Analysis
  max time kernel:  138s
  max time network: 267s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231023-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        30/10/2023, 10:24
Behavioral tasks
  behavioral1
    Sample:   Document Purchase Order BNK-295980.msg
    Resource: win10v2004-20231023-en
  behavioral2
    Sample:   PO_300000001553044_BNK-295980_0.zip
    Resource: win10v2004-20231020-en
  behavioral3
    Sample:   PO_300000001553044_BNK-295980_0.pdf
    Resource: win10v2004-20231020-en
General
  Target: Document Purchase Order BNK-295980.msg
  Size:   264KB
  MD5:    616cf66aa84b76dbb575de88d65d6f80
  SHA1:   aa1d299b0de6e195c5177815c08082fcf4b9962f
  SHA256: f7c753b43a9dd03a388e57237a14861e28db225e6c11ad3ea04a80143aad8a71
  SHA512: 545223b66f33aa8c34dbf6b2371a6c4d34c3f52b291ab76c16f99521723b1106388047e3f6fd5c6ee66edd64e1d18f72bb579adf90b6e86e1c92489a0252df40
  SSDEEP: 6144:Kh+EMdRduTOxCuTeg+kmpOUprp28qXwLx7UkaZCiFr9qUQl0rr:jRnxUr928FLxStDQl0rr
Malware Config
  (none extracted)

Signatures
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Modifies registry class (2 IoCs)
    description   ioc                                                                                          Process
    Key created   \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings   cmd.exe
    Key created   \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings   OpenWith.exe

  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid    Process
    4432   OpenWith.exe

  Suspicious use of SetWindowsHookEx (29 IoCs)
    pid    Process
    4432   OpenWith.exe   (the same pid/process pair is listed for each of the 29 IoCs)

  Suspicious use of WriteProcessMemory (2 IoCs)
    description                        pid    Process        procid_target
    PID 4432 wrote to memory of 952    4432   OpenWith.exe   94
    PID 4432 wrote to memory of 952    4432   OpenWith.exe   94
Processes
  C:\Windows\system32\cmd.exe
    command: cmd /c "C:\Users\Admin\AppData\Local\Temp\Document Purchase Order BNK-295980.msg"
    PID: 3864
    signatures: Modifies registry class

  C:\Windows\system32\OpenWith.exe
    command: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 4432
    signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    C:\Windows\system32\NOTEPAD.EXE  (child of PID 4432)
      command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Document Purchase Order BNK-295980.msg
      PID: 952