Analysis
- max time kernel: 108s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01/03/2023, 07:03
Static task: static1
Behavioral task: behavioral1
- Sample: 007461614c1596b63a622bf79888b281.doc
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 007461614c1596b63a622bf79888b281.doc
- Resource: win10v2004-20230220-en
General
- Target: 007461614c1596b63a622bf79888b281.doc
- Size: 39KB
- MD5: 007461614c1596b63a622bf79888b281
- SHA1: 65eff70488fc4edd8a4344d4df57855f4300ca06
- SHA256: f76413740ca7c268672e49cbed99efced2f6aff74bbf397013d1793e653a2178
- SHA512: ba2510fe2a2c3d89695ac148581d0d96b4ac54927c6cb8fac495764a4b42b50fb14cb41e5a4dc0d0cb0bf64b81300a2bbff3f8b7dbd8a5d8852016581897603e
- SSDEEP: 768:pOD2DprZnFiC+MBx+HqqqqqeEq5Cau0e3QvWGe:pCiQtMgCCyVZ
Malware Config
Signatures
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
- Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid 624, Process WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 624, Process WINWORD.EXE
- pid 624, Process WINWORD.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 624 wrote to memory of 748: pid 624, Process WINWORD.EXE, procid_target 28
- PID 624 wrote to memory of 748: pid 624, Process WINWORD.EXE, procid_target 28
- PID 624 wrote to memory of 748: pid 624, Process WINWORD.EXE, procid_target 28
- PID 624 wrote to memory of 748: pid 624, Process WINWORD.EXE, procid_target 28
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 624)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\007461614c1596b63a622bf79888b281.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\splwow64.exe (PID 748)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 20KB
- MD5: 1cd944f732ba650eb94bbe8bb6e092ad
- SHA1: ae34469d3e4fdff5af3f0c706c328c3cf77b007a
- SHA256: 3b29531c888fb6e04c26bea52c2d04ad349bc11eae371f24b276ccb0db333970
- SHA512: 2ddd4b4a60d6962bac836779afe8333081b0e106b49d7f86f00983c34bfc74d41aaad1bfeab39fe7a7abe730d645846825cd643d3908a57b51f42f58f4ec9402