Analysis

  • max time kernel
    131s
  • max time network
    46s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    09/07/2020, 14:27

General

  • Target

    RFQ Request For Quotation.doc. .exe

  • Size

    1.0MB

  • MD5

    087a1ecc3d720b786d8cc8544bc469ed

  • SHA1

    721623d6904a1c9e8168c3f104840490b5b52491

  • SHA256

    dff0bf7c85f01cf94f21c7bdd224fe0b3d73dcad9cb38fa40eef4685c9bc63ab

  • SHA512

    ae12605396dc568f7da9d9fdfb5518bcedea190c0c7f3d39d9773c76fee41bc5f0daf966ca31bba6acccdc5be867e64a30c6c1deed2425713db1226c196d5981

Score
8/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 27 IoCs
  • Runs net.exe
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Views/modifies file attributes 1 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ Request For Quotation.doc. .exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ Request For Quotation.doc. .exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Modifies registry class
    PID:1732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low\Adobe.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low\Adobe03.bat" /quiet /norestart"
        3⤵
        • Suspicious use of WriteProcessMemory
        • Modifies registry class
        PID:2440
        • C:\Windows\SysWOW64\net.exe
          NET FILE
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 FILE
            5⤵
            PID:2740
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low\adobel.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3716
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low\adobe01.bat" /quiet /norestart"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3012
              • C:\Windows\SysWOW64\attrib.exe
                attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeD\Adobe INC\AadobeRead\"
                6⤵
                • Views/modifies file attributes
                PID:4068
              • C:\Windows\SysWOW64\xcopy.exe
                xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\"
                6⤵
                • Enumerates system info in registry
                PID:3564
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\adob02.bat"
                6⤵
                PID:3752

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Downloads