Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

Nicht best...13.doc

windows7-x64

10

Nicht best...13.doc

windows10-2004-x64

10

Resubmissions

30/09/2023, 07:51

230930-jpwaqsbc35 10

29/09/2023, 22:10

230929-13rm5sgc42 10

29/09/2023, 21:44

230929-1lmymagb76 10

Analysis

  • max time kernel
    595s
  • max time network
    362s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    29/09/2023, 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nicht bestätigt 788413.doc

  • Size

    2.1MB

  • MD5

    d7519b822434fb89fb3643bc2f450e23

  • SHA1

    4fcf10a8fe9db80c3eaf172636a602f95b64b0fc

  • SHA256

    732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f

  • SHA512

    d8b2e5eb888f3ca464e56aebcd6e4eab2b678739663aba90745e6d244a36a7e4e622afaa11f5a0a6effd5991cf26e37e4775837ff97c415ad5feee2969640e95

  • SSDEEP

    12288:t+xefqnAWcv37wHxULygl0kPf5h2BSoPy+OnwGcOuU4N5:oAqnAHTwHK+g00Cy+OnSOz4r

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 788413.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Public\rtwitoghbklj.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 4 /f /tn rtret /tr "C:\Users\Public\fghsd.bat"
        3⤵
        • Creates scheduled task(s)
        PID:2748
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 6 /f /tn sgsg /tr "C:\Users\Public\Pictures\oned.bat"
        3⤵
        • Creates scheduled task(s)
        PID:2852
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 8 /f /tn jhkff /tr "C:\Users\Public\chats\chats.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2544
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2784
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {99CFB13D-5956-49EA-B5AF-DCC07B33B4EF} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SYSTEM32\cmd.exe
        C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\system32\cscript.exe
          cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
          3⤵
          • Suspicious use of FindShellTrayWindow
          PID:476
      • C:\Windows\SYSTEM32\cmd.exe
        C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\oned.bat"
        2⤵
          PID:2388
        • C:\Users\Public\chats\chats.exe
          C:\Users\Public\chats\chats.exe
          2⤵
          • Executes dropped EXE
          PID:580
        • C:\Windows\SYSTEM32\cmd.exe
          C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1496
          • C:\Windows\system32\cscript.exe
            cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
            3⤵
              PID:2316

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_.vbs
          Filesize

          374B

          MD5

          f7527f42289d19e38d328c8b9bf6c3c1

          SHA1

          11f79451278295174fc55e411ce43ae34a96a08e

          SHA256

          6b521ad07453a6c79a87e855c44861209f9ae687bb99f480e19d28b03dcfd9ac

          SHA512

          e80b3f93e3cca4352bb7c85b58c4486a331033531d9b83e3df35cd9ed2a7aef25eaa2b843f8f83b48d639fc9ea04608c0dcdf15b0a678cf0e4acb3c110dee82e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_.vbs
          Filesize

          293B

          MD5

          5c204cd90cd0fc8e06ae478a6060f8e8

          SHA1

          6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

          SHA256

          9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

          SHA512

          76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

          Download Submit

        • C:\Users\Public\chats
          Filesize

          10KB

          MD5

          5e4ef26e46869b1cfa9b7f803eed5b33

          SHA1

          26d00ed8633f7ce0ea433b29a88f3602e38b7b0f

          SHA256

          2ab4d420f543103c1f0188445a3a47eaa77817514573cb07cb8810903ae1f67d

          SHA512

          7d2b36ac7f982b2885577d4c0d7fc467959bed68a07667b073fbf0bb072fd810099745567afa4e7a41bd1f0ce5a61efbff082173212542b8a38762faa4bf988e

          Download Submit

        • C:\Users\Public\chats\chats.exe
          Filesize

          21KB

          MD5

          2cacf99569c85091ea987a02dc1e6bec

          SHA1

          b7bf707938cc0cef3d3e24be0c8748ee699beb15

          SHA256

          40e43aac9888c433d796e106c03846f48a1422d0950f27e0a2b793261e9f9e08

          SHA512

          38d2397b71b83c1f5eb2453fa6a6b3c7457671835fef13d8c92e6c1ac5fd1677682f0a7219bf9ddf922891caf0021a680fcd6ac8dd03116acd149710430c5a02

          Download Submit

        • C:\Users\Public\chats\chats.exe
          Filesize

          21KB

          MD5

          2cacf99569c85091ea987a02dc1e6bec

          SHA1

          b7bf707938cc0cef3d3e24be0c8748ee699beb15

          SHA256

          40e43aac9888c433d796e106c03846f48a1422d0950f27e0a2b793261e9f9e08

          SHA512

          38d2397b71b83c1f5eb2453fa6a6b3c7457671835fef13d8c92e6c1ac5fd1677682f0a7219bf9ddf922891caf0021a680fcd6ac8dd03116acd149710430c5a02

          Download Submit

        • C:\Users\Public\fghsd.bat
          Filesize

          712B

          MD5

          36b06d73347fe0da8177bd212e2b3f77

          SHA1

          f1fc033763b931a729b9da3eb29a0724fd3eb6b9

          SHA256

          a2f68aacf94a11678abd24039f1a26c65c257c26ac7c31c87b442fbd7f6583d9

          SHA512

          c2f90456644fd136c7ed33e83b9501d4c0323e294427b942a1bd078067be63ff3c5b3bc3c99f253b30d3ff579b64ef1699e3684612e9a4f4880e4a806f65c937

          Download Submit

        • C:\Users\Public\rtwitoghbklj.bat
          Filesize

          480B

          MD5

          2981447b673ed84cf8a20457f175ff52

          SHA1

          f92a9f28c9da1d09a8332d68287a74cd7d3a2538

          SHA256

          f9459c9065454839cd1306c2e7759513bc5d204eb9a8095f5d49bd88654d8309

          SHA512

          2ac7562bbf63d2befc037c02a6bd89d1d76e7df28004b151d7d6c4d61cfa0347a21879995b797f40da20da1ce763147cf18864e0a90906fbb71b74d190f8193b

          Download Submit

        • C:\Users\Public\rtwitoghbklj.bat
          Filesize

          480B

          MD5

          2981447b673ed84cf8a20457f175ff52

          SHA1

          f92a9f28c9da1d09a8332d68287a74cd7d3a2538

          SHA256

          f9459c9065454839cd1306c2e7759513bc5d204eb9a8095f5d49bd88654d8309

          SHA512

          2ac7562bbf63d2befc037c02a6bd89d1d76e7df28004b151d7d6c4d61cfa0347a21879995b797f40da20da1ce763147cf18864e0a90906fbb71b74d190f8193b

          Download Submit

        • memory/476-62-0x0000000001F50000-0x0000000001F51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/580-79-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2220-19-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-45-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-14-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-17-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-18-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-16-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-0-0x000000002F521000-0x000000002F522000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2220-21-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-24-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-25-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-12-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-11-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-44-0x0000000070E0D000-0x0000000070E18000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2220-13-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-46-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-47-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-48-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-9-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-10-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-8-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-7-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-5-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-6-0x00000000007E0000-0x00000000008E0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2220-2-0x0000000070E0D000-0x0000000070E18000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2220-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download