Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
29/06/2024, 04:50
Static task
static1
Behavioral task
behavioral1
Sample
f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe
Resource
win10v2004-20240611-en
General
-
Target
f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe
-
Size
467KB
-
MD5
2a5ca275231114e49d9829a633a278b1
-
SHA1
8b1bba15700f18ef6bb7c4cf99d253a73815488a
-
SHA256
f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856
-
SHA512
51303d412fd023ccf49b7c363302b4b89da29c6b78193119f610d3c82bb5a91085b5c8933794fed0ae3657b1304f1f5feb01fa7faf4ddc688240d6094ce0fdc2
-
SSDEEP
6144:mSyAAwKrd01YZW9mhO81rtfTWZGy1Q34HOSR4R5DLvaI3DdyUHXD+T7BGS7oDwvE:PYO1QIubR5/tdyU3DFS7okvEyC
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation 3335.tmp -
Executes dropped EXE 1 IoCs
pid Process 3416 3335.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings 3335.tmp -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4596 WINWORD.EXE 4596 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3416 3335.tmp -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4596 WINWORD.EXE 4596 WINWORD.EXE 4596 WINWORD.EXE 4596 WINWORD.EXE 4596 WINWORD.EXE 4596 WINWORD.EXE 4596 WINWORD.EXE 4596 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4568 wrote to memory of 3416 4568 f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe 82 PID 4568 wrote to memory of 3416 4568 f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe 82 PID 4568 wrote to memory of 3416 4568 f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe 82 PID 3416 wrote to memory of 4596 3416 3335.tmp 88 PID 3416 wrote to memory of 4596 3416 3335.tmp 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe"C:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\3335.tmp"C:\Users\Admin\AppData\Local\Temp\3335.tmp" --pingC:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe B933857452C2453ECC8820A667E997BEF6D038ED71ECFA963E225C14A074D0B2D68E74FA4F2B7DC5EBB73F83823C1FC2247AB19F403A7822843EE667A5DC40482⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4596
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
467KB
MD5d675b8512a649a72af7c3103f0c10cf4
SHA1b9806d9b9e39eaf6c035659795d53533e8d6344d
SHA2565f9784befccf0cd16b0f8cfa382d5fc64c6b0265b16bf5f19ed67a3aa82418f6
SHA5126dc42dfdf9c4fabbbe94359cbabd6849c08a3336c593b85651d838ac5f07e90e8c07540ed1d0fc2a064d774d9d33be9121880ff8cabd47728314a359bac6dc87
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
C:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.doc
Filesize35KB
MD559975947e6db92e743655ebdf2e3c495
SHA15e967d85a4df28f9fed485156919a14fb411d18d
SHA25683c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05
SHA5121cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84