Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 02:55
Behavioral task: behavioral1
- Sample: comn701bul.dotm
- Resource: win7-20220901-en
General
- Target: comn701bul.dotm
- Size: 23KB
- MD5: 12f938b403dc7d335c21703b67d23f81
- SHA1: 24a2355e905f6f6328830506077033e789941fa4
- SHA256: ff70cb7fbe9723660b9a8e46ca828b31432be1abcd6fa372f934f0c702cfaeae
- SHA512: e37f7a0aecfbe4aedd2171f878a232f193643c8870dd1ba5aa3a121c8ad284f4181a3d45ff6a0b1856961699aa7a6795a6694dac803fe83bb7123781fb8c69cf
- SSDEEP: 384:tmt4EDRI4j9hk9Z2Z5Yt2vE9Ar6Fjle+gq1ei+4Nxt/ZtNNTNKXY1/Ln4Whcjqhm:q4uphhcXAr6Fjle+f7ZxllN/ddOWHg
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1420, Process MsUpdate.cpl
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Process: WINWORD.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Process: WINWORD.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Process: WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Process: WINWORD.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Process: WINWORD.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Process: WINWORD.EXE
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header | flow: 17 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  description: HTTP User-Agent header | flow: 20 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 1440, Process WINWORD.EXE (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1420, Process MsUpdate.cpl (2 identical entries)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid 1440, Process WINWORD.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 1440 wrote to memory of 1420 | pid: 1440 | Process: WINWORD.EXE | procid_target: 84 (3 identical entries)
  description: PID 1420 wrote to memory of 3588 | pid: 1420 | Process: MsUpdate.cpl | procid_target: 86 (3 identical entries)
  description: PID 3588 wrote to memory of 3580 | pid: 3588 | Process: cmd.exe | procid_target: 87 (3 identical entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\comn701bul.dotm" /o ""
  PID: 1440
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\MsUpdate.cpl
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\MsUpdate.cpl
    PID: 1420
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks -create -tn "MicrosoftUpdateStatisticCore Task-S-1-5-21-2629973501-4017243118-3254762364-1000" /XML C:\Users\Admin\AppData\Roaming\Microsoft\Tsk.xml
      PID: 3588
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks -create -tn "MicrosoftUpdateStatisticCore Task-S-1-5-21-2629973501-4017243118-3254762364-1000" /XML C:\Users\Admin\AppData\Roaming\Microsoft\Tsk.xml
        PID: 3580
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 87KB
  MD5: f512ab1d4a38bdfe39451bf678f6bbae
  SHA1: f4d0be2ed6febb20b16e3cd0807a58c5efed7ea1
  SHA256: 601243aef0e2f9e945dc5ae5324517d31726f452acd54543cc106d691687710e
  SHA512: d9c84b35f9b3504ca2214113e1325b44f13fd9b5171f8475789b935241316f335c14c9c80ef20aabc7236a21cb17e11ad5ebccff4f08d56f6c75f4c8e19c7bad
- Filesize: 1KB
  MD5: 8d503de4bfa7a3df51772667b00c7720
  SHA1: 768de237b92796ad74f5aeb392ebe4302a32feab
  SHA256: 1ddc33fbec13a39e53946a319ac045908a28d191f326b600e81cf69e88d87488
  SHA512: 8e5de4984001cb2784f39d033b321fe537ecd376530748e0e7a4225eec1e907cdc181b0da529cee90ce70b52da06e42c2037f5f0be67950d7fb86a471fdbf349