Analysis
- max time kernel: 30s
- max time network: 50s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/03/2024, 02:06
Static task: static1
Behavioral task: behavioral1
- Sample: 1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c.js
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c.js
- Resource: win10v2004-20231215-en
General
- Target: 1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c.js
- Size: 709KB
- MD5: 79021e344431dfff5aa6547f543b4337
- SHA1: 75f6cad7afe2ba456fb3413d68d79257d798ba07
- SHA256: 1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c
- SHA512: 985473692be9809f9ef1729aec2847b9b98202e98b429739631efe3a223b9054fa5851da948f95b4c3d9d99c4533c1b7e98fc9a5b70721fba8646f6ca0af9c2e
- SSDEEP: 12288:1opI6Gm4TM8Nju/GZ34DGltz2BRJON0eIC8vHAX5TtL+i1GFRz6u:1opIOn/GZUGKhfAXNtDkFj
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (wscript.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 1924 22975.exe
  - 224 QQ.exe
- Loads dropped DLL (1 IoC)
  pid / Process:
  - 1924 22975.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ragelses = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Jevgenij\\Salderendes.exe" (wab.exe)
- Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  - File opened for modification C:\Windows\SysWOW64\forementioned\kirstis.ini (22975.exe)
  - File opened for modification C:\Windows\SysWOW64\forementioned\kirstis.ini (QQ.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid / Process:
  - 1924 22975.exe
  - 3840 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target:
  - PID 1924 set thread context of 3840 (pid 1924, 22975.exe, procid_target 119)
- Drops file in Program Files directory (2 IoCs)
  description / ioc / Process:
  - File opened for modification C:\Program Files (x86)\Common Files\markprverne\tekstmarkeringen.str (QQ.exe)
  - File opened for modification C:\Program Files (x86)\Common Files\markprverne\tekstmarkeringen.str (22975.exe)
- Drops file in Windows directory (4 IoCs)
  description / ioc / Process:
  - File opened for modification C:\Windows\resources\0409\nuncupating.Enf (22975.exe)
  - File opened for modification C:\Windows\Fonts\Dagsarbejdes.fin (22975.exe)
  - File opened for modification C:\Windows\resources\0409\nuncupating.Enf (QQ.exe)
  - File opened for modification C:\Windows\Fonts\Dagsarbejdes.fin (QQ.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Kills process with taskkill (2 IoCs)
  pid / Process:
  - 968 taskkill.exe
  - 1464 taskkill.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid / Process:
  - 4416 WINWORD.EXE
  - 4416 WINWORD.EXE
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / Process:
  - 1924 22975.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege (968, taskkill.exe)
  - Token: SeDebugPrivilege (1464, taskkill.exe)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid / Process:
  - 4416 WINWORD.EXE
  - 4416 WINWORD.EXE
  - 4416 WINWORD.EXE
  - 4416 WINWORD.EXE
  - 4416 WINWORD.EXE
  - 4416 WINWORD.EXE
  - 4416 WINWORD.EXE
- Suspicious use of WriteProcessMemory (35 IoCs)
  description / pid / Process / procid_target:
  - PID 1732 wrote to memory of 968 (1732, wscript.exe, 84)
  - PID 1732 wrote to memory of 968 (1732, wscript.exe, 84)
  - PID 1732 wrote to memory of 1464 (1732, wscript.exe, 87)
  - PID 1732 wrote to memory of 1464 (1732, wscript.exe, 87)
  - PID 1732 wrote to memory of 3792 (1732, wscript.exe, 89)
  - PID 1732 wrote to memory of 3792 (1732, wscript.exe, 89)
  - PID 1732 wrote to memory of 2804 (1732, wscript.exe, 91)
  - PID 1732 wrote to memory of 2804 (1732, wscript.exe, 91)
  - PID 1732 wrote to memory of 4964 (1732, wscript.exe, 93)
  - PID 1732 wrote to memory of 4964 (1732, wscript.exe, 93)
  - PID 1732 wrote to memory of 4804 (1732, wscript.exe, 95)
  - PID 1732 wrote to memory of 4804 (1732, wscript.exe, 95)
  - PID 1732 wrote to memory of 2076 (1732, wscript.exe, 97)
  - PID 1732 wrote to memory of 2076 (1732, wscript.exe, 97)
  - PID 1732 wrote to memory of 544 (1732, wscript.exe, 99)
  - PID 1732 wrote to memory of 544 (1732, wscript.exe, 99)
  - PID 1732 wrote to memory of 2028 (1732, wscript.exe, 101)
  - PID 1732 wrote to memory of 2028 (1732, wscript.exe, 101)
  - PID 1732 wrote to memory of 2112 (1732, wscript.exe, 103)
  - PID 1732 wrote to memory of 2112 (1732, wscript.exe, 103)
  - PID 1732 wrote to memory of 2096 (1732, wscript.exe, 105)
  - PID 1732 wrote to memory of 2096 (1732, wscript.exe, 105)
