Analysis
max time kernel: 133s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 15/03/2023, 23:01
Static task: static1
Behavioral task: behavioral1
Sample: 443_654.one
Resource: win10v2004-20230220-en
General
Target: 443_654.one
Size: 117KB
MD5: df1f29624394dc9466a59bce80a2e8d2
SHA1: 56f95cd319944ed2bf59a3aac7da8e0b421d424e
SHA256: ac395e800318c64e376e897a38c0defcc7b78aa5439d8431a38c2e05377e49aa
SHA512: 683d392f3497bd9af9f71cd7561547eb685a38149fa99ab6bc6019233a8f9caae10a7ed60037589f4703f194b1d39ece683a3f250dc79a6c960a2d1400ec915e
SSDEEP: 1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXO:1BoC+tCYvSMVnte8ZP1Y6Je
Malware Config
Extracted
emotet
Epoch4
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process; pid: 4200; pid_target: 1392; Process: WScript.exe; procid_target: 66

Blocklisted process makes network request (1 IoC)
flow: 48; pid: 4200; Process: WScript.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation; Process: WScript.exe

Loads dropped DLL (2 IoCs)
pid: 1836; Process: regsvr32.exe
pid: 1136; Process: regsvr32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; Process: regsvr32.exe
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wkLPVZvnRqh.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NnCxReVpCIKTEsa\\wkLPVZvnRqh.dll\""; Process: regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; Process: ONENOTE.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; Process: ONENOTE.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; Process: ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; Process: ONENOTE.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; Process: ONENOTE.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; Process: ONENOTE.EXE

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header; flow: 48; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid: 1392; Process: ONENOTE.EXE (2 events)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid: 1392; Process: ONENOTE.EXE (2 events)
pid: 1836; Process: regsvr32.exe (2 events)
pid: 1136; Process: regsvr32.exe (4 events)

Suspicious use of SetWindowsHookEx (14 IoCs)
pid: 1392; Process: ONENOTE.EXE (14 events)

Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 1392 wrote to memory of 4200; pid: 1392; Process: ONENOTE.EXE; procid_target: 98 (2 events)
description: PID 4200 wrote to memory of 1836; pid: 4200; Process: WScript.exe; procid_target: 100 (2 events)
description: PID 1836 wrote to memory of 1136; pid: 1836; Process: regsvr32.exe; procid_target: 102 (2 events)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\443_654.one"
   PID: 1392
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{16A8E445-FADF-41F1-B58D-4DDB4484A50F}\NT\0\click.wsf"
      PID: 4200
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\regsvr32.exe
         Command line: "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{16A8E445-FADF-41F1-B58D-4DDB4484A50F}\NT\0\radFD1B4.tmp.dll"
         PID: 1836
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\regsvr32.exe
            Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NnCxReVpCIKTEsa\wkLPVZvnRqh.dll"
            PID: 1136
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
Downloads
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{16A8E445-FADF-41F1-B58D-4DDB4484A50F}\NT\0\click.wsf
Filesize: 53KB
MD5: ae25f2104967b2708ac9dba80aac52fd
SHA1: 7ac0150b43cbb5eeba9a0f956e1291df6790f3bf
SHA256: 11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56
SHA512: d4a7f95631e7eb88fdadbe66d31bf9c7459d0f80ca2c9174952aad42bff6262241b25916e6a089f778990be981a2cf220baa69ad261314247c286397553decca

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{16A8E445-FADF-41F1-B58D-4DDB4484A50F}\NT\0\click.wsf
Filesize: 9B
MD5: 07f5a0cffd9b2616ea44fb90ccc04480
SHA1: 641b12c5ffa1a31bc367390e34d441a9ce1958ee
SHA256: a0430a038e7d879375c9ca5bf94cb440a3b9a002712118a7bccc1ff82f1ea896
SHA512: 09e7488c138dead45343a79ad0cb37036c5444606cdfd8aa859ee70227a96964376a17f07e03d0fc353708ca9aaf979abf8bc917e6c2d005a0052575e074f531

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{16A8E445-FADF-41F1-B58D-4DDB4484A50F}\NT\0\radFD1B4.tmp.dll
Filesize: 309KB
MD5: bfc060937dc90b273eccb6825145f298
SHA1: c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256: 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
SHA512: cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5