Analysis
max time kernel: 100s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 03/10/2022, 22:16
Behavioral task behavioral1
Sample: 4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: 4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
Resource: win10v2004-20220901-en
General
Target: 4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
Size: 143KB
MD5: 6d5e05f8bf1017ed591fd60ffbb1360e
SHA1: ada2b46dc786b2fe41448b1e49e99eea14952ce3
SHA256: 4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f
SHA512: 9854f7a31316f9442a4058b6c510f351d9de0849eee4ecdb341e4556cfed036c992f74c21e97a0e7519bb22f8c3a4120a6f8b78aaf3081dbe4554e6545f7aee2
SSDEEP: 1536:bmi+xxdgF45E4h2Hnq8OFnouy8CBZJalRG7IwKiCRa44v8Ls5:bmi+/dgy5Ef8doutaZJaQqLR34G8
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid   Process
3740  osk.exe
220   WINWORD.EXE
2092  WINWORD.EXE
YARA rule match (upx) 13 IoCs
The same 0x11000000-0x1103E000 region matches in every stage of the chain (PIDs 4920, 3740, 220 and 2092), consistent with one UPX-packed image being re-dropped under different names.
resource                                                                      yara_rule
behavioral2/memory/4920-134-0x0000000011000000-0x000000001103E000-memory.dmp  upx
behavioral2/files/0x0004000000022e24-137.dat                                  upx
behavioral2/files/0x0004000000022e24-138.dat                                  upx
behavioral2/memory/4920-139-0x0000000011000000-0x000000001103E000-memory.dmp  upx
behavioral2/memory/3740-144-0x0000000011000000-0x000000001103E000-memory.dmp  upx
behavioral2/files/0x0004000000022e49-146.dat                                  upx
behavioral2/files/0x0004000000022e49-145.dat                                  upx
behavioral2/memory/3740-147-0x0000000011000000-0x000000001103E000-memory.dmp  upx
behavioral2/memory/220-150-0x0000000011000000-0x000000001103E000-memory.dmp   upx
behavioral2/files/0x0002000000022e4a-151.dat                                  upx
behavioral2/memory/220-160-0x0000000011000000-0x000000001103E000-memory.dmp   upx
behavioral2/files/0x0004000000022e49-159.dat                                  upx
behavioral2/memory/2092-163-0x0000000011000000-0x000000001103E000-memory.dmp  upx
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence. Geo\Nation holds the GEOID of the region selected in Windows' Region settings, a decimal identifier (for example 244 for the United States) rather than an ISO alpha code, so any comparison in the sample is against that numeric value. All three stages of the chain (the dropper, osk.exe and the dropped WINWORD.EXE) repeat the query.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  osk.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  WINWORD.EXE
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive. The 23 probes cover every drive letter except A:, C: and D:, and all come from WINWORD.EXE; per the process tree this signature is attached to PID 220, the dropped copy in C:\Windows\SysWOW64, not to the genuine Office process.
description              ioc     Process
File opened (read-only)  \??\T:  WINWORD.EXE
File opened (read-only)  \??\V:  WINWORD.EXE
File opened (read-only)  \??\X:  WINWORD.EXE
File opened (read-only)  \??\B:  WINWORD.EXE
File opened (read-only)  \??\L:  WINWORD.EXE
File opened (read-only)  \??\R:  WINWORD.EXE
File opened (read-only)  \??\S:  WINWORD.EXE
File opened (read-only)  \??\U:  WINWORD.EXE
File opened (read-only)  \??\W:  WINWORD.EXE
File opened (read-only)  \??\E:  WINWORD.EXE
File opened (read-only)  \??\J:  WINWORD.EXE
File opened (read-only)  \??\M:  WINWORD.EXE
File opened (read-only)  \??\P:  WINWORD.EXE
File opened (read-only)  \??\G:  WINWORD.EXE
File opened (read-only)  \??\H:  WINWORD.EXE
File opened (read-only)  \??\I:  WINWORD.EXE
File opened (read-only)  \??\K:  WINWORD.EXE
File opened (read-only)  \??\N:  WINWORD.EXE
File opened (read-only)  \??\O:  WINWORD.EXE
File opened (read-only)  \??\Q:  WINWORD.EXE
File opened (read-only)  \??\Y:  WINWORD.EXE
File opened (read-only)  \??\F:  WINWORD.EXE
File opened (read-only)  \??\Z:  WINWORD.EXE
Drops file in System32 directory 13 IoCs
The file names imitate legitimate system binaries: WINWORD.EXE is Microsoft Word's image name, and Com\ctfmoon.exe is one letter away from ctfmon.exe, the legitimate CTF Loader. Both copies are first written by osk.exe (PID 3740) and then re-written by the dropped WINWORD.EXE (PID 220), which also writes the eight .enc files; the genuine Office process (PID 3852) writes nothing here.
description                   ioc                                     Process
File opened for modification  C:\Windows\SysWOW64\Are.enc             WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\Recently.enc        WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\These.enc           WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\WINWORD.EXE         osk.exe
File opened for modification  C:\Windows\SysWOW64\Com\ctfmoon.exe     osk.exe
File opened for modification  C:\Windows\SysWOW64\WINWORD.exe         WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\WINWORD.EXE         WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\Com\ctfmoon.exe     WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\DisconnectTrace.enc WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\Files.enc           WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\Opened.enc          WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\StepSelect.enc      WINWORD.EXE
File opened for modification  C:\Windows\SysWOW64\TraceImport.enc     WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no modification of user files appears anywhere in this report; the only writes recorded are the loader copies and .enc files under C:\Windows\SysWOW64, so treat the label as a generic heuristic rather than evidence of encryption.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. In this run the reads are attributed to WINWORD.EXE and, per the process tree, to PID 3852, the genuine Office16 WINWORD.EXE opened on the decoy document, so the hit belongs to the legitimate Word process rather than to the dropped binaries (PIDs 220 and 2092), which do not trigger it.
description        ioc                                                                                    Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
As with the processor check, the process tree attaches this signature to PID 3852, the genuine Office process, not to the dropped WINWORD.EXE copies.
description        ioc                                                             Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    WINWORD.EXE
Modifies registry class 1 IoCs
description  ioc                                                                                  Process
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Both hits are PID 3852, the genuine Office16 WINWORD.EXE launched to display the decoy .docx; registering a clipboard format listener is ordinary Word behaviour and is not an indicator for the dropped binaries.
pid   Process
3852  WINWORD.EXE
3852  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
3740  osk.exe
3740  osk.exe
3740  osk.exe
3740  osk.exe
220   WINWORD.EXE
220   WINWORD.EXE
Suspicious use of SetWindowsHookEx 10 IoCs
pid   Process
4920  4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
3740  osk.exe
220   WINWORD.EXE
2092  WINWORD.EXE
3852  WINWORD.EXE
3852  WINWORD.EXE
3852  WINWORD.EXE
3852  WINWORD.EXE
3852  WINWORD.EXE
3852  WINWORD.EXE
Suspicious use of WriteProcessMemory 11 IoCs
description                         pid   Process                                                                procid_target
PID 4920 wrote to memory of 3852    4920  4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe  85
PID 4920 wrote to memory of 3852    4920  4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe  85
PID 4920 wrote to memory of 3740    4920  4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe  86
PID 4920 wrote to memory of 3740    4920  4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe  86
PID 4920 wrote to memory of 3740    4920  4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe  86
PID 3740 wrote to memory of 220     3740  osk.exe                                                                87
PID 3740 wrote to memory of 220     3740  osk.exe                                                                87
PID 3740 wrote to memory of 220     3740  osk.exe                                                                87
PID 220 wrote to memory of 2092     220   WINWORD.EXE                                                            88
PID 220 wrote to memory of 2092     220   WINWORD.EXE                                                            88
PID 220 wrote to memory of 2092     220   WINWORD.EXE                                                            88
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe  (PID 4920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3852)
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f .docx" /o ""
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\Temp\_$Cf\osk.exe  (PID 3740)
        Command line: "C:\Windows\Temp\_$Cf\osk.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WINWORD.EXE  (PID 220)
            Command line: "C:\Windows\system32\WINWORD.EXE"
            - Executes dropped EXE
            - Checks computer location settings
            - Enumerates connected drives
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WINWORD.EXE  (PID 2092)
                Command line: "C:\Windows\system32\WINWORD.EXE"
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
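The process tree and the WriteProcessMemory table above show the pattern worth hunting for: the dropper launches the real Office16 WINWORD.EXE on a decoy .docx staged in C:\Windows\Temp, while a second binary named osk.exe runs from the same staging directory and spawns a WINWORD.EXE that lives in C:\Windows\SysWOW64 rather than under Program Files. The script below is an added example for this page (not tria.ge code and not the sample's own code): it parses "PID X wrote to memory of Y" lines into a parent map, rebuilds each process's ancestry, and applies three rules the report supports. The process records and the WriteProcessMemory lines are constructed from the report; the Office allow-list and install roots are assumptions to be replaced by a real software inventory.

```python
"""Hunt over a sandbox process tree for the masquerade pattern in this report.
Added example for this page, not tria.ge code. Process records and
WriteProcessMemory lines are constructed from the report; allow-lists are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE = "4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe"
DECOY = SAMPLE[:-4] + " .docx"   # the .docx the genuine Word is told to open

# Assumed allow-list: Office image names and the roots they legitimately run from.
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
OFFICE_ROOTS = ("c:\\program files\\microsoft office\\",
                "c:\\program files (x86)\\microsoft office\\")
WINDOWS_TEMP = "c:\\windows\\temp\\"


@dataclass
class Proc:
    pid: int
    image: str     # image path as logged by the sandbox
    cmdline: str   # full command line as logged

# Constructed from the Processes section of the report.
PROCS = [
    Proc(4920, rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
         rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'),
    Proc(3852, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         rf'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\{DECOY}" /o ""'),
    Proc(3740, r"C:\Windows\Temp\_$Cf\osk.exe", r'"C:\Windows\Temp\_$Cf\osk.exe"'),
    Proc(220, r"C:\Windows\SysWOW64\WINWORD.EXE", r'"C:\Windows\system32\WINWORD.EXE"'),
    Proc(2092, r"C:\Windows\SysWOW64\WINWORD.EXE", r'"C:\Windows\system32\WINWORD.EXE"'),
]

# Constructed from the WriteProcessMemory table; one repeat is kept on purpose
# because the sandbox emits a line per call and the parser must de-duplicate.
WPM_LINES = f"""\
PID 4920 wrote to memory of 3852 4920 {SAMPLE} 85
PID 4920 wrote to memory of 3852 4920 {SAMPLE} 85
PID 4920 wrote to memory of 3740 4920 {SAMPLE} 86
PID 3740 wrote to memory of 220 3740 osk.exe 87
PID 220 wrote to memory of 2092 220 WINWORD.EXE 88
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DOC_ARG_RE = re.compile(r'"([^"]+\.(?:docx?|rtf|xlsx?|pptx?))"', re.IGNORECASE)


def norm(path: str) -> str:
    """Strip quotes and lower-case: NTFS paths compare case-insensitively."""
    return path.strip().strip('"').lower()


def parse_wpm(text: str) -> Dict[int, int]:
    """Map target pid -> first writer pid. A parent writes into a child it
    creates before the child runs, so this doubles as a parent map."""
    parents: Dict[int, int] = {}
    for m in WPM_RE.finditer(text):
        parents.setdefault(int(m.group(2)), int(m.group(1)))
    return parents


def parent_chain(pid: int, parents: Dict[int, int]) -> List[int]:
    """Root-first ancestry of pid, stopping on unknown parents or cycles."""
    chain, seen = [pid], {pid}
    while chain[0] in parents and parents[chain[0]] not in seen:
        chain.insert(0, parents[chain[0]])
        seen.add(chain[0])
    return chain


def findings(p: Proc) -> List[str]:
    """Rules this report supports; each yields a stable tag for correlation."""
    out: List[str] = []
    img = norm(p.image)
    name = img.rsplit("\\", 1)[-1]
    # 1. An Office image name running from outside any Office install root.
    if name in OFFICE_BINARIES and not img.startswith(OFFICE_ROOTS):
        out.append(f"office-name-outside-office-root:{name}")
    # 2. Any executable launched from C:\Windows\Temp.
    if img.startswith(WINDOWS_TEMP):
        out.append("exe-from-windows-temp")
    # 3. Genuine Office opening a document staged under C:\Windows\Temp (decoy).
    if name in OFFICE_BINARIES:
        for doc in DOC_ARG_RE.findall(p.cmdline):
            if norm(doc).startswith(WINDOWS_TEMP):
                out.append("decoy-document-from-windows-temp")
    return out


def triage(procs: List[Proc], parents: Dict[int, int]) -> Dict[int, List[str]]:
    """Per-process findings plus a taint tag for every flagged ancestor."""
    own = {p.pid: findings(p) for p in procs}
    result: Dict[int, List[str]] = {}
    for p in procs:
        hits = list(own[p.pid])
        hits += [f"descends-from-flagged:{a}"
                 for a in parent_chain(p.pid, parents)[:-1] if own.get(a)]
        result[p.pid] = hits
    return result


if __name__ == "__main__":
    for pid, hits in triage(PROCS, parse_wpm(WPM_LINES)).items():
        print(pid, hits)
```

On the constructed records the dropper (PID 4920) itself raises nothing, which is the point: the sample's own path under the user's temp directory is unremarkable in a sandbox, and it is the combination of the decoy hand-off to genuine Word, the staging directory, and the Office name in SysWOW64 that separates this chain from a user opening a document. The taint tags let a hunt pivot from the obvious hit (WINWORD.EXE outside Program Files) back to osk.exe without re-reading the tree by hand.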
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 134KB (six of the seven download entries share this hash)
MD5: 16313c4d99088daa64cdc3863ec93335
SHA1: d4169e346c9758ee85ec7b3750d87bf6785a56f6
SHA256: 597c7222db4066ab05ff8fa1622f43990d4c680748b83e867ee787431f88ffad
SHA512: e8eeef4a88c0c43d97c9b12465f41a6b69b9dbc79a894b979b01fdd4751616e16e7beb077adc232470913fa34471ed8868cc65910bc15a0a2ebce43cec2e5727
Filesize: 10KB
MD5: abfae85b84450719d7fb32688424d589
SHA1: bd7004d292afb6aec829eea1c27b13fa8c0259bc
SHA256: 10bf6ec69a070ea5d28c9f76efbb5100ce849bd3439bd2a8b3dbfa0584de88c0
SHA512: 0a57c1bfcf6989e5448b3dafdaccd91358d82ecdfa952bb739740aa838a75b745c6e1a238540a8013d776fa895feecf5e5a63b373517f1cb5d660b972d15ca49