Analysis
- max time kernel: 1205s
- max time network: 1166s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 13:50
Static task: static1
Behavioral task: behavioral1
- Sample: WP#3272.html
- Resource: win7-20220812-en
General
- Target: WP#3272.html
- Size: 1.3MB
- MD5: bde0e3672c5de82a86f83c6315c2eb95
- SHA1: 57dca61336755ce5631248e8b56642a369ffecc0
- SHA256: 65ccb33e111a2bfe4e74dafd5c3cb62f8dc4cfedb4492785dfc2d0838841b10e
- SHA512: 267bf372fa88917e928c5a65907fab19a9365f8f82532ea63c0edd221cd9f5882114163d9d0c31992057d5ab247bcb0dcb6e98662e18fb16e925938f5f338c45
- SSDEEP: 12288:swiSePqm22VGDFKObVwAfqmRw696LzA9kKS9EOIWV4T9OaJn267hjmFPpQx90DLz:mJ2P9Bfq+cGNrOIWyBOD6F0o4ghBgP
Malware Config
Extracted
qakbot
404.46
obama224
1669794048
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (WScript.exe)

Loads dropped DLL (1 IoC)
- pid 4704 rundll32.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\E: (WScript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)

Discovers systems in the same network (1 TTP, 1 IoC)
- pid 2608 net.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
- pid 3976 netstat.exe
- pid 4680 ipconfig.exe

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (firefox.exe)

NTFS ADS (1 IoC)
- File created: C:\Users\Admin\AppData\Local\Temp\attachment.zip:Zone.Identifier (firefox.exe)

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 4884 powershell.exe (2 entries)
- pid 4704 rundll32.exe (2 entries)
- pid 732 wermgr.exe (60 entries)

Suspicious behavior: MapViewOfSection (1 IoC)
- pid 4704 rundll32.exe

Suspicious use of AdjustPrivilegeToken (41 IoCs)
- Token: SeDebugPrivilege, pid 1388 firefox.exe (11 entries)
- Token: SeDebugPrivilege, pid 4884 powershell.exe (1 entry)
- Token: SeDebugPrivilege, pid 3976 netstat.exe (1 entry)
- Token: SeDebugPrivilege, pid 2820 whoami.exe (27 entries)
- Token: SeSecurityPrivilege, pid 2692 msiexec.exe (1 entry)

Suspicious use of FindShellTrayWindow (4 IoCs)
- pid 1388 firefox.exe (4 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
- pid 1388 firefox.exe (3 entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
- pid 1388 firefox.exe (4 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1084 wrote to memory of 1388 (pid 1084 firefox.exe, procid_target 83): 9 entries
- PID 1388 wrote to memory of 1176 (pid 1388 firefox.exe, procid_target 84): 2 entries
- PID 1388 wrote to memory of 3376 (pid 1388 firefox.exe, procid_target 87): 43 entries
- PID 1388 wrote to memory of 4428 (pid 1388 firefox.exe, procid_target 88): 10 entries
Processes (image path with PID, then command line and triggered signatures; indentation shows the parent/child tree)

- C:\Program Files\Mozilla Firefox\firefox.exe (PID 1084)
  command: "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\WP#3272.html
  signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1388)
    command: "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\WP#3272.html
    signatures: Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1176)
      command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.0.1951694526\1410177173" -parentBuildID 20200403170909 -prefsHandle 1692 -prefMapHandle 1612 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 1792 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3376)
      command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.3.50820148\455962081" -childID 1 -isForBrowser -prefsHandle 1528 -prefMapHandle 2440 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 2368 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4428)
      command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.13.315758764\1733898112" -childID 2 -isForBrowser -prefsHandle 2972 -prefMapHandle 2760 -prefsLen 897 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 3024 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4236)
      command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.20.321864617\1646043501" -childID 3 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 7286 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 3952 tab
- C:\Windows\System32\rundll32.exe (PID 3192)
  command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\WScript.exe (PID 3432)
  command: "C:\Windows\System32\WScript.exe" "E:\WP.vbs"
  signatures: Checks computer location settings; Enumerates connected drives
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4884)
    command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\flag.ps1
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\rundll32.exe (PID 4704)
      command: "C:\Windows\system32\rundll32.exe" C:\users\public\madamSmuggler.txt DrawThemeIcon
      signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
      - C:\Windows\SysWOW64\wermgr.exe (PID 732)
        command: C:\Windows\SysWOW64\wermgr.exe
        signatures: Suspicious behavior: EnumeratesProcesses
        - C:\Windows\SysWOW64\net.exe (PID 2608)
          command: net view
          signatures: Discovers systems in the same network
        - C:\Windows\SysWOW64\cmd.exe (PID 4840)
          command: cmd /c set
        - C:\Windows\SysWOW64\arp.exe (PID 2396)
          command: arp -a
        - C:\Windows\SysWOW64\ipconfig.exe (PID 4680)
          command: ipconfig /all
          signatures: Gathers network information
        - C:\Windows\SysWOW64\nslookup.exe (PID 388)
          command: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
        - C:\Windows\SysWOW64\net.exe (PID 1324)
          command: net share
          - C:\Windows\SysWOW64\net1.exe (PID 1316)
            command: C:\Windows\system32\net1 share
        - C:\Windows\SysWOW64\route.exe (PID 4216)
          command: route print
        - C:\Windows\SysWOW64\netstat.exe (PID 3976)
          command: netstat -nao
          signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\net.exe (PID 1848)
          command: net localgroup
          - C:\Windows\SysWOW64\net1.exe (PID 4752)
            command: C:\Windows\system32\net1 localgroup
        - C:\Windows\SysWOW64\whoami.exe (PID 2820)
          command: whoami /all
          signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 2692)
  command: C:\Windows\system32\msiexec.exe /V
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 577KB
  MD5: 66a6d4bb6da8d1683092f651421c028f
  SHA1: 81e7e9ecff5e59ce00829b4bb0a94ccc960b8b93
  SHA256: 14efc89f9a135724fe635e0ce4f61c871b27358bc9b64c7408ab81bffe446424
  SHA512: bd0a002cc51d499b39d7bb7ae316d58df36c00bbcae2272ed2529274c67b6bb60a61f48484fae6804c392f18cf62bac10b968452b7498b0f099d6701e540c8c5