  - PID 2096 wrote to memory of 4416 (2096, cmd.exe, 107)
  - PID 2096 wrote to memory of 4416 (2096, cmd.exe, 107)
  - PID 1732 wrote to memory of 1924 (1732, wscript.exe, 109)
  - PID 1732 wrote to memory of 1924 (1732, wscript.exe, 109)
  - PID 1732 wrote to memory of 1924 (1732, wscript.exe, 109)
  - PID 1924 wrote to memory of 3840 (1924, 22975.exe, 119)
  - PID 1924 wrote to memory of 3840 (1924, 22975.exe, 119)
  - PID 1924 wrote to memory of 3840 (1924, 22975.exe, 119)
  - PID 1924 wrote to memory of 3840 (1924, 22975.exe, 119)
  - PID 1924 wrote to memory of 3840 (1924, 22975.exe, 119)
  - PID 3840 wrote to memory of 224 (3840, wab.exe, 120)
  - PID 3840 wrote to memory of 224 (3840, wab.exe, 120)
  - PID 3840 wrote to memory of 224 (3840, wab.exe, 120)
Processes
- C:\Windows\system32\wscript.exe (PID 1732)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\1ec154ccf64f1c1e760c22f1884e6cb2af9a7c73f80cb3eb1ef04902ddcf4a3c.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\taskkill.exe (PID 968)
    Command line: "C:\Windows\System32\taskkill.exe" /im winword.exe /f
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\taskkill.exe (PID 1464)
    Command line: "C:\Windows\System32\taskkill.exe" /im winword.exe /f
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\reg.exe (PID 3792)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
  - C:\Windows\System32\reg.exe (PID 2804)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
  - C:\Windows\System32\reg.exe (PID 4964)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
  - C:\Windows\System32\reg.exe (PID 4804)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
  - C:\Windows\System32\reg.exe (PID 2076)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
  - C:\Windows\System32\reg.exe (PID 544)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
  - C:\Windows\System32\reg.exe (PID 2028)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
  - C:\Windows\System32\reg.exe (PID 2112)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
  - C:\Windows\System32\cmd.exe (PID 2096)
    Command line: "C:\Windows\System32\cmd.exe" /c start "" /MAX winword "C:\Users\Admin\Documents\These.docx"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE (PID 4416)
      Command line: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\Admin\Documents\These.docx"
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\22975.exe (PID 1924)
    Command line: "C:\Users\Admin\22975.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\windows mail\wab.exe (PID 3840)
      Command line: "C:\Users\Admin\22975.exe"
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\QQ.exe (PID 224)
        Command line: "C:\Users\Admin\AppData\Local\Temp\QQ.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 86b537f94078514245fe7b6275ed5531
  SHA1: 54f72b7333b6a576ea33459caf8b2724f62a6c53
  SHA256: 5c0bb327dcac9c309285814c460a54f91b83ee4a7c693bc6ec2aa2ae8c012eb2
  SHA512: 93ab12385c7ab86d561d705c8cbf17da49c16686aa2262b7b9a4a98ed4e307f5908efa8004f619bb019768989d2368834e20a18c723602454e4728ef31a34272
- Filesize: 497KB
  MD5: b3e117728535ed7edad599e698cafbc2
  SHA1: 2ea334afa266e29515855f809627b09c032168e8
  SHA256: 9e3c4a258c4f20711f53dda2f00dacf9a6ae3a673cd2b8d54b4811fe4fd62bf7
  SHA512: d964fada7344bdf95964dc7159b4b1c550d6c6d0c35263c96f7b32bd489cf38f796198bb97548dd6868ef09f72e8ab273208c33e981419b85c506acbad436b29
- Filesize: 469KB
  MD5: 46bbacb63c2f6c440be347e99210c3a3
  SHA1: 8b3f6920bf657fd1973069540ec5990b2033e69a
  SHA256: 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e
  SHA512: f51dafe7612d294a70872064d9c8b1352598def99242134e4dd5aa03ef62614d3222d5b430a8bb26fa63b7e177ec7229467bae58b1e86a0775a052dcab38f7d8
- Filesize: 11KB
  MD5: fc90dfb694d0e17b013d6f818bce41b0
  SHA1: 3243969886d640af3bfa442728b9f0dff9d5f5b0
  SHA256: 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
  SHA512: 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6
- Filesize: 202B
  MD5: 4566d1d70073cd75fe35acb78ff9d082
  SHA1: f602ecc057a3c19aa07671b34b4fdd662aa033cc
  SHA256: fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0
  SHA512: b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 77b4c012bee9e4733d214029a8098b1e
  SHA1: f1fcaee75556a0c0a4d4fc9de8ed8f1b33f467e6
  SHA256: 904ca55604a55f8effacb2a8f6f115f868904b04db43140f45759868728f4e00
  SHA512: 42ea8f03cb809aa3c8e01ccd26d723ab5e2010b506f7e9ae50fd853a248f6605db2c516cef9a4ef97fdec3db24e8fbdf64699fb789f596746ee08e204f330a99