Analysis

max time kernel: 118s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 10:02
Static task: static1

Behavioral task: behavioral1
Sample: 985d6ab0e9e57850cf7ed9f331ae36a0N.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 985d6ab0e9e57850cf7ed9f331ae36a0N.exe
Resource: win10v2004-20240709-en
General

Target: 985d6ab0e9e57850cf7ed9f331ae36a0N.exe
Size: 539KB
MD5: 985d6ab0e9e57850cf7ed9f331ae36a0
SHA1: 9dcbb36de4f8a99a7ffca73240dedea6ee33fac9
SHA256: 612daa13770e7ca0f61b173c4a2c9790f7cd8b109bb886f80cb257dfce623451
SHA512: 803fe1087e1dae4aa4919f3cf7d8f14e69c2d8fb9210600f98151d3a6ccf866bcc459eb8d33ff8922dfa78ca63d89aaf0ca5c1bc23735b4fc518d61e6845e4a9
SSDEEP: 6144:NYkLWCTxDrF98Oh8P7AEL8IhoM8InI5SQ8R5NTope6S2DtL9xG9QTKhDxfWqr6z1:NYIW0p98Oh8P7h8EJQ8z8eDe9mJxfWZT
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | B19D.tmp

Executes dropped EXE (1 IoC)
  PID 4856 | B19D.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
  Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | B19D.tmp

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 2128 | WINWORD.EXE (2 entries)

Suspicious behavior: RenamesItself (1 IoC)
  PID 4856 | B19D.tmp

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 2128 | WINWORD.EXE (7 entries)

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 3224 wrote to memory of 4856 | 3224 985d6ab0e9e57850cf7ed9f331ae36a0N.exe | procid_target 84 (3 entries)
  PID 4856 wrote to memory of 2128 | 4856 B19D.tmp | procid_target 89 (2 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe"
  PID: 3224
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\B19D.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\B19D.tmp" --pingC:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.exe 4031897548124C37EAC00222EF4AE7A3692A143FE596D069FD5C3C37D2652B8A6A7368E0566E5728E73D5CA96C9D7041CDD01A841512316B56C4D030F48741ED
    PID: 4856
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985d6ab0e9e57850cf7ed9f331ae36a0N.docx" /o ""
      PID: 2128
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 21KB
MD5: 7079891932a64f097abafd233055a1e9
SHA1: 246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256: c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA512: 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

File 2
Filesize: 539KB
MD5: ac21222031575c6e9fd7e983acb6b3ed
SHA1: 618c18ad2624d8db2682be4880f6724086473928
SHA256: 1bb941d7d39734d516ab9962d5480e23be2e97b8d71aaec5ce3394ccdaf19af0
SHA512: 50ce02bbb40e401c040b75732c079101d013b673e700ee78b7454743756abafbdf59852b4faad59a598229beeacfc525f1ba2cef373a2eb19caf349f33041c0d