Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
04/05/2024, 09:42
General
-
Target
officeactivator.exe
-
Size
15.2MB
-
MD5
209635421416545cb239f7484909fcf8
-
SHA1
850fb53685bc7e70fe267aaed72f45ae7589ee03
-
SHA256
e71d9dae0ae73ca4950fd14cc868de8ffdc25985c93b033994631271c74c98e7
-
SHA512
c64adac9909f7c5f3e0e412b8403e2298d5698c33334f4571757c2c7276bcb820c70a7c48f7a17ccb546906007188dc798c8f3e9063faa8b00cfe7a90410bc0e
-
SSDEEP
393216:uLoWykOEywRjHw4sxA0gnItqy0wRoEbLNKE:bkPnRjQk0OVyV6yKE
Malware Config
Extracted
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab
Extracted
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Blocklisted process makes network request 2 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\officeactivator.exe"C:\Users\Admin\AppData\Local\Temp\officeactivator.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe"C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\files\files.datfiles.dat -y -pkmsauto3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over5131780\v32.cab') }"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\expand.exe"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over51317802⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over5131780\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over4575397\v32.cab') }"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\expand.exe"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over45753972⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over4575397\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
765KB
MD5bb5569b15d68c10b7ff2d96b45825120
SHA1d6d2ed450aae4552f550f59bffe3dd42d8377835
SHA2564e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e
SHA512640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957
-
Filesize
12KB
MD50683e991aa4c85756dcd7976353a69f6
SHA10a6cfd8cee180fef48573d9397613ed1011c5de9
SHA256273422775a5e7e7b293dca576c28aa4668423b030fbf3978ac6d7327a5622ba0
SHA5124821ee5bb57ec87b5bd3901e37f7330785196be424309e5888705c19b42e61e095a3b30221dfc8d8d67e2a1829da9be1b78ca4fbc1c9e0390559d4ee9b7f5c9a
-
Filesize
10KB
MD51b70f9a025f172d8233b042481811329
SHA121adea9cb88b80b2d10d6c8b0ec6854e4f37b732
SHA256f7a7c4e9b329e1cecaa515bd58b332f71a537d74a82cf9edc5277248d2b4a5e3
SHA512b219ced87dd73bdeb09f4116eca0570f20f9809e2c068bd5c0cecefecbc99544afc44cdc0794755829037ad98df691bbe10ebd50dcaeed9f2ccc5dab26b446be
-
Filesize
12KB
MD568f361b7590a97c5af78f12081ad0fea
SHA1770826c0b3c2f318c84f4494b3ec11ed29b305b2
SHA2563e578124ae84dd719d4916c4e82cf1c1fbfaa0966376e3a89ed715b426c772fd
SHA5121fd7a79597617aa2ead885bfa9f54fcf40abd51770192cb59c47cde47a95629304a0e71b0dd9b2c81e9e98e1c025be19a4740b233ac3a40241d4c85824db6c30
-
Filesize
7KB
MD501586a772d941dff4b58493e8e031c8f
SHA187f06d0d6a5a1ba31c8cb5a922a994b2e35fc34e
SHA256121575c4c8d6f0bdab8816b7afb4d4c7d7b5f83154f7fe117a3752005e94fff6
SHA512e6bafd9b2551bc7497d9aee2039945beeafb0d15b463c9d758adf677d3b986ad88aab301f3488d673ad53dcffd2fb3cefebf9d99aa20a6bef002dcdde22fe0e3
-
Filesize
6KB
MD597541578d3d23d71c21714c040f02b92
SHA16cb08e629fe1b6f360ee7e118c8bfbb71cb1deb3
SHA256fdcd79d5b0b385d1b32359e53edecf20d1d73ddb059a7fa027cdb9e761464563
SHA512ecc49a1218e344a4d06302f1465e34d67534d313fd1d36332437b78b1008dbc8320bbb2593555fb8a3eedde9d8eb15b8fab1670c0ed150dc7c2473bb8da0876c
-
Filesize
31.2MB
-
Filesize
31.2MB
-
Filesize
31.2MB
-
Filesize
31.2MB