Analysis
max time kernel: 118s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 23:18
Static task: static1
Behavioral task: behavioral1
  Sample: 84a9a63c183f9134714fedcb7fb5f5e0N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 84a9a63c183f9134714fedcb7fb5f5e0N.exe
  Resource: win10v2004-20240802-en
General
Target: 84a9a63c183f9134714fedcb7fb5f5e0N.exe
Size: 654KB
MD5: 84a9a63c183f9134714fedcb7fb5f5e0
SHA1: 9039447af0b6cec72737aba31211deeb6f4543c7
SHA256: 317f18f14e26eec4b17fd2f0b961aecc912c2172955ef75c7f30ecc1a22caef3
SHA512: b28ba798418dc2eeb70ad6f86d51776c33422f97d6dd336ecf2fba5e989d6d431209b226e24ee0d79f0eddc1feda64f1d939878027a21af475a5ef38e819cbb9
SSDEEP: 12288:oYIW0p98Oh8P7h8GGsOvXSVqby69pezUapFc32TPu7he9gyCWTHb:EW298E8uGiXCqbZ2zRFc32TPu7he9gy5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation  (process: 8B87.tmp)

Executes dropped EXE (1 IoC)
  PID 864  8B87.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 84a9a63c183f9134714fedcb7fb5f5e0N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 8B87.tmp)

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  PID 864  8B87.tmp

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandbox environments. Note that all three IoCs here are attributed to WINWORD.EXE (PID 3772), which 8B87.tmp launched to open the .docx, not to the sample or the dropped executable.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (process: WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (process: WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
All three IoCs are again from WINWORD.EXE (PID 3772).
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (process: WINWORD.EXE)

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings  (process: 8B87.tmp)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 3772  WINWORD.EXE  (2 events)

Suspicious behavior: RenamesItself (1 IoC)
  PID 864  8B87.tmp

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 3772  WINWORD.EXE  (7 events)

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4760 (84a9a63c183f9134714fedcb7fb5f5e0N.exe) wrote to memory of PID 864, procid_target 83  (3 events)
  PID 864 (8B87.tmp) wrote to memory of PID 3772, procid_target 88  (2 events)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
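The registry-based signatures above (geofence lookup, language discovery, CPU and BIOS enumeration, class-key creation) are all keyed on well-known registry paths. The following is an added example, not part of the tria.ge report or its signature engine, that re-derives those signatures from raw registry events so the same logic can be reused in a detection pipeline. The event list is constructed from the IoCs listed in this report; the rule names follow the report, and the normalization step strips the sandbox-specific user SID and the ControlSet number so the rules do not end up encoding this particular VM. Grouping hits by process is what lets an analyst see that the CPU/BIOS reads come from WINWORD.EXE rather than from the sample.

```python
import re
from collections import defaultdict

# Constructed from the IoCs in the Signatures section of this report (not a live trace).
EVENTS = [
    {"pid": 864, "process": "8B87.tmp", "op": "Key value queried",
     "key": r"\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation"},
    {"pid": 4760, "process": "84a9a63c183f9134714fedcb7fb5f5e0N.exe", "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 864, "process": "8B87.tmp", "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 3772, "process": "WINWORD.EXE", "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 3772, "process": "WINWORD.EXE", "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 3772, "process": "WINWORD.EXE", "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"},
    {"pid": 3772, "process": "WINWORD.EXE", "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"},
    {"pid": 3772, "process": "WINWORD.EXE", "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"},
    {"pid": 3772, "process": "WINWORD.EXE", "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    {"pid": 864, "process": "8B87.tmp", "op": "Key created",
     "key": r"\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings"},
]

_SID = re.compile(r"\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+", re.IGNORECASE)
_CONTROLSET = re.compile(r"\\CONTROLSET\d{3}\\", re.IGNORECASE)


def normalize_key(key: str) -> str:
    """Upper-case the path and replace the per-machine user SID and the
    ControlSetNNN number with placeholders, so a rule written from one
    sandbox run still matches on any other host."""
    key = _SID.sub(r"\\REGISTRY\\USER\\<SID>", key)
    key = _CONTROLSET.sub(r"\\CURRENTCONTROLSET\\", key)
    return key.upper()


# (signature name as used in the report, required operation or None, regex on the normalized key)
RULES = [
    ("Checks computer location settings", None,
     re.compile(r"^\\REGISTRY\\USER\\<SID>\\CONTROL PANEL\\INTERNATIONAL\\GEO\\NATION$")),
    # ATT&CK T1614.001 System Location Discovery: System Language Discovery
    ("System Location Discovery: System Language Discovery", None,
     re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\NLS\\LANGUAGE(\\|$)")),
    ("Checks processor information in registry", None,
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\")),
    ("Enumerates system info in registry", None,
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS(\\|$)")),
    ("Modifies registry class", "Key created",
     re.compile(r"^\\REGISTRY\\USER\\<SID>_CLASSES\\")),
]


def match_events(events):
    """Return {signature name: [(process, op, raw key), ...]} for every event a rule matches."""
    hits = defaultdict(list)
    for ev in events:
        nkey = normalize_key(ev["key"])
        for name, op_filter, pattern in RULES:
            if op_filter and ev["op"] != op_filter:
                continue
            if pattern.search(nkey):
                hits[name].append((ev["process"], ev["op"], ev["key"]))
    return dict(hits)


def processes_for(hits, signature):
    """Distinct processes behind one signature, sorted; separates behaviour of
    the sample and its dropped EXE from that of a legitimate child such as Word."""
    return sorted({proc for proc, _, _ in hits.get(signature, [])})


if __name__ == "__main__":
    hits = match_events(EVENTS)
    for name, iocs in hits.items():
        print(f"{name} ({len(iocs)} IoCs): {', '.join(processes_for(hits, name))}")
```

Run against the constructed events this reproduces the IoC counts in the report (1, 2, 3, 3 and 1) and shows that only the two CPU/BIOS rules fire on WINWORD.EXE. When porting the rules to a real EDR feed, keep the normalization step: the SID and ControlSet number are the two parts of these paths that differ between hosts.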
Processes

C:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.exe  (PID 4760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8B87.tmp  (PID 864, child of 4760)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8B87.tmp" --ping C:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.exe 9A789FEC1EB65576461AD78F7CD239ED00B7F90317A76DC851930B4A396BFDCEE50C80981C1145475D017D105A6605AA3228A180344196E3C9FD6E32CD689564
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Modifies registry class; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3772, child of 864)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84a9a63c183f9134714fedcb7fb5f5e0N.docx" /o ""
      Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 21KB
MD5: 7079891932a64f097abafd233055a1e9
SHA1: 246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256: c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA512: 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

Filesize: 654KB
MD5: 9518f9ac712f613dfd9a58c34063fc01
SHA1: ed441619655bd8168e84d8e88cebc3e186bc11c5
SHA256: 372f28ad012ce5acb842f0a096d7e3b93882315208d121e11e65f08caab48188
SHA512: 47ab741c31e81548837e070d5ac78e7ecf5658818d0ad6592d7b3d50a6040872e1564694c52f2950b76efe86b12fb3b0d1464d28e5b3d6d572cd69713566c881