Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/09/2024, 01:52
Static task
static1
Behavioral task
behavioral1
Sample
e25240231baa27e14f83428e060074197a63affbcf6f1c7990aa4a3115d4b7fd.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e25240231baa27e14f83428e060074197a63affbcf6f1c7990aa4a3115d4b7fd.rtf
Resource
win10v2004-20240802-en
General
-
Target
e25240231baa27e14f83428e060074197a63affbcf6f1c7990aa4a3115d4b7fd.rtf
-
Size
830KB
-
MD5
da0bf0c618afdcec9df34d437794e4c0
-
SHA1
f85223bf5b04d6eceb04baeee97825b060337dd5
-
SHA256
e25240231baa27e14f83428e060074197a63affbcf6f1c7990aa4a3115d4b7fd
-
SHA512
d168bff7c385b5a1de789dc19ec3f54c4ea720fcb8612da3ae838b536262479147ecb7497facd507a342b9c9724edf3b29b1bc213b176b835887c85a1e369541
-
SSDEEP
6144:VwAYwAYwAYwAYwAtFt+VG0BNs1H4wP/2OJ0+Q8XxBR:BR
Malware Config
Extracted
nanocore
1.2.2.0
pnauco5.ddns.net:1664
cde38e58-d99c-4068-b775-59569bc2e8ce
-
activate_away_mode
true
-
backup_connection_host
pnauco5.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-07-03T06:48:27.569053036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1664
-
default_group
NEW
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
cde38e58-d99c-4068-b775-59569bc2e8ce
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
pnauco5.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 4 2316 EQNEDT32.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1392 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2636 wehdpcat93625.exe 1716 wehdpcat93625.exe -
Loads dropped DLL 1 IoCs
pid Process 2316 EQNEDT32.EXE -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" wehdpcat93625.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wehdpcat93625.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2636 set thread context of 1716 2636 wehdpcat93625.exe 37 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\SCSI Service\scsisvc.exe wehdpcat93625.exe File opened for modification C:\Program Files (x86)\SCSI Service\scsisvc.exe wehdpcat93625.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wehdpcat93625.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wehdpcat93625.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2316 EQNEDT32.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2020 schtasks.exe 1764 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1648 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1392 powershell.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe 1716 wehdpcat93625.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1716 wehdpcat93625.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1716 wehdpcat93625.exe Token: SeDebugPrivilege 1392 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1648 WINWORD.EXE 1648 WINWORD.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2636 2316 EQNEDT32.EXE 33 PID 2316 wrote to memory of 2636 2316 EQNEDT32.EXE 33 PID 2316 wrote to memory of 2636 2316 EQNEDT32.EXE 33 PID 2316 wrote to memory of 2636 2316 EQNEDT32.EXE 33 PID 1648 wrote to memory of 2980 1648 WINWORD.EXE 35 PID 1648 wrote to memory of 2980 1648 WINWORD.EXE 35 PID 1648 wrote to memory of 2980 1648 WINWORD.EXE 35 PID 1648 wrote to memory of 2980 1648 WINWORD.EXE 35 PID 2636 wrote to memory of 1392 2636 wehdpcat93625.exe 36 PID 2636 wrote to memory of 1392 2636 wehdpcat93625.exe 36 PID 2636 wrote to memory of 1392 2636 wehdpcat93625.exe 36 PID 2636 wrote to memory of 1392 2636 wehdpcat93625.exe 36 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 2636 wrote to memory of 1716 2636 wehdpcat93625.exe 37 PID 1716 wrote to memory of 2020 1716 wehdpcat93625.exe 39 PID 1716 wrote to memory of 2020 1716 wehdpcat93625.exe 39 PID 1716 wrote to memory of 2020 1716 wehdpcat93625.exe 39 PID 1716 wrote to memory of 2020 1716 wehdpcat93625.exe 39 PID 1716 wrote to memory of 1764 1716 wehdpcat93625.exe 41 PID 1716 wrote to memory of 1764 1716 wehdpcat93625.exe 41 PID 1716 wrote to memory of 1764 1716 wehdpcat93625.exe 41 PID 1716 wrote to memory of 1764 1716 wehdpcat93625.exe 41
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e25240231baa27e14f83428e060074197a63affbcf6f1c7990aa4a3115d4b7fd.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2980
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Roaming\wehdpcat93625.exe"C:\Users\Admin\AppData\Roaming\wehdpcat93625.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wehdpcat93625.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
C:\Users\Admin\AppData\Roaming\wehdpcat93625.exe"C:\Users\Admin\AppData\Roaming\wehdpcat93625.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp315D.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2020
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp31BB.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1764
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57615ace31d4f031adbe9dcc0dbf9d79e
SHA10d98e20f1f3b5485c61a0857f1ea3b4e048b22c9
SHA256f7152a3f6ecea29cccec1906dd51a163ea60812546dff5843edffdfec7ff9aaf
SHA5126b86f5f08b9632a88dd1c954bf7d02207fa1fbed72807443f23e54e7b1ec0ec723ef93241b2445a40f6bcfb19e821c7e7dc33aac62d5ce1ee40a54fa4debd3b6
-
Filesize
1KB
MD54e71faa3a77029484cfaba423d96618f
SHA19c837d050bb43d69dc608af809c292e13bca4718
SHA256c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb
SHA5126d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0
-
Filesize
19KB
MD5621cc0523a08053341594773e39ec01a
SHA1a618204d39fdf8161c808daafa64e55eb23474dc
SHA256b1b1db50e8dd8421d32e4965ccde3c7a62942f255c2f3c554030fbcf83820bd0
SHA512d0c25972e0ba1b5865fbd4242346b8929b4cf4d14e2509a999b2646b3c0bfb915c31a96bb6daccba7242b3a900b971c9a2c82f73cd8c37d9911b96e523dd88ee
-
Filesize
629KB
MD5280baa14b25c23e63122a4028928dff0
SHA18070c5e450768312a50c64be6edc386b009bea77
SHA2564a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226
SHA51226b96a7b246c3abaa02a989ea1e90a9ede181133f8a1e1b9605b3812f1505527d4164e14c169c73773e5872881bfa512793cffb381110c4a3b4f160e307f0f6f