Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11/03/2024, 17:53
Static task
static1
Behavioral task
behavioral1
Sample
c13a7c20e658b8c5f8e2958eaa94331e.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
c13a7c20e658b8c5f8e2958eaa94331e.exe
Resource
win10v2004-20240226-en
General
-
Target
c13a7c20e658b8c5f8e2958eaa94331e.exe
-
Size
2.0MB
-
MD5
c13a7c20e658b8c5f8e2958eaa94331e
-
SHA1
9ab3f9aba8a596fbc8fcfd43ef6f59a27476c57b
-
SHA256
8c9a6379b79aae42de97eddcb6566cdfdeeadb9b1990b217bced4aff87940c7f
-
SHA512
afc58c261fdee76fc47a91e7b93c345be60e0d3b224098568044808c5d8cc21e52fd6e931861ca27705a091b0fc5430988d3624447c72cc6540c30e9e4faee99
-
SSDEEP
49152:OFUcx88PWPOpX0SFEPCX/6bsqLZINvfhY+0l6YxTLyGc:O+K88uPCHuayQqu3hY+0l1LyGc
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation 4297.tmp -
Executes dropped EXE 1 IoCs
pid Process 3272 4297.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings 4297.tmp -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3332 WINWORD.EXE 3332 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3272 4297.tmp -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 3332 WINWORD.EXE 3332 WINWORD.EXE 3332 WINWORD.EXE 3332 WINWORD.EXE 3332 WINWORD.EXE 3332 WINWORD.EXE 3332 WINWORD.EXE 3332 WINWORD.EXE 3332 WINWORD.EXE 3332 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4044 wrote to memory of 3272 4044 c13a7c20e658b8c5f8e2958eaa94331e.exe 90 PID 4044 wrote to memory of 3272 4044 c13a7c20e658b8c5f8e2958eaa94331e.exe 90 PID 4044 wrote to memory of 3272 4044 c13a7c20e658b8c5f8e2958eaa94331e.exe 90 PID 3272 wrote to memory of 3332 3272 4297.tmp 94 PID 3272 wrote to memory of 3332 3272 4297.tmp 94 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe"C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\4297.tmp"C:\Users\Admin\AppData\Local\Temp\4297.tmp" --splashC:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe 52EFD26ECDD19FA0D1C85E027B16309AE7621B92E88CDCF74EA217DA31C6A5F40831732B40DB8E56BBB79B3C443351CC5B079F3C01145667E543B780919F76E32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3332
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5a09d2474910628e5f9387ffd5514547b
SHA1ac72716e54d434c3f09f6ff1f00a48d6a0b41601
SHA256d59e2d88a9fe1c219d4d87ae96b591fbdcce551076c28c65eb29c3444987c102
SHA51270a1a1bd1594599981877df4e9a73e90573fbfbe5242401d8eef8cf4007134c0ca21eaa5c86176d462d22c5ad78a7f04c5aebefda50ab0cb46c1dd97b03ee5f8
-
Filesize
19KB
MD54046ff080673cffac6529512b8d3bdbb
SHA1d3cbc39065b7a55e995fa25397da2140bdac80c1
SHA256f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680
SHA512453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418