Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Shipping d...s.docx

windows7-x64

8

Shipping d...s.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2023, 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping documents.docx

  • Size

    10KB

  • MD5

    38bde1f71eff4a0b7d396fc4560b921a

  • SHA1

    b7c1e4fdfec691fc11832480cca239d567b5b22c

  • SHA256

    08d5e1d19cd6c2d1d0cd69b4573702bcbd7ebb97835a9d4769fb4dc12a564be1

  • SHA512

    a484e8020d8fd46575814230ffab6cdbc1f968e35a9b037176f05c7defaede4a4b31eeedcd94418a961dbd8ec99f488fc8f88bad8bc1e911290a55d6eafd5f7b

  • SSDEEP

    192:ScIMmtP1aIG/bslPL++uOdVDl+CVWBXJC0c3Fe:SPXU/slT+LOdVHkZC94

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Shipping documents.docx"
      2⤵
      • Abuses OpenXML format to download file from external location
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:664
      • C:\Windows\SysWOW64\colorcpl.exe
        "C:\Windows\SysWOW64\colorcpl.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1152
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Users\Public\vbc.exe
            "C:\Users\Public\vbc.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1968

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{61604CA6-71AE-4687-A7F7-2F4FB98822F6}.FSD
        Filesize

        128KB

        MD5

        84570d66b46dd54990e1189f67f8fbff

        SHA1

        df86cf9e8b89195a4812c7de000602020af2c221

        SHA256

        31e9c153fec1ba8a1741c249a4205a6490e6b63975efa35a5b0302c91df13348

        SHA512

        55b5c4789e1b842ddf1d6d715649640bcdd5fdd1ca70887366314ec30590e4d653fd084782eb2dee19f339c5cc3bf1dddcc36a74a7231662fbe10fc29e295be5

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
        Filesize

        128KB

        MD5

        d9e2732adc9f07913cdda3e04fc0dfae

        SHA1

        37b3096d6c99afb2942359fe936266b93d0c2218

        SHA256

        81eb9059764eb5ac74809fdf0493f055ac52c266e3b62e0ec88119c8868ee077

        SHA512

        f66ef3e6a11d900b4167bb8d62c7c953c623fa5cdc2ca9605c30f2c0d10cd005da5d2e56caa2cb2834ea06456e155949eeacc8eab85be24cd022f7daa8e5b85b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
        Filesize

        128KB

        MD5

        9f94f596e8de71a572fd5572bd621b44

        SHA1

        18411d6fbaa1ce6f7379e2e5581d6ec61200fa4b

        SHA256

        71c459f6f3827ab6ef8be2870d2542832e7b6dc3bf2a2e00d71dc236118ef8d3

        SHA512

        b5de14a44fbc81293c45b09be89d63647a3558016f090715b41b308f32ea0cbd1c1fbc825262bdaff3a8f14180bc54e947d8146fbe5ff5d5e9f66cd16fe009d5

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{CBB23EE5-6B2F-4EF3-8990-FE6F8CD90F90}.FSD
        Filesize

        128KB

        MD5

        f3022fe9a5e550bd36a0d6fdf614b974

        SHA1

        028687341941f51101931e24f2d58e9468261aa0

        SHA256

        4f31031ae20b44d2ba65438d832a11ed67db14f390c402b4cc1d99266d02977a

        SHA512

        4c069e8e03bb060b3b5b368a5b0a7daa6452f2ae8f7f7521dfa66245c9e5b3e689556292fbe17869d4558a9140fd277ed824ede9a52e74651d08704eab749028

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\nc[1].doc
        Filesize

        13KB

        MD5

        c20168bf518eb6c71c48331321a1dec3

        SHA1

        cd4e0a100336c0f915a591358f41c08a405ac3fe

        SHA256

        bcf4cec92fe9362106d55abfcb0a186f23607c8a28a7499183c9cd3f260de969

        SHA512

        08097fe409cd06ff7ec19f577632128383db128d62b577c6437083b7dc6939d134a92bdd8dad4d3c425247506e3f02947aa94f63ddcec0ecaa4df771833716de

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\qhjdbhv.zip
        Filesize

        465KB

        MD5

        9e480b43cbe052e9ab25a0b982132e4d

        SHA1

        511ed863e48b8755e43b093238b923339c1bf846

        SHA256

        d76c2b3b27f279cbaabaa2d53c93e4bb7f2d8336e5aff7c74d7a16a2dbfbfb1c

        SHA512

        92a2753d125fec5a77945a1724dd85d07fd672583666029e313903584cf8e872fae9f3bb1db00cb9cde747edd4e3e95c8ffc3aa2867ce9212504d557e2adc8fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{A205C821-7FBB-41DB-B2E7-C437846B5612}
        Filesize

