Analysis
- max time kernel: 312s
- max time network: 335s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/11/2022, 17:17
Behavioral task: behavioral1
- Sample: fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
- Resource: win10v2004-20221111-en
General
- Target: fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
- Size: 82KB
- MD5: ae033e0a65c0faabeb3d35ec072d2961
- SHA1: a6160f176a5f2bfee83a5f24b1e8dbc2c754392f
- SHA256: fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add
- SHA512: d47ece53e340e937ceb088477d653fd44fb47a6c952dc025b4b78ed939e210265b3a8b23ecccc68236355498c9aea6e38aa65a2791a9cf72f42abb4163483f19
- SSDEEP: 1536:6mi+xxdgF45E4h2Hnq8OFnouy8CBZVDYTwtaRdoYVJ42+Jy/:6mi+/dgy5Ef8doutaZZYCajVJ4VJy/
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  1820  osk.exe
  2316  WINWORD.EXE
  1776  WINWORD.EXE

  resource                                                                      yara_rule
  behavioral2/memory/5112-133-0x0000000011000000-0x000000001102F000-memory.dmp  upx
  behavioral2/files/0x000a000000022de3-138.dat                                  upx
  behavioral2/files/0x000a000000022de3-139.dat                                  upx
  behavioral2/memory/5112-140-0x0000000011000000-0x000000001102F000-memory.dmp  upx
  behavioral2/memory/1820-145-0x0000000011000000-0x000000001102F000-memory.dmp  upx
  behavioral2/memory/1820-148-0x0000000011000000-0x000000001102F000-memory.dmp  upx
  behavioral2/files/0x0008000000022df9-147.dat                                  upx
  behavioral2/files/0x0008000000022df9-146.dat                                  upx
  behavioral2/files/0x0009000000022e02-151.dat                                  upx
  behavioral2/files/0x0008000000022df9-153.dat                                  upx
  behavioral2/memory/2316-154-0x0000000011000000-0x000000001102F000-memory.dmp  upx
  behavioral2/memory/1776-161-0x0000000011000000-0x000000001102F000-memory.dmp  upx
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  WINWORD.EXE
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  osk.exe
- Drops file in System32 directory (11 IoCs)
  description                   ioc                                   Process
  File opened for modification  C:\Windows\SysWOW64\Opened.enc        WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\Recently.enc      WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\Com\ctfmoon.exe   WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\Are.enc           WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\AssertTrace.enc   WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\Files.enc         WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\WINWORD.EXE       osk.exe
  File opened for modification  C:\Windows\SysWOW64\Com\ctfmoon.exe   osk.exe
  File opened for modification  C:\Windows\SysWOW64\WINWORD.exe       WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\WINWORD.EXE       WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\These.enc         WINWORD.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  description  ioc                                                                           Process
  Key created  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings  fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1820  osk.exe
  1820  osk.exe
  1820  osk.exe
  1820  osk.exe
  2316  WINWORD.EXE
  2316  WINWORD.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  5112  fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
  1820  osk.exe
  2316  WINWORD.EXE
  1776  WINWORD.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 5112 wrote to memory of 4848    5112  fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe  84
  PID 5112 wrote to memory of 4848    5112  fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe  84
  PID 5112 wrote to memory of 1820    5112  fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe  85
  PID 5112 wrote to memory of 1820    5112  fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe  85
  PID 5112 wrote to memory of 1820    5112  fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe  85
  PID 1820 wrote to memory of 2316    1820  osk.exe                                                                 86
  PID 1820 wrote to memory of 2316    1820  osk.exe                                                                 86
  PID 1820 wrote to memory of 2316    1820  osk.exe                                                                 86
  PID 2316 wrote to memory of 1776    2316  WINWORD.EXE                                                             87
  PID 2316 wrote to memory of 1776    2316  WINWORD.EXE                                                             87
  PID 2316 wrote to memory of 1776    2316  WINWORD.EXE                                                             87
Processes
- C:\Users\Admin\AppData\Local\Temp\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 5112
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add .doc" /o ""
    PID: 4848
  - C:\Windows\Temp\_$Cf\osk.exe
    Command line: "C:\Windows\Temp\_$Cf\osk.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1820
    - C:\Windows\SysWOW64\WINWORD.EXE
      Command line: "C:\Windows\system32\WINWORD.EXE"
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2316
      - C:\Windows\SysWOW64\WINWORD.EXE
        Command line: "C:\Windows\system32\WINWORD.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 1776
Downloads
- Filesize: 74KB
  MD5: 862a96836fe55f230039047fc1897b6f
  SHA1: 56a56c039d90714cefe7d2e7bb02e13c2b04764c
  SHA256: 0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21
  SHA512: d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574
- Filesize: 26KB
  MD5: 98d2e1b1e786cefc381e7576dbac46f8
  SHA1: 8814708491d90b2e2788254a9bf38a163071d780
  SHA256: 1d5ddea2a2d81381bab9514567e8556fe8f6848505c8627b0bcdcfc49d24871e
  SHA512: 8e170c02ca257b77abec904d896bfede2c04d1dd25f5807379d3f4f5dc072ceeb3a5d2220c25ce9f2545bdbc21e6c2f19fe5f49fe8a8d922084127f841c52a5d