Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 06:34
Static task
- static1
Behavioral task
- behavioral1: sample 112f03f4f459613b04f3687bda73adb0.exe on resource win7-20231215-en
- behavioral2: sample 112f03f4f459613b04f3687bda73adb0.exe on resource win10v2004-20231215-en (the run this report describes)
General
- Target: 112f03f4f459613b04f3687bda73adb0.exe
- Size: 2.0MB
- MD5: 112f03f4f459613b04f3687bda73adb0
- SHA1: 080fab9f23b521fb34d24bbacb5ab0be69fd491f
- SHA256: 25466a99fe4be639cbceb8edcb5f63440ada94ec8d428cf186bc2a6ac5a79442
- SHA512: f3764db06bfca61518b04ab25a2a7ae8c06dedf6e2c414994833f628a80c2003628f82e6917df31281055114a20ffe2d022c09361781c0666a0ec97cf83fe048
- SSDEEP: 49152:OFUcx88PWPOpX0SFlvEZvgVmyh59T0XM4n2kVqmn+IDRudyGc:O+K88uPCH8vRi9TYoYRDYdyGc
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (process: 46AE.tmp)
- Executes dropped EXE (1 IoC)
  PID 5876, process 46AE.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No IoC is attached, so the report does not say which process did this.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
  All three hits are attributed to WINWORD.EXE rather than to the sample or the dropped 46AE.tmp; Office reads these keys during its own start-up, so this is weak evidence that the sample itself checks for a sandbox.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
  Same caveat: these reads come from WINWORD.EXE, not from the sample.
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings (process: 46AE.tmp)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 4576, process WINWORD.EXE (2 hits)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 5876, process 46AE.tmp
- Suspicious use of SetWindowsHookEx (10 IoCs)
  PID 4576, process WINWORD.EXE (10 hits). Like the clipboard listener above, this is attributed to Word itself, not to the sample.
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 804 (112f03f4f459613b04f3687bda73adb0.exe) wrote to memory of PID 5876 (46AE.tmp), procid_target 22: 3 hits
  PID 5876 (46AE.tmp) wrote to memory of PID 4576 (WINWORD.EXE), procid_target 72: 2 hits
  In both cases the writer is the target's parent in the process tree below, which is consistent with ordinary process start-up rather than injection into an unrelated process; the report shows no write into a process the sample did not itself start.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No IoC is attached, so no task name or triggering process is recorded here.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots. Neither VSS signature carries an IoC, and the report records no shadow-copy deletion; treat them as API-usage indicators, not as confirmed destruction of backups.
Processes
- C:\Users\Admin\AppData\Local\Temp\112f03f4f459613b04f3687bda73adb0.exe (PID 804, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\112f03f4f459613b04f3687bda73adb0.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\46AE.tmp (PID 5876, depth 2, spawned by PID 804)
    Command line: "C:\Users\Admin\AppData\Local\Temp\46AE.tmp" --splashC:\Users\Admin\AppData\Local\Temp\112f03f4f459613b04f3687bda73adb0.exe 5F232573703FD1908B5CD6065820FA63E9DF9CD0DA4298BB91F561C91A36C58CD454453CBEE0E6895428A0B32C587D28D02CE3955DC962FBF6B4FCDC9E39A599
    Signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4576, depth 3, spawned by PID 5876)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\112f03f4f459613b04f3687bda73adb0.docx" /o ""
      Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

Read as a chain: the sample drops and runs 46AE.tmp from its own Temp directory, passing its own path and a 128-hex-digit argument; 46AE.tmp reads the Geo\Nation value, renames itself, and launches Word on a .docx that sits in the same Temp directory under the sample's own base name. The signatures attributed to WINWORD.EXE are Word's behaviour after that point.
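The chain above (Temp-resident sample, dropped .tmp helper that reads Geo\Nation and renames itself, Word opened on a same-named .docx from Temp) is a pattern worth catching in endpoint telemetry, not only in a sandbox. The following is an added detection example, not part of the tria.ge report or its signature engine: plain Python over process and registry-read records constructed from this report's process tree and IoCs. The `Proc` record type, `find_decoy_chains` and the `BENIGN_EVENTS` control are the example's own inventions; real EDR field names will differ.

```python
"""Detection logic for the chain in this report: sample.exe -> dropped
46AE.tmp (reads Geo\\Nation, renames itself) -> WINWORD.EXE opening a
decoy .docx from %TEMP% that carries the sample's own base name.
Event records below are constructed from the report's tree and IoCs."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOC_EXTS = (".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx")
# Geofence key queried by 46AE.tmp in the report (suffix match, any user SID).
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"


@dataclass
class Proc:
    """Hypothetical process record; fields mirror what the report lists."""
    pid: int
    ppid: int | None
    image: str
    cmdline: str
    reg_reads: list[str] = field(default_factory=list)


def in_user_temp(path: str) -> bool:
    """True for paths under C:\\Users\\<user>\\AppData\\Local\\Temp."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "appdata" in parts and "temp" in parts


def quoted_args(cmdline: str) -> list[str]:
    """Return the non-empty double-quoted arguments of a command line."""
    return re.findall(r'"([^"]+)"', cmdline)


def find_decoy_chains(procs: list[Proc]) -> list[dict]:
    """Flag Office hosts whose parent and grandparent both run from user Temp
    and which open a document that also lives in user Temp."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for office in procs:
        if PureWindowsPath(office.image).name.lower() not in OFFICE_HOSTS:
            continue
        helper = by_pid.get(office.ppid)
        if helper is None or not in_user_temp(helper.image):
            continue  # Word started by Explorer or the user: not this pattern
        dropper = by_pid.get(helper.ppid)
        if dropper is None or not in_user_temp(dropper.image):
            continue
        docs = [a for a in quoted_args(office.cmdline)
                if a.lower().endswith(DOC_EXTS) and in_user_temp(a)]
        if not docs:
            continue
        decoy = docs[0]
        reasons = [
            f"{PureWindowsPath(helper.image).name} ran from user Temp as a child "
            f"of {PureWindowsPath(dropper.image).name}",
            f"Office host opened {decoy} from user Temp",
        ]
        if PureWindowsPath(decoy).stem.lower() == PureWindowsPath(dropper.image).stem.lower():
            reasons.append("decoy document carries the dropper's own file name")
        if any(k.lower().endswith(GEO_KEY_SUFFIX) for k in helper.reg_reads):
            reasons.append("helper read Control Panel\\International\\Geo\\Nation (possible geofence)")
        findings.append({"dropper_pid": dropper.pid, "helper_pid": helper.pid,
                         "office_pid": office.pid, "decoy": decoy, "reasons": reasons})
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "112f03f4f459613b04f3687bda73adb0"

# Constructed from the report's process tree; the long hex argument is shortened.
SAMPLE_EVENTS = [
    Proc(804, None, rf"{TEMP}\{SAMPLE}.exe", rf'"{TEMP}\{SAMPLE}.exe"'),
    Proc(5876, 804, rf"{TEMP}\46AE.tmp",
         rf'"{TEMP}\46AE.tmp" --splash {TEMP}\{SAMPLE}.exe 5F232573703FD190...',
         reg_reads=[r"\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000"
                    r"\Control Panel\International\Geo\Nation"]),
    Proc(4576, 5876, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         rf'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "{TEMP}\{SAMPLE}.docx" /o ""'),
]

# Constructed benign control: a user double-clicks a document in Explorer.
BENIGN_EVENTS = [
    Proc(1000, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(2000, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\report.docx"'),
]

if __name__ == "__main__":
    for f in find_decoy_chains(SAMPLE_EVENTS):
        print(f"decoy chain: {f['dropper_pid']} -> {f['helper_pid']} -> {f['office_pid']}")
        for r in f["reasons"]:
            print("  -", r)
    print("benign control:", find_decoy_chains(BENIGN_EVENTS))
```

The rule deliberately keys on the Temp-to-Temp parent chain plus a Temp-resident document rather than on the WINWORD.EXE registry reads, which (as noted under Signatures) Word performs on its own and which would fire on the benign control as well.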
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 381KB
  MD5: cf7fd13e92f7e1bbd0cad92c7ca192f6
  SHA1: 30dcc2a463a5bef6c98f8b5ea016e907a5fa8dc4
  SHA256: 4b713e9fd4a2cb197b9c92f0449c1cea0b4edaa5c425f798280da3a69f3f547d
  SHA512: bb1f910b32e00d828f3efdcc5445871887c43df962bea2b01c2de3781dfc2c90b1063ef3dea053798890aaa09c52476d472db00000f84f855cab3b576b674975