c8adb28bcb99468f7e0b738308858b6af4
    SHA256
    ad3342ff420c93b547ac3ecd7cfb352bba70a57b67ff5985f2442507decf9f57
    SHA512
    f4c50931db6d051ac62217dca3e5d5ac080b02fda58bd9cb93a81553f6b8cf8369845e87e64e1d378d1fb5749ceadfde9c2b1eb142b512c7200dda5fe56dab99