Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/10/2023, 13:15

General

  • Target
    EXTERNAL Deductions.msg
  • Size
    99KB
  • MD5
    14bf94e81fe592798a3cc26ed75cd576
  • SHA1
    ee948fa6663c561b172c83d8f00e0df87fc429a7
  • SHA256
    9f553b4acde4443b399b35183576efbe2a4a1930cef35a01892bea93687cdf58
  • SHA512
    1dc106cf823db79da865a99e1cafbb9a7e22c879698f2b7a7ce927c006a3943abd7c7728dfd8d794153a0f62d4f206ef440d5db18eba55a095fd555bc77196f7
  • SSDEEP
    1536:HH7GtKQWiXIcfewjWczWMvmsYETwRrv71F3CwQX20K:n7G8QWiXheKvNcA

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 33 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\EXTERNAL Deductions.msg"
    1⤵
    • Modifies registry class
    PID:2764
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\EXTERNAL Deductions.msg
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2136
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\EXTERNAL Deductions.msg
        3⤵
        • Modifies Internet Explorer settings
        PID:388
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:17414 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4412
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\EXTERNAL Deductions.msg
        3⤵
        • Modifies Internet Explorer settings
        PID:2648
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:17418 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4468
  • C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
    1⤵
    PID:2580

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize
    4KB
    MD5
    1bfe591a4fe3d91b03cdf26eaacd8f89
    SHA1
    719c37c320f518ac168c86723724891950911cea
    SHA256
    9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
    SHA512
    02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    471B
    MD5
    8e225693e0f5e0fe87b6c0651cc02e7b
    SHA1
    26f2699564942c92abc40938ddebbe3ee752a044
    SHA256
    d4d434f4c320c2628b270061249396b5897cd93387353aaa36c8324442c3e05f
    SHA512
    e81e1612829fc792d4c9f7b015c052b6bd3e384f7301fcbf7eb485fb8b94d2d16fd152034253ec74f9d0578eb5c669a607a0c1b8ef007fb5f5263ac9078e220b
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize
    338B
    MD5
    ff9a99bc53ecc2bdfe3c61c666296aa0
    SHA1
    c3714ad21dd2fea8b75ff5d01db6c4a3ec65d0ee
    SHA256
    c5f1b12ba5d9355bc4039994abbfb0dcffb0d5bcea098346acbf2d1045981d70
    SHA512
    89cd9d5eeb3258b21d940b3e2404c8b99f11b6bb3b04cc7963be899fbe01d48c530890049dd676161bab799b44a65fc9f9c83e5d806f064ae07950820eca8760
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    404B
    MD5
    72c1a0abfa22f2b9a01d1f88fdb7b2d4
    SHA1
    f0c2d5c4af96472570baeb6360f91ca417bc415e
    SHA256
    48d1f73d669164c8a2c31d44a71ce8329c80f53159c8e85090326b7eab49524b
    SHA512
    e3f634b70d92affcf314e8b867006745fcfb9e8d3ba87d61b24ff3ad7769e1a15a8a6ed135f06543452a15bc4852a6d840e0d1478d6e684d97d1f8dfbd413480
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF6E9.tmp
    Filesize
    15KB
    MD5
    1a545d0052b581fbb2ab4c52133846bc
    SHA1
    62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256
    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512
    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d