Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/02/2024, 09:15
Static task
static1
Behavioral task
behavioral1
Sample
ab89765475870055185af16aa054e783.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ab89765475870055185af16aa054e783.exe
Resource
win10v2004-20240226-en
General
-
Target
ab89765475870055185af16aa054e783.exe
-
Size
2.0MB
-
MD5
ab89765475870055185af16aa054e783
-
SHA1
c51f015a7af6c48430071249b6186c768b9a2583
-
SHA256
5e20c276fac39a67b690ea078f1ef488c4623f33b94b1ab15d1983b3eeb962cc
-
SHA512
9a3b7dd06ba605d686247ace58dfb972af2759360d64db67b8ce7ad93335f25a53ce0b9dfbe2698934e85bd2d8f1046d709f76ab03228af1d62c3e0ed5d26f22
-
SSDEEP
49152:WFUcx88PWPOpX0SFwjwJst1ZmnGVauHee7OafC5EylaJYKBV6XbyGc:W+K88uPCHOF1ZmGlHtOafPylaJKyGc
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2696 626B.tmp -
Loads dropped DLL 1 IoCs
pid Process 2936 ab89765475870055185af16aa054e783.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2100 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2696 626B.tmp -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2100 WINWORD.EXE 2100 WINWORD.EXE 2100 WINWORD.EXE 2100 WINWORD.EXE 2100 WINWORD.EXE 2100 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2696 2936 ab89765475870055185af16aa054e783.exe 28 PID 2936 wrote to memory of 2696 2936 ab89765475870055185af16aa054e783.exe 28 PID 2936 wrote to memory of 2696 2936 ab89765475870055185af16aa054e783.exe 28 PID 2936 wrote to memory of 2696 2936 ab89765475870055185af16aa054e783.exe 28 PID 2696 wrote to memory of 2100 2696 626B.tmp 29 PID 2696 wrote to memory of 2100 2696 626B.tmp 29 PID 2696 wrote to memory of 2100 2696 626B.tmp 29 PID 2696 wrote to memory of 2100 2696 626B.tmp 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab89765475870055185af16aa054e783.exe"C:\Users\Admin\AppData\Local\Temp\ab89765475870055185af16aa054e783.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\626B.tmp"C:\Users\Admin\AppData\Local\Temp\626B.tmp" --splashC:\Users\Admin\AppData\Local\Temp\ab89765475870055185af16aa054e783.exe 0EE3968BFFFB6A12AA000B47AA224B024D751962D1498403B9A312E2451A9B453C947BF99FB837901762041D60181D87F01D966C3E6003882F45FB87EA9E74B92⤵
- Executes dropped EXE
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ab89765475870055185af16aa054e783.docx"3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2100
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD54046ff080673cffac6529512b8d3bdbb
SHA1d3cbc39065b7a55e995fa25397da2140bdac80c1
SHA256f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680
SHA512453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418
-
Filesize
2.0MB
MD5537437355f205d38edaa53ad04371e38
SHA11cb2be22dc543fe4934743111ed0db8126f83c15
SHA2569a92c2eaf47f4d0703775208b3ded915eaab3a2c5db5d0acfc7c99893998e14d
SHA5123c8db772e3814f4dcd4c2defad28d766e411e693adb06bfaf0f04f1c34638e0d13f942467c81a868a916876f650e6582cfac7a5536e51e3562ea4403bbc2c4e3