Analysis
max time kernel: 137s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/07/2024, 17:10
Static task: static1

Behavioral task: behavioral1
  Sample: Нападение на американские космические системы очень д.scr
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: Нападение на американские космические системы очень д.scr
  Resource: win10v2004-20240709-en

Behavioral task: behavioral3
  Sample: Новый щит и новый меч Вооруженные Силы России и США.doc
  Resource: win7-20240704-en

Behavioral task: behavioral4
  Sample: Новый щит и новый меч Вооруженные Силы России и США.doc
  Resource: win10v2004-20240709-en

Behavioral task: behavioral5
  Sample: Ракетно-ядерная рулетка.doc
  Resource: win7-20240708-en

Behavioral task: behavioral6
  Sample: Ракетно-ядерная рулетка.doc
  Resource: win10v2004-20240709-en
General
Target: Нападение на американские космические системы очень д.scr
Size: 386KB
MD5: 6da437dcce6eaa6b39aedf008142e1d3
SHA1: 4114f56826c1d531a8bbffd2d8831d312be6376e
SHA256: 9e2c7a431cfb2d446f22e6f45f5344e861bebfad767bbf297b64802f8c17f815
SHA512: 67454df95816b1be875ad8d26d0d484c028d4f0438c2d5d28a04edd3be71bcde672a5d1c2945797b5f8325e1e96ef87ab70e952954512598482e51f4c9a55eb3
SSDEEP: 6144:otjWxbczG4XMoxnBLFIRTwLhmJpEVxdg0L9JbAnj3wzaAvPaejiA6:oRWNcr8oxn8Urxdg495CjTeSz
Malware Config

Signatures

Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityve.dll" | RasTls.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | Нападение на американские космические системы очень д.scr
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | fa.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2544 | fa.exe
  3524 | RasTls.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  3524 | RasTls.exe
  3932 | svchost.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Sycmentec.config | RasTls.exe
  File opened for modification | C:\Windows\SysWOW64\Sycmentec.config | RasTls.exe
  File created | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityve.dll | RasTls.exe

Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\system\CERTAPL.DLL | RasTls.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | Нападение на американские космические системы очень д.scr

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  1420 | WINWORD.EXE
  1420 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  1420 | WINWORD.EXE (the same pid/process pair is listed 12 times)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4340 wrote to memory of 1420 | 4340 | Нападение на американские космические системы очень д.scr | 80
  PID 4340 wrote to memory of 1420 | 4340 | Нападение на американские космические системы очень д.scr | 80
  PID 4340 wrote to memory of 2544 | 4340 | Нападение на американские космические системы очень д.scr | 86
  PID 4340 wrote to memory of 2544 | 4340 | Нападение на американские космические системы очень д.scr | 86
  PID 4340 wrote to memory of 2544 | 4340 | Нападение на американские космические системы очень д.scr | 86
  PID 2544 wrote to memory of 3524 | 2544 | fa.exe | 87
  PID 2544 wrote to memory of 3524 | 2544 | fa.exe | 87
  PID 2544 wrote to memory of 3524 | 2544 | fa.exe | 87
Processes (process tree; the bracketed number is the nesting depth)

[1] C:\Users\Admin\AppData\Local\Temp\Нападение на американские космические системы очень д.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\Нападение на американские космические системы очень д.scr" /S
    PID: 4340
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.doc" /o ""
        PID: 1420
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\AppData\Local\Temp\RarSFX0\fa.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fa.exe"
        PID: 2544
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.exe"
            PID: 3524
            - Server Software Component: Terminal Services DLL
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Drops file in Windows directory

[1] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
    PID: 3932
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 37KB
MD5: e1e97cb3e26e55d8ca6f19a1c3d39aaf
SHA1: 37464be30a64fa3c28f7617d8411ff202e3d14cd
SHA256: d0c2969339d47e1ff25722d19f18cb3af48286de344a1285438200e7701fd9ff
SHA512: fa9bbc142e206535906ec295acd89e577a06903cc7909dc7e3dfd6b47bac3b692bd23916416149442ee1aaec715ee58a22761f9077e156156f8692a29b1b47f1

Filesize: 287KB
MD5: 002b2f7e48edf64d63a0341cc8360732
SHA1: 11898d59a788babe573622ab674b1af35209eb3d
SHA256: 64fea780db9da58aefae1d9957f1395a3c95124cb25146579a2f054deb7bbfaa
SHA512: 951f1bfe51af122422e41ef18ea9efbaeade8d11322a553b33a3a2567ac6a18eddc222a78d2d78d283217e7ebdc2d1012aed1fde2cd9b5858951dd4afcb7b6c0

Filesize: 5KB
MD5: 51c90f69491ba5baa5ebf7c6a36aa17b
SHA1: b31c84a648102e30aef25d8a74b8acac89578d4c
SHA256: af494820388f93ee4b7b0eaa28e665bf8e1836f916d9b74df8b14aa02bce5f8b
SHA512: 35f581640467e1bbabc7b27f71f70bc90e9e43d6a52c4e7a77bf74e615bd5d9dda06996ca7809d90d5d6a736f9edaa2419cba7b5a438b313c39dcb6609f751bc

Filesize: 105KB
MD5: 62944e26b36b1dcace429ae26ba66164
SHA1: 2616da1697f7c764ee7fb558887a6a3279861fac
SHA256: f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68
SHA512: e3c366044ac0b4df834b2f05d900cad01bc55b39028984ed3486aa2522e8c226bf9a81952da2c7e4bf0bc2c322d10fe58329e787238bb710a137827927b48d7c

Filesize: 57KB
MD5: ada9d0006b5b3d1d3f4cdea0c9d12d0d
SHA1: 4e3c575c7a281917ca66d5a07a641f21573cc7b3
SHA256: 79c3114d85932d77d4640a7cbe87cceec1e7f3bd3105c140cb708bfd5d330d4d
SHA512: 39bcd4100d5b453d30beacee7ae1b7ffc653cc6c4d1ec8746095129f05a6f5fabd49e85c218cebe9bbee041c795349d6a5a17d7d9918d9423d132fc2954d970c

Filesize: 122B
MD5: 0f6be30587d0d0fa5b43b6c44648b2a4
SHA1: 7841e2a6691d9a6f5d3aa6a73e3963cc819e9147
SHA256: 3d8338dfd2770bba4a6cce7a770a7e32c51fadcc3ad766f9551c564e1920cd0d
SHA512: 7ac03cdf3c1bb3810ab8c18d9c7d71d356aca54b620f53e9474267dab9e82f799e0a1c2ff3ef840c143a74e8fc0c4274fe29802e34c1c34eb31e714942deea81

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: 45199eb3043fb7065d953814de797e4e
SHA1: e446f24da1e3c05d211e864137822646084e794d
SHA256: 451a385a63a098e60b7ba8a52af0f78789969166e86ffc51197f42a7f252f606
SHA512: 396a9458a480f193bf08718337eada013860f908ef4773f365acf753bc6fcfd8136c6b1d344e9bdd88625e50da80863ddadafbe38742d2554e5617a79cbe76df

Filesize: 5KB
MD5: d7538b63bb490bc42102b904c399fd13
SHA1: abedfb74af2b67a59c4a8d28b3aedcbf493a1d73
SHA256: 703df1768f95b69d6414ad35d078969c53a782d84659a153ff27d320c4c59fb6
SHA512: 971f1e90e916e22f7a78d64c6b206b9d64d72d7ec789b85f1874ffa9ece2c8abb2fbcafadb13c301c0eeccdceb8565159b79b9eb3373b6ffb69d4b6a872c5598