Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
48s -
max time network
144s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
21/03/2023, 23:29
Behavioral task
behavioral1
Sample
c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841.doc
Resource
win10-20230220-en
General
-
Target
c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841.doc
-
Size
245KB
-
MD5
742bd4ba74940549338dc1715192d99c
-
SHA1
793e2a75e17c37ab42ac46fb1683a01b23b60315
-
SHA256
c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841
-
SHA512
a2235e0c6679076ab2be7bc834fa6ed8c7b0f22db1e821f14fe7cc4e4731848371d9e6b8e27dae1b204b762e97059bda3fcc1c63c6af647953604bfffdc8957d
-
SSDEEP
3072:zORzi7NJxZv/H11khtBO8E1CcQZKwKUHblp+akplFapqZU5OVbjnow:SRG7LL3HutFaCcy7XblEagFakZU5O
Malware Config
Extracted
emotet
Epoch4
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3308 2264 regsvr32.exe 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 25 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2264 WINWORD.EXE 2264 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2264 WINWORD.EXE 2264 WINWORD.EXE 2264 WINWORD.EXE 2264 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2264 wrote to memory of 3308 2264 WINWORD.EXE 69 PID 2264 wrote to memory of 3308 2264 WINWORD.EXE 69 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\002953.tmp"2⤵
- Process spawned unexpected child process
PID:3308 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\VONkDoiQUMPIDeQG\FHrxmpqtV.dll"3⤵PID:924
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
455.1MB
MD5f6cb1cfe0d32ef30d459017eb25fe2dd
SHA1f70dc1cf95f6b47885a786359c9c28bb9bad7da7
SHA2565b98fdf4d3a535141bc645a892fa6f13b9c80fadea74d596dd8254cbf53ea373
SHA512706bdf22ea700f131fed29bcc4c5e2dacaf7262d51a6ea0c2a6a9748bef121da27ec9cc6f7b2e47ea30fcbc9f666eef14b26f4dc6b4f09d36d87711a175adaa4
-
Filesize
984KB
MD5ffec2c48d1641a54d5e6d4d34566b304
SHA1492f6885bcd96b54caec9d4f700ab6d4674fc989
SHA25671e5b8bcc439d7c28ce77eedbb8416f8934ad7565c1631ec8208a0b2bfc174ea
SHA51222d1640dce811e4fe937cf74d808bd3f0a9d4b1f2061c4ee17e726dd78d1c8203645e6958e6f9ac0386010c2ecc716eed77535547ad601cca7f482e1cda36243
-
Filesize
454.8MB
MD5175f28b0dfe6389bf511f1acecbf25f9
SHA162c04d11280fd2471d81ae03e83649bbada5592c
SHA2563c5d0a0e330c24ccac99cd6d119696f3abebeca74f38cddcc065f926026414d6
SHA51248c2c5b207e075b0e52f763182e2c93bee1fe4a20e7ab5618b245495ede7f34c7c9e4648ed2583b520e3ab7673f9b37b6333491d04bcef5db7abdf87345a885a