        128KB

        MD5

        912f651f6e967c702e299b906fa20e2a

        SHA1

        c08bcc77fb9766704fa916a2623be38156a8cc29

        SHA256

        5507630c2a32cccdf78c3f4a6f0481f17171c4f4bb0c95f4de75baa6fb7a5f69

        SHA512

        eb2bf68a3f2bb008af9f077228f0442d24c0fec7d9456e4e6d645501d3a248959c10ce880a7c44812f40c789088deb107b6c996205880eef6e5dd83c6cfe4ad6

        Download Submit

      • C:\Users\Public\vbc.exe
        Filesize

        878KB

        MD5

        818e534443d06e269fa8bb04fa647a05

        SHA1

        63754344896e4ad63da5c253d5a297666609878f

        SHA256

        a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

        SHA512

        5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

        Download Submit

      • C:\Users\Public\vbc.exe
        Filesize

        878KB

        MD5

        818e534443d06e269fa8bb04fa647a05

        SHA1

        63754344896e4ad63da5c253d5a297666609878f

        SHA256

        a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

        SHA512

        5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

        Download Submit

      • C:\Users\Public\vbc.exe
        Filesize

        878KB

        MD5

        818e534443d06e269fa8bb04fa647a05

        SHA1

        63754344896e4ad63da5c253d5a297666609878f

        SHA256

        a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

        SHA512

        5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

        Download Submit

      • C:\Users\Public\vbc.exe
        Filesize

        878KB

        MD5

        818e534443d06e269fa8bb04fa647a05

        SHA1

        63754344896e4ad63da5c253d5a297666609878f

        SHA256

        a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

        SHA512

        5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

        Download Submit

      • \Users\Admin\AppData\Local\Temp\sqlite3.dll
        Filesize

        890KB

        MD5

        8402a6aa76d7787ff03943dd129e3d83

        SHA1

        895338cb761d62930ca93918011fd2cd33d5b30c

        SHA256

        49ff99d5b24f4f7d5a8ea175f35a6548c74b04e5c621c60121b5088dab19b4eb

        SHA512

        39bbe90385be35492825929296aae771fb4afb00a1f6a48f0e4ec17bc1097c3a32cea3b22033116c82695e66acbd6c847483a8da21e7302240467b58e39169ea

        Download Submit

      • \Users\Public\vbc.exe
        Filesize

        878KB

        MD5

        818e534443d06e269fa8bb04fa647a05

        SHA1

        63754344896e4ad63da5c253d5a297666609878f

        SHA256

        a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

        SHA512

        5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

        Download Submit

      • \Users\Public\vbc.exe
        Filesize

        878KB

        MD5

        818e534443d06e269fa8bb04fa647a05

        SHA1

        63754344896e4ad63da5c253d5a297666609878f

        SHA256

        a540f2c0107e8869fc412f78a52d058eb16b8d1b69bde2003767b475242ef7b5

        SHA512

        5eda0ef8bf6662f9415c218e67074a2e7c7ff04e695478ee62127c80036075d1625178de6748d99e5e18eee04aaf1ed152e3a352e8a97e555f829a976790bddd

        Download Submit

      • memory/1088-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1216-221-0x0000000061E00000-0x0000000061ECA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1216-174-0x0000000001E60000-0x0000000001EEF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1216-172-0x0000000002050000-0x0000000002353000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1216-171-0x0000000000080000-0x00000000000AD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1216-170-0x0000000000200000-0x0000000000218000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1216-169-0x0000000000200000-0x0000000000218000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1240-168-0x0000000007110000-0x000000000721D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1240-173-0x0000000003920000-0x0000000003B20000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1240-222-0x0000000003E20000-0x0000000003ED2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1240-178-0x0000000003E20000-0x0000000003ED2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1876-156-0x00000000005A0000-0x00000000005AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1876-154-0x0000000004F00000-0x0000000004F40000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1876-144-0x0000000000A90000-0x0000000000B72000-memory.dmp

        Filesize

        904KB

        Download

      • memory/1876-145-0x0000000004F00000-0x0000000004F40000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1876-146-0x0000000000530000-0x0000000000546000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1876-158-0x00000000021C0000-0x00000000021F8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1876-157-0x0000000005C30000-0x0000000005CE0000-memory.dmp

        Filesize

        704KB

        Download

      • memory/1876-147-0x0000000004F00000-0x0000000004F40000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1876-155-0x0000000004F00000-0x0000000004F40000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1968-164-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1968-159-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1968-160-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1968-162-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1968-166-0x0000000000070000-0x0000000000080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1968-167-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1968-165-0x0000000000B80000-0x0000000000E83000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1968-161-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download