Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
27/11/2023, 14:46
Behavioral task
behavioral1
Sample
khaosat_trieuchung.doc_1
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
khaosat_trieuchung.doc_1
Resource
win10v2004-20231023-en
General
-
Target
khaosat_trieuchung.doc_1
-
Size
43KB
-
MD5
167949ba90da85c8b56878d95be19c1a
-
SHA1
d9d0e6f1f0d368d77897c784faf73019b36fbbe9
-
SHA256
9cafe1ff820182f2d33d662bc3b4018caf27c49d50242573f9620f06001c582f
-
SHA512
cfe9a3179f2ad7c1ad401fafaa8cc8d043cb994513d57e2e01c2b4133b4d0d3636ffa2af5b017d16fe044a97331832af10f40c06c2eebb47332915a74293be6d
-
SSDEEP
384:r+ql8iSUR/8dQwn+zmkYEbMGceEfzbm2ue0n0g5mrLI7aRBZy0jJxAtt:6qT/qMmkYUhEbyVe00g5mrLQaR6
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\doc_1_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\.doc_1\ = "doc_1_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\doc_1_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\doc_1_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\.doc_1 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\doc_1_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\doc_1_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\doc_1_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2628 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2628 AcroRd32.exe 2628 AcroRd32.exe 2628 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1720 wrote to memory of 2664 1720 cmd.exe 29 PID 1720 wrote to memory of 2664 1720 cmd.exe 29 PID 1720 wrote to memory of 2664 1720 cmd.exe 29 PID 2664 wrote to memory of 2628 2664 rundll32.exe 30 PID 2664 wrote to memory of 2628 2664 rundll32.exe 30 PID 2664 wrote to memory of 2628 2664 rundll32.exe 30 PID 2664 wrote to memory of 2628 2664 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\khaosat_trieuchung.doc_11⤵
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\khaosat_trieuchung.doc_12⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\khaosat_trieuchung.doc_1"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2628
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD546531f32199983145438adeb8a98820a
SHA1ccc83279b847c2f20e9567af9177aa329a4c4124
SHA256c6da2360ec2e63068dd9da6a989daf468c61f9d76082fa7cff663f8a1348b8c9
SHA512a24da5eada3ce6e2e5a091b67d1c157f28db9631c6f86f5e3c818e231f079ae375af3461050cb5e469dbd3e9a4599ef19fa6297899571cf1249e9e1e52d33598