Resubmissions

  • 02/11/2022, 07:35: 221102-jeqmhaaca2, score 6
  • 02/11/2022, 07:27: 221102-jak68aabg7, score 1
  • 02/11/2022, 07:14: 221102-h2phaaabc6, score 6
  • 02/11/2022, 07:10: 221102-hzkrbaaba8, score 6

Analysis

  • max time kernel
    113s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/11/2022, 07:14

General

  • Target: 23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1.pdf
  • Size: 123KB
  • MD5: 5beb7c5ff96ef2dc04a9819c202b763c
  • SHA1: da443ec9803434c6889d1ce29b68eba49410077d
  • SHA256: 23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1
  • SHA512: 07d180e2def2e3deda4f8b473ad8ff1dc9e2a86535f26b03c6d2322a2eca4a06732ca64d051494380027493cd5c2b1e4252f3261af66d53e9d4b192b60785af7
  • SSDEEP: 3072:CCiI2W/+oGlhxbRg5NpmqeBAmizCXNse6+rACvt2cq2p0FVbO7LcCDOrdUx07+:CW/+oGfk3mEmizuNse6SACvt2cSVbO7p

Score
6/10

Malware Config

Signatures

  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 12 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1.pdf"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
      "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • outlook_win_path
      PID:1092
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2e8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1432
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\perfc009.dat
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\perfc009.dat
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1888

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\System32\perfc009.dat
    • Filesize: 119KB
    • MD5: b5a572998b68d075ef4972d556821960
    • SHA1: cae7a6f6f376cde3c91c75ed054e8acec7c63e71
    • SHA256: db40f8581a44d7c7108d532eb3ebb266578ae83fcd1432313f9398c65bc560d6
    • SHA512: b970765afd7be6b6e5c5e77a9a941c780ba6843776eb33496a7d7aef613de6231869d8cb7a252eddfd69e26fee5ccba1e9a050758534c3fc3ad55ee611fd640c
  • memory/1092-56-0x00000000708C1000-0x00000000708C3000-memory.dmp
    • Filesize: 8KB
  • memory/1092-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
    • Filesize: 64KB
  • memory/1092-59-0x00000000718AD000-0x00000000718B8000-memory.dmp
    • Filesize: 44KB
  • memory/1180-54-0x0000000075091000-0x0000000075093000-memory.dmp
    • Filesize: 8KB
  • memory/1600-60-0x000007FEFB751000-0x000007FEFB753000-memory.dmp
    • Filesize: 8KB