Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 08:06
Static task: static1
Behavioral task: behavioral1
Sample: 5e6cc5735d0ade6949c115d0b57853af.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 5e6cc5735d0ade6949c115d0b57853af.exe
Resource: win10v2004-20231222-en
General
Target: 5e6cc5735d0ade6949c115d0b57853af.exe
Size: 2.0MB
MD5: 5e6cc5735d0ade6949c115d0b57853af
SHA1: 304275ae624aa1a12eac83cda415b4acf9f30533
SHA256: ede16809d33515e9189397610f0e580c1016a7cca138823f94e20667f7badf11
SHA512: af0e18354c211b490797c57de85464ea7b6f2aa412c72c40b6b38f471e1a0e79c4416dd1262df2320f266e7bdd781c0a47777eb46f51c15be11a5b0be13ddc44
SSDEEP: 49152:OFUcx88PWPOpX0SFrL5cS/W253ExzI9nzFXNpA1yGc:O+K88uPCHF5cSu7Rop0yGc
Malware Config
Signatures
- Executes dropped EXE 1 IoCs
  pid | Process
  1968 | 3CD2.tmp
- Loads dropped DLL 1 IoCs
  pid | Process
  2540 | 5e6cc5735d0ade6949c115d0b57853af.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | Process
  2804 | WINWORD.EXE
- Suspicious behavior: RenamesItself 1 IoCs
  pid | Process
  1968 | 3CD2.tmp
- Suspicious use of SetWindowsHookEx 7 IoCs
  pid | Process
  2804 | WINWORD.EXE (reported 7 times)
- Suspicious use of WriteProcessMemory 8 IoCs
  description | pid | Process | procid_target
  PID 2540 wrote to memory of 1968 | 2540 | 5e6cc5735d0ade6949c115d0b57853af.exe | 28
  PID 2540 wrote to memory of 1968 | 2540 | 5e6cc5735d0ade6949c115d0b57853af.exe | 28
  PID 2540 wrote to memory of 1968 | 2540 | 5e6cc5735d0ade6949c115d0b57853af.exe | 28
  PID 2540 wrote to memory of 1968 | 2540 | 5e6cc5735d0ade6949c115d0b57853af.exe | 28
  PID 1968 wrote to memory of 2804 | 1968 | 3CD2.tmp | 29
  PID 1968 wrote to memory of 2804 | 1968 | 3CD2.tmp | 29
  PID 1968 wrote to memory of 2804 | 1968 | 3CD2.tmp | 29
  PID 1968 wrote to memory of 2804 | 1968 | 3CD2.tmp | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe"
   PID: 2540
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3CD2.tmp (child of PID 2540)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3CD2.tmp" --splash C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe 07792D10D594188045DEC28DA9E63A78F46511B47AF364F757C7047F2725F38BA686A4644F6B0C1AD8FE51E55E29B91D9E4C7BD622D6FF5F290379185129FA1F
      PID: 1968
      - Executes dropped EXE
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (child of PID 1968)
         Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.docx"
         PID: 2804
         - Modifies Internet Explorer settings
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads