Analysis
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 05/07/2023, 10:05
Static task: static1
Behavioral task: behavioral1 (sample: Πληρωμή298434801TT.rtf, resource: win7-20230703-en)
Behavioral task: behavioral2 (sample: Πληρωμή298434801TT.rtf, resource: win10v2004-20230703-en)
General
Target: Πληρωμή298434801TT.rtf
Size: 32KB
MD5: 9cb89bef1811eba255e7b7031218a10f
SHA1: 57e58bf2ea5da5130aa375928bb366d0cabcb09f
SHA256: 09fbc9ef18c64027c5bf9b1a89d46e2561e0eabc77f3fe1e22c39244a017370a
SHA512: 1afd4e122fc4286d5f4fb4e4ccbcd3c7698a871d31f7bace0efce265d42bbe0bb7244128488ec15e24076e382cdfcc9276502ab0d504d71ff3bf5f242a70efd1
SSDEEP: 768:vFx0XaIsnPRIa4fwJMPJ12uTyXpcdRbb3vgPcxOSKVuT:vf0Xvx3EMv/uXpcLLvMEZT
Malware Config
Extracted: remcos
Htfruning
seanblacin.sytes.net:6110
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: htfruning.exe
copy_folder: Htfruning
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: htfruning
mouse_option: false
mutex: Rmc-BIDEV2
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 3, pid 2324, process EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid 3044, process plugmperier457846.exe
  pid 2708, process plugmperier457846.exe
- Loads dropped DLL (1 IoC)
  pid 2324, process EQNEDT32.EXE
- Suspicious use of SetThreadContext (1 IoC)
  PID 3044 set thread context of 2708; process plugmperier457846.exe, procid_target 34
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log, process WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid 2324, process EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2216, process WINWORD.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2216, process WINWORD.EXE
  pid 2216, process WINWORD.EXE
  pid 2708, process plugmperier457846.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2324 wrote to memory of 3044; process EQNEDT32.EXE, procid_target 30 (4 entries)
  PID 2216 wrote to memory of 2820; process WINWORD.EXE, procid_target 33 (4 entries)
  PID 3044 wrote to memory of 2708; process plugmperier457846.exe, procid_target 34 (13 entries)
Processes
- "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Πληρωμή298434801TT.rtf" (PID 2216)
  Signatures: Drops file in Windows directory; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe 12288 (PID 2820)
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding (PID 2324)
  Signatures: Blocklisted process makes network request; Loads dropped DLL; Launches Equation Editor; Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Roaming\plugmperier457846.exe" (PID 3044)
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Roaming\plugmperier457846.exe" (PID 2708)
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 234B
  MD5: 798db62c32e1a4d683ceeedb27889a39
  SHA1: b91ae393062ef28f49eda72c038132d40a3c524a
  SHA256: bdd7a93b14ce12d391a3041a3443d9bcff4729fb7ebcb584fb389d65aed78881
  SHA512: 450ace0979c74c426587e21a7d51d8580ee390f70f4008daca4255bc2340c3a25889e397e4c7a88eeff97e67a6b1dbaf00d46aa1aa9b6969e48dae6d38a8bc1c
- Filesize: 20KB
  MD5: 9674269d1bc66fa59b040a0b94ffe96a
  SHA1: 7e295dbb45fddbd115450aecc506361f230f5fd2
  SHA256: eddaf9af82fa6ebf250830858be93540616a2720195604d56399d4985c1249d1
  SHA512: 34947b85da0ca4f1e0dc58dd8014e943bd5ef8f2fa9a39e66086d6f6485768f8a1b033551e164153b8fb59abe20de71f4ddcbc4671aaf7293f80571b9b96f5a5
- Filesize: 917KB
  MD5: 53c2300cd80cc19026ff56c95835ecc9
  SHA1: f66b14b681aa9d71a884930fd5c6dc79fdbb0400
  SHA256: 99ed6e63a6e0562da0a4accc3c868a50a04e5c4f7757c99808eddf6979b84587
  SHA512: 38c4a03c1433977199bf938352df964e3976a197810d8a728e01d58ab2e7e356f0e866f96bf68b195d14c5949a30de397fb8adbee0b3642305c42f0fb3712954