Resubmissions

  • 25/04/2023, 15:04  230425-sfwdtacg8x  1
  • 25/04/2023, 14:56  230425-sa76esah89  4
  • 25/04/2023, 14:53  230425-r9k99sah77  1
  • 25/04/2023, 14:49  230425-r67zvscg4s  6
  • 25/04/2023, 14:42  230425-r28qlaah48  5

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/04/2023, 14:53

General

  • Target: NoEscape.zip
  • Size: 616KB
  • MD5: ef4fdf65fc90bfda8d1d2ae6d20aff60
  • SHA1: 9431227836440c78f12bfb2cb3247d59f4d4640b
  • SHA256: 47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
  • SHA512: 6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
  • SSDEEP: 12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

Score
1/10

Malware Config

Signatures

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 7 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoEscape.zip
    1⤵
    PID:1192
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\ExitSend.dotm"
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1236
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\ExitSend.dotm"
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2036
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\ExitSend.dotm"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1360
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\ExitSend.dotm"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:696
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\ExitSend.dotm"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1516
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\ExitSend.dotm"
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:596
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\ExitSend.dotm"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1116
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1172
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2
        2⤵
        PID:1856
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
      PID:1488
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
      1⤵
      PID:1660
      • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
        2⤵
        PID:832
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
      1⤵
      PID:1564
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
      1⤵
      PID:596

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1303DE31-E38A-11ED-B6C0-4E1AE6AC1D45}.dat
    Filesize: 5KB
    MD5: 4fd06d664fb665baee3325a6ea818c84
    SHA1: 3926413b7ede26772959b901eeb460a03d68f640
    SHA256: 7ebca32d7327004a49109657efef805fe7235983bc788285c2de502a928f6c47
    SHA512: 09696156e391ed622d4fc76b9c99b012e61a642376a804f420c7f5fd0c71dd95ab05d88876eed74b7ca1fe50e9ac374ab9bdb132b3b120d35228687e96e57277

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
    Filesize: 36KB
    MD5: 7d65126bf9e06c205c2584531b5c5481
    SHA1: 228986e4fcf978bf0663cd63e7b4ecb75cf884b4
    SHA256: 906e7ffacf153ffe5865e9fb81873211832d9d3ac951e50ed96373f68fe34e8a
    SHA512: de76e7727da5911d10d72ba1edd0d88e5656772da2210ec1b2e934bbc4b8b3335392844c41d1cc742e67147d8126641c20d9ccca8c6f5d381364570864192751

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize: 55B
    MD5: b04fd3884038b13390e7a065db5af8e8
    SHA1: 77766abc66b4466c2bbbf7c95ffce8e88888cb2a
    SHA256: dbfc917519388f434307e61f1e03c6d76817d90ff746217f0f9c06858c3c3650
    SHA512: a1739f2774f4bb11335eaec921a76736a0f5ec3a98c04fbf0777e902c07c640bc90f4806710d12e34f9f51d855044f007a1519f779eaf1754e533134b2a0e8e4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: a1b4bd4a26ea4e2b28af988487dd5a32
    SHA1: 205bea47a195a4a5d7b1e64aa6b0ff1097519f24
    SHA256: bdfde5c4d185a462596c94f4b469858956a4e4db56cb54f50e3219a935949cdf
    SHA512: c5f4c7fcc69a44860aef459ef102d0252b83031cee891f9e437212424171e899ed5f468b6a428f06eac333945d3494646127c72c3d895375d16d49e36c02fef3

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/596-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2036-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB