Analysis

  • max time kernel
    475s
  • max time network
    421s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2023, 16:23

General

  • Target

    RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.msg

  • Size

    67KB

  • MD5

    19d328f7406463ea2cf9b0e478bb6ce6

  • SHA1

    f25caf90236a7e92a17d7fc571ed7f3beaa5d3b2

  • SHA256

    86b28c90ffb9ef1c63857df39f78dbcec1afc0e83cb972da80752f77c6d112f2

  • SHA512

    3996b1da007cb92b097dbd3efe627b472eb5a27e517898b9fe6293c13ad80fe5ffdda2fecb28d33fca9210ca21145dd3460d0e7b93fea02ae5728cf37fd61155

  • SSDEEP

    768:0fjVlusyvaOtMv7lnxrf1tsKhsKgsHFEO44FmwsyUz3dFd8eD5+c1N48:Q/CtMzlxrf1tJIsD7sygtFfZ1

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.msg"
    1⤵
    • Modifies registry class
    PID:1392
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.msg
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5048 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        PID:684
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3768
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\" -spe -an -ai#7zMap6379:176:7zEvent11918
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3856
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4680
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\" -spe -an -ai#7zMap5458:176:7zEvent1593
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1276

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO.msg

      Filesize

      67KB

      MD5

      19d328f7406463ea2cf9b0e478bb6ce6

      SHA1

      f25caf90236a7e92a17d7fc571ed7f3beaa5d3b2

      SHA256

      86b28c90ffb9ef1c63857df39f78dbcec1afc0e83cb972da80752f77c6d112f2

      SHA512

      3996b1da007cb92b097dbd3efe627b472eb5a27e517898b9fe6293c13ad80fe5ffdda2fecb28d33fca9210ca21145dd3460d0e7b93fea02ae5728cf37fd61155

    • C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\__substg1.0_0065001F

      Filesize

      64B

      MD5

      4d66c6d10b81e897d5aa32dd5b7a61bd

      SHA1

      5c2ff0ec4cc4b672e6a874892896d9bab68b5e3d

      SHA256

      2167ffb99dcbd621f7b5fa238b702fce56b85c09d581f7830abcf0ae44abf38f

      SHA512

      0902d81012b0a334e8bb56487069791cdb9199350132c05455428309229c53f3d5aa614d4e36ceffd24568fbb8fea18176f604de0ec5e553c3b97a17d5f28d33

    • C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\__substg1.0_0070001F

      Filesize

      114B

      MD5

      691b11e2c4f8716640ee7ed8fd8df650

      SHA1

      bf5dc3b92e1114ea6276d55143ef3ca4d90f27cf

      SHA256

      69de83c1b3d206fa97e6627dc271026c207c86a692ad814807dbec5671ab814d

      SHA512

      2edd4018a893857938c4ed1862933357fc2f20ff21f6da29366f796b99a7d2b318128d910a9195f938041110570fa394c1a02c66092e93c930db4784c48273a5

    • C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\__substg1.0_3FF8001F

      Filesize

      58B

      MD5

      6ccdfcd382aa7b120d286f263e4b41ec

      SHA1

      9e43be2d0451e816f2678ca475b0b94c5b36c1ed

      SHA256

      83fd1288632f6cab4907feb6dcb8b8393ee10b3e98ab0caa6aab6c945f0138ec

      SHA512

      777364dfaf6519e44420fa4964db406b407774d1fcd6cac0daf9c9cbc0b12b4ca04c3aae5fd87830a3e367dda0349df07d5ae13632fab1165de9061c7286333f

    • C:\Users\Admin\Downloads\RADICADO No. 881232-EF98-39823 DEMANDA FISCAL 11 DE JULIO\__substg1.0_4030001F

      Filesize

      58B

      MD5

      ade8e4310f2e1ffa02a24b5e22bc3510

      SHA1

      b2e5ce7e7f694f772056665782be8e82366a36a6

      SHA256

      a3c6c13f66eb7b92d3ce91e1cf523be4cd07e7a1294c2c1bff42312d4089a4a5

      SHA512

      3ec234ea9e5222dc8f803c66b1a6e48f9d3e6820abdf8711e3e58a88c3a3784d1b9247d060c750794cf62e589fb5e815bfeed0f3dc8c7882a33dd0233443175b