Analysis
max time kernel: 135s
max time network: 146s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2023, 12:35
Static task: static1
Behavioral task: behavioral1
  Sample: a58aab3bd2cfaa86f7557e33b096c905_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: a58aab3bd2cfaa86f7557e33b096c905_JC.exe
  Resource: win10v2004-20230915-en
General
Target: a58aab3bd2cfaa86f7557e33b096c905_JC.exe
Size: 40KB
MD5: a58aab3bd2cfaa86f7557e33b096c905
SHA1: 656e534616387ea872005c8a1263a4303a2a1b03
SHA256: 5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701
SHA512: 1fee3268e2de603362b70182905352420fb298eaf10ab57b684bff2a41d3360bb8ae6e35e0391236e28758d88c7dae9a9663108fe161a551aa03ab8bb0c26435
SSDEEP: 768:qZL/0F24lercjO4sTZg5ZLvn2IuWZ0kqKNPWQHpa:OLsF2Kerc64sTiX2IV0Dhua
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 2760  Process WINWORD.exe
  pid 2748  Process WINWORD.exe
Loads dropped DLL (4 IoCs)
  pid 2132  Process a58aab3bd2cfaa86f7557e33b096c905_JC.exe
  pid 2132  Process a58aab3bd2cfaa86f7557e33b096c905_JC.exe
  pid 2616  Process cmd.exe
  pid 2616  Process cmd.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWORD = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\WINWORD.exe -r"
  Process: WINWORD.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTPs, 3 IoCs)
  pid 2724  Process PING.EXE
  pid 2708  Process PING.EXE
  pid 2644  Process PING.EXE
Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                  procid_target
  PID 2132 wrote to memory of 2760   2132  a58aab3bd2cfaa86f7557e33b096c905_JC.exe  28
  PID 2132 wrote to memory of 2760   2132  a58aab3bd2cfaa86f7557e33b096c905_JC.exe  28
  PID 2132 wrote to memory of 2760   2132  a58aab3bd2cfaa86f7557e33b096c905_JC.exe  28
  PID 2132 wrote to memory of 2760   2132  a58aab3bd2cfaa86f7557e33b096c905_JC.exe  28
  PID 2760 wrote to memory of 2616   2760  WINWORD.exe                              29
  PID 2760 wrote to memory of 2616   2760  WINWORD.exe                              29
  PID 2760 wrote to memory of 2616   2760  WINWORD.exe                              29
  PID 2760 wrote to memory of 2616   2760  WINWORD.exe                              29
  PID 2616 wrote to memory of 2708   2616  cmd.exe                                  31
  PID 2616 wrote to memory of 2708   2616  cmd.exe                                  31
  PID 2616 wrote to memory of 2708   2616  cmd.exe                                  31
  PID 2616 wrote to memory of 2708   2616  cmd.exe                                  31
  PID 2616 wrote to memory of 2644   2616  cmd.exe                                  32
  PID 2616 wrote to memory of 2644   2616  cmd.exe                                  32
  PID 2616 wrote to memory of 2644   2616  cmd.exe                                  32
  PID 2616 wrote to memory of 2644   2616  cmd.exe                                  32
  PID 2616 wrote to memory of 2724   2616  cmd.exe                                  33
  PID 2616 wrote to memory of 2724   2616  cmd.exe                                  33
  PID 2616 wrote to memory of 2724   2616  cmd.exe                                  33
  PID 2616 wrote to memory of 2724   2616  cmd.exe                                  33
  PID 2616 wrote to memory of 2748   2616  cmd.exe                                  34
  PID 2616 wrote to memory of 2748   2616  cmd.exe                                  34
  PID 2616 wrote to memory of 2748   2616  cmd.exe                                  34
  PID 2616 wrote to memory of 2748   2616  cmd.exe                                  34
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\a58aab3bd2cfaa86f7557e33b096c905_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a58aab3bd2cfaa86f7557e33b096c905_JC.exe"
  PID: 2132
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" -r
    PID: 2760
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Admin\AppData\Roaming\Mozilla\0000070F" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
      PID: 2616
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 2
        PID: 2708
        - Runs ping.exe
      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 2
        PID: 2644
        - Runs ping.exe
      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 2
        PID: 2724
        - Runs ping.exe
      Level 4: C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
        PID: 2748
        - Executes dropped EXE
        - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 40KB
MD5: bcbada1a62603db72924600482ccb493
SHA1: 2186de6a0573d7ba00b52f43eee15d87b3bd62c3
SHA256: b5cd124181ebbbb001a7cd54504119e9052cf96c6137cb78d7e2eb40843c845d
SHA512: 8c8ddfb73484a3e6b38ad92ef32cb6676c8b18794f716e34b79cd8b95acca4e63897dd283fc0d784ff0113460258cf74f23c7ee016682ed03342e461d33e0a8f

Filesize: 40KB
MD5: a58aab3bd2cfaa86f7557e33b096c905
SHA1: 656e534616387ea872005c8a1263a4303a2a1b03
SHA256: 5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701
SHA512: 1fee3268e2de603362b70182905352420fb298eaf10ab57b684bff2a41d3360bb8ae6e35e0391236e28758d88c7dae9a9663108fe161a551aa03ab8bb0c26435