Analysis

max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 17:53
Static task: static1

Behavioral task: behavioral1
  Sample: c13a7c20e658b8c5f8e2958eaa94331e.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: c13a7c20e658b8c5f8e2958eaa94331e.exe
  Resource: win10v2004-20240226-en
General

Target: c13a7c20e658b8c5f8e2958eaa94331e.exe
Size: 2.0MB
MD5: c13a7c20e658b8c5f8e2958eaa94331e
SHA1: 9ab3f9aba8a596fbc8fcfd43ef6f59a27476c57b
SHA256: 8c9a6379b79aae42de97eddcb6566cdfdeeadb9b1990b217bced4aff87940c7f
SHA512: afc58c261fdee76fc47a91e7b93c345be60e0d3b224098568044808c5d8cc21e52fd6e931861ca27705a091b0fc5430988d3624447c72cc6540c30e9e4faee99
SSDEEP: 49152:OFUcx88PWPOpX0SFEPCX/6bsqLZINvfhY+0l6YxTLyGc:O+K88uPCHuayQqu3hY+0l1LyGc
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1936  1620.tmp

Loads dropped DLL (1 IoC)
  pid   Process
  2260  c13a7c20e658b8c5f8e2958eaa94331e.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (9 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  2992  WINWORD.EXE

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  1936  1620.tmp

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  2992  WINWORD.EXE  (6 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2260 wrote to memory of 1936 | 2260 | c13a7c20e658b8c5f8e2958eaa94331e.exe | 28
  PID 2260 wrote to memory of 1936 | 2260 | c13a7c20e658b8c5f8e2958eaa94331e.exe | 28
  PID 2260 wrote to memory of 1936 | 2260 | c13a7c20e658b8c5f8e2958eaa94331e.exe | 28
  PID 2260 wrote to memory of 1936 | 2260 | c13a7c20e658b8c5f8e2958eaa94331e.exe | 28
  PID 1936 wrote to memory of 2992 | 1936 | 1620.tmp | 29
  PID 1936 wrote to memory of 2992 | 1936 | 1620.tmp | 29
  PID 1936 wrote to memory of 2992 | 1936 | 1620.tmp | 29
  PID 1936 wrote to memory of 2992 | 1936 | 1620.tmp | 29
Processes

C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe  (PID 2260)
  command line: "C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1620.tmp  (PID 1936, child of 2260)
    command line: "C:\Users\Admin\AppData\Local\Temp\1620.tmp" --splash C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe 4F0951C49151D5AF87F1B0848364C29908503554A2942B5F6EC482F6A58A8EB18503B51AE41E04F8346CA2EA899A2A1B7C15EDB34455F25B3ACE210E0FA01789
    - Executes dropped EXE
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 2992, child of 1936)
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx"
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
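The process chain in this report (sample in the user's Temp directory, a dropped 1620.tmp stub, then WINWORD.EXE opening a .docx from the same Temp directory) is the kind of structure a triage script should rebuild from the raw IoC tables rather than by eye. The Python below is an added example, not tria.ge code or anything from the sample: it takes the process records and the WriteProcessMemory rows exactly as printed in this report (copied here as constructed input), links each process to the first process that wrote into its memory (an assumption: in the trace that writer is the creator populating its new child), and flags two patterns that are this example's own heuristics, not tria.ge signatures: a .tmp executable run from the user's Temp directory, and an Office application launched by a Temp-resident binary. The Internet Explorer MenuExt and Toolbar keys written by WINWORD.EXE are standard Office 2010 (Office14) integration entries, so the example deliberately does not treat them as indicators.

```python
"""Rebuild the process tree of a tria.ge-style report and flag dropped-executable chains.

Added example, not tria.ge code. The process list and the "wrote to memory" rows are
copied from this report (constructed input); the parent link, the path heuristics and
the wording of the findings are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None
    children: List[int] = field(default_factory=list)


# Process records from the report's Processes section (constructed from the page).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe"
STUB = r"C:\Users\Admin\AppData\Local\Temp\1620.tmp"
DOCX = r"C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
STUB_ARG = "4F0951C49151D5AF87F1B0848364C29908503554A2942B5F6EC482F6A58A8EB18503B51AE41E04F8346CA2EA899A2A1B7C15EDB34455F25B3ACE210E0FA01789"
PROCESSES: Dict[int, Proc] = {
    2260: Proc(2260, SAMPLE, f'"{SAMPLE}"'),
    1936: Proc(1936, STUB, f'"{STUB}" --splash {SAMPLE} {STUB_ARG}'),
    2992: Proc(2992, WINWORD, f'"{WINWORD}" /n "{DOCX}"'),
}

# Rows of the "Suspicious use of WriteProcessMemory" table, as printed in the report.
WPM_ROWS = """\
PID 2260 wrote to memory of 1936 2260 c13a7c20e658b8c5f8e2958eaa94331e.exe 28
PID 2260 wrote to memory of 1936 2260 c13a7c20e658b8c5f8e2958eaa94331e.exe 28
PID 2260 wrote to memory of 1936 2260 c13a7c20e658b8c5f8e2958eaa94331e.exe 28
PID 2260 wrote to memory of 1936 2260 c13a7c20e658b8c5f8e2958eaa94331e.exe 28
PID 1936 wrote to memory of 2992 1936 1620.tmp 29
PID 1936 wrote to memory of 2992 1936 1620.tmp 29
PID 1936 wrote to memory of 2992 1936 1620.tmp 29
PID 1936 wrote to memory of 2992 1936 1620.tmp 29
"""
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)")

# Heuristics (assumptions for this example, not tria.ge signatures).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
OFFICE_RE = re.compile(r"\\(?:WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)
QUOTED_DOC_RE = re.compile(r'"([^"]+\.(?:docx?|xlsx?|pptx?|rtf))"', re.I)


def build_tree(processes: Dict[int, Proc], wpm_rows: str) -> Dict[int, Proc]:
    """Link each process to its parent. Assumption: the first process that writes into
    a target's memory is its creator, so the first writer of each pid becomes its parent.
    Returns fresh Proc objects so the input table is left untouched."""
    tree = {pid: Proc(p.pid, p.image, p.cmdline) for pid, p in processes.items()}
    for row in wpm_rows.splitlines():
        m = WPM_RE.match(row)
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        if writer != target and writer in tree and target in tree and tree[target].parent is None:
            tree[target].parent = writer
            tree[writer].children.append(target)
    return tree


def chain(tree: Dict[int, Proc], pid: int) -> List[int]:
    """Pid chain from the root down to pid, e.g. [2260, 1936, 2992]."""
    out: List[int] = []
    cur: Optional[int] = pid
    while cur is not None:
        out.append(cur)
        cur = tree[cur].parent
    return out[::-1]


def analyze(tree: Dict[int, Proc]) -> List[str]:
    """Apply the two heuristics to every process that has a known parent."""
    findings: List[str] = []
    for p in tree.values():
        if p.parent is None:
            continue
        parent = tree[p.parent]
        path = "->".join(str(x) for x in chain(tree, p.pid))
        if TEMP_RE.search(p.image) and p.image.lower().endswith(".tmp"):
            findings.append(f"pid {p.pid}: .tmp executable run from user Temp by pid {parent.pid} ({path})")
        if OFFICE_RE.search(p.image) and TEMP_RE.search(parent.image):
            doc = QUOTED_DOC_RE.search(p.cmdline)
            opened = doc.group(1) if doc else "no document"
            findings.append(f"pid {p.pid}: Office application launched by Temp-resident binary ({path}), opening {opened}")
    return findings


if __name__ == "__main__":
    for line in analyze(build_tree(PROCESSES, WPM_ROWS)):
        print(line)
```

On this report the script links 2260 -> 1936 -> 2992 and produces two findings, one for the .tmp stub and one for WINWORD.EXE being started by that stub with the Temp-resident .docx. The repeated rows in the WriteProcessMemory table are harmless because only the first writer of each target pid is taken as the parent.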
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 19KB
MD5: 4046ff080673cffac6529512b8d3bdbb
SHA1: d3cbc39065b7a55e995fa25397da2140bdac80c1
SHA256: f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680
SHA512: 453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Filesize: 2.0MB
MD5: ab2d2f86f77a9666415889702cb7aaed
SHA1: 07725b1c322762b7bf01f97e82faea43c70cb5d3
SHA256: 219c47b848d5b87356995147a25e6cc6b4313f0293e3bc56e1a545a7e5acf466
SHA512: 623100ad1831e1b35f8aaeea9ae076c4a6ff8542114239b0d228250bdda8acca59b1e37249f4e8e9a5249d25e30c39e7eb24852d5977e846bf3dbc39ad22afbf