Resubmissions

01/05/2022, 18:25

220501-w2v7qaadhl 10

01/05/2022, 18:22

220501-wz279adge8 10

Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01/05/2022, 18:25

General

  • Target

    decrypt-decrypters/publicKey.xml

  • Size

    397B

  • MD5

    52e4bb13a8780d8180b2902b6214a32a

  • SHA1

    f78d461e51897af9a6dbc365031b24aca90def92

  • SHA256

    f29f3c1ab0db20f3550e78eba4a1bcec1dc76cd6df0c1b547d2229a27eb26160

  • SHA512

    3a6d5c8e863676792ec893d2f21f1314c342f294a95607032225bf12dd41f7935528bffcda43775b6059d1c7e0df746e993ca346780bf3822cd30c42ad3f145a

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings (1 TTP, 55 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
    "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\decrypt-decrypters\publicKey.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\decrypt-decrypters\publicKey.xml
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3180 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1684
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
      PID:3240
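The process tree above is the whole story of this 1/10 sample: the Office XML editor (MSOXMLED.EXE) is launched with `/verb open` on publicKey.xml, hands the file to iexplore.exe, and the IE frame process then spawns its usual tab process (the `SCODEF:<frame pid> CREDAT:...` form). When triaging many such reports it helps to rebuild the parent chain mechanically rather than by eye. The script below is an added example written for this page, not tria.ge code or an export format: the rows are hand-copied from the tree above (depth marker, PID, command line), and the `OFFICE_HELPERS` and `BROWSERS` sets are assumptions you would extend for your own environment. It reconstructs parent links from the depth markers, extracts the `/verb open` target, flags Office-helper-to-browser handoffs, and checks that each IE tab's `SCODEF` value really names its recorded parent.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed from the process tree on this report: (depth marker, PID, command line).
# Hand-copied sample rows, not a tria.ge export format.
PROCESS_ROWS: List[Tuple[int, int, str]] = [
    (1, 3436, r'"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\decrypt-decrypters\publicKey.xml"'),
    (2, 3180, r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\decrypt-decrypters\publicKey.xml'),
    (3, 1684, r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3180 CREDAT:17410 /prefetch:2'),
    (1, 3240, r'C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc'),
]

# Assumed classification sets for the handoff check; extend for your environment.
OFFICE_HELPERS = {"msoxmled.exe"}
BROWSERS = {"iexplore.exe"}


@dataclass
class Proc:
    pid: int
    cmdline: str
    parent: Optional[int] = None
    children: List[int] = field(default_factory=list)

    @property
    def image(self) -> str:
        """Lower-cased basename of the executable, whether or not the path was quoted."""
        m = re.match(r'"([^"]+)"|(\S+)', self.cmdline)
        path = m.group(1) or m.group(2)
        return path.rsplit("\\", 1)[-1].lower()


def build_tree(rows) -> Dict[int, Proc]:
    """Turn the report's depth markers (the 1/2/3 arrows on the page) into parent links."""
    procs: Dict[int, Proc] = {}
    ancestors: List[int] = []          # PIDs at depth 1..n of the current branch
    for depth, pid, cmd in rows:
        del ancestors[depth - 1:]      # drop anything at or below this row's depth
        parent = ancestors[-1] if ancestors else None
        procs[pid] = Proc(pid, cmd, parent)
        if parent is not None:
            procs[parent].children.append(pid)
        ancestors.append(pid)
    return procs


def chain(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the root of the tree down to `pid`."""
    out = []
    while pid is not None:
        out.append(procs[pid].image)
        pid = procs[pid].parent
    return out[::-1]


def opened_files(procs: Dict[int, Proc]) -> Dict[int, str]:
    """Paths handed to a process via '/verb open "<path>"' (the MSOXMLED.EXE launch form here)."""
    found = {}
    for p in procs.values():
        m = re.search(r'/verb open "([^"]+)"', p.cmdline)
        if m:
            found[p.pid] = m.group(1)
    return found


def office_to_browser(procs: Dict[int, Proc]) -> List[int]:
    """PIDs of browser processes whose direct parent is an Office helper."""
    return [p.pid for p in procs.values()
            if p.image in BROWSERS and p.parent is not None
            and procs[p.parent].image in OFFICE_HELPERS]


def scodef_mismatches(procs: Dict[int, Proc]) -> List[int]:
    """An IE tab process names its frame process as SCODEF:<pid>. A tab whose recorded
    parent is a different PID was not created the normal way and deserves a closer look."""
    bad = []
    for p in procs.values():
        m = re.search(r"\bSCODEF:(\d+)", p.cmdline)
        if m and int(m.group(1)) != p.parent:
            bad.append(p.pid)
    return bad


if __name__ == "__main__":
    tree = build_tree(PROCESS_ROWS)
    for pid in sorted(tree):
        print(pid, " -> ".join(chain(tree, pid)))
    print("opened:", opened_files(tree))
    print("office->browser handoffs:", office_to_browser(tree))
    print("SCODEF mismatches:", scodef_mismatches(tree))
```

For this report the handoff check returns PID 3180 (iexplore.exe under MSOXMLED.EXE) and the SCODEF check returns nothing, which matches the page: an XML file opened through the registered viewer, with IE's normal frame/tab split and no unexpected parent. The same chain from a Word or Excel parent, or a tab whose SCODEF does not match its parent, is where a closer look would start.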

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3436-130-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)
  • memory/3436-131-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)
  • memory/3436-132-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)
  • memory/3436-133-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)
  • memory/3436-134-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)
  • memory/3436-135-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)
  • memory/3436-136-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)
  • memory/3436-137-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)
  • memory/3436-138-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmp (64KB)