Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
15/06/2023, 09:09
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://77.105.146.74/cc.exe
Resource
win10v2004-20230220-en
General
-
Target
http://77.105.146.74/cc.exe
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3496 created 3200 3496 cc.exe 40 -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 3496 cc.exe -
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook certreq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2952 3496 WerFault.exe 85 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 certreq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString certreq.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 9731bf4db045d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a6ac805d325974bb9e5fb792c8f2df50000000002000000000010660000000100002000000081da65ecc8ef9e82198d8605de306c1c3ccf16ee3d422043d204926c8dcc9044000000000e8000000002000020000000703ccd7b6d87b6d2c34a4851308c7edf5b4702de0abaf53392277479ea6049f8200000000706f0d5b86fef22e98b92c844476b04a5a7380879a4ea98a8f2f24de1e72bbf4000000083e315184cfa0c0d621d10a0e787a99503820c5595b25e0a35c273bcb9c3e8e92452c47ceb4dbae6bf6d1ee7304ee6a3a6e23c2ba80fc597fa969445bab3b565 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a6ac805d325974bb9e5fb792c8f2df500000000020000000000106600000001000020000000927aa5301e570deccf9edc7e088e4c8e09ddbbac30389dd9560d28c28d486008000000000e80000000020000200000002423cac46132f209e1e8f487f168c2844ab4ac27416d7ef9f99cab76252ae5f920000000acbce82c88c216ba5e419b02acccfafca787a6698189d6470478e66490a8db5e4000000017e959e9a0ffcd079526331281df3f0b82552a74f082dcbf3166ad13ff0bc910e716752ac4766580dc26c1a3d5f80f5fd677c6ecd0dbd36d6374982939ba312a iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{500D2CB8-0B5C-11EE-BDA1-E2BD7878EA51} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31039337" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "618241914" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09e8429699fd901 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "618241914" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{86EB572F-656B-4C52-A95F-07C5914CDB87}" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31039337" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ef6729699fd901 iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3496 cc.exe 3496 cc.exe 3496 cc.exe 3496 cc.exe 2216 certreq.exe 2216 certreq.exe 2216 certreq.exe 2216 certreq.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2184 iexplore.exe 2184 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2184 iexplore.exe 2184 iexplore.exe 1364 IEXPLORE.EXE 1364 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2184 wrote to memory of 1364 2184 iexplore.exe 83 PID 2184 wrote to memory of 1364 2184 iexplore.exe 83 PID 2184 wrote to memory of 1364 2184 iexplore.exe 83 PID 2184 wrote to memory of 3496 2184 iexplore.exe 85 PID 2184 wrote to memory of 3496 2184 iexplore.exe 85 PID 2184 wrote to memory of 3496 2184 iexplore.exe 85 PID 3496 wrote to memory of 2216 3496 cc.exe 91 PID 3496 wrote to memory of 2216 3496 cc.exe 91 PID 3496 wrote to memory of 2216 3496 cc.exe 91 PID 3496 wrote to memory of 2216 3496 cc.exe 91 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook certreq.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook certreq.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3200
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://77.105.146.74/cc.exe2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1364
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\cc.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\cc.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 9724⤵
- Program crash
PID:2952
-
-
-
-
C:\Windows\system32\certreq.exe"C:\Windows\system32\certreq.exe"2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2216
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3496 -ip 34961⤵PID:4776
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
422KB
MD50799c0591bf96a12fccb55454110f365
SHA11f501f4f3e84827ddc78d16dfa17e07e1aabf1a7
SHA2565e90329c9567efb357eac028e0b3612fb960198c849ac1f314182b4849e4a308
SHA51249065e9843951acbaed1bb3f703444c69ff79fefddec8488526a4b2fd150da4bff75d3adfebe5620a6bb648a7c17f52ee5ad2fcba24f9960550cd7554749df16
-
Filesize
422KB
MD50799c0591bf96a12fccb55454110f365
SHA11f501f4f3e84827ddc78d16dfa17e07e1aabf1a7
SHA2565e90329c9567efb357eac028e0b3612fb960198c849ac1f314182b4849e4a308
SHA51249065e9843951acbaed1bb3f703444c69ff79fefddec8488526a4b2fd150da4bff75d3adfebe5620a6bb648a7c17f52ee5ad2fcba24f9960550cd7554749df16
-
Filesize
422KB
MD50799c0591bf96a12fccb55454110f365
SHA11f501f4f3e84827ddc78d16dfa17e07e1aabf1a7
SHA2565e90329c9567efb357eac028e0b3612fb960198c849ac1f314182b4849e4a308
SHA51249065e9843951acbaed1bb3f703444c69ff79fefddec8488526a4b2fd150da4bff75d3adfebe5620a6bb648a7c17f52ee5ad2fcba24f9960550cd7554749df16