Analysis
max time kernel: 146s
max time network: 121s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 16/08/2023, 18:48
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE-9730015.docx
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: INVOICE-9730015.docx
  Resource: win10v2004-20230703-en
General
Target: INVOICE-9730015.docx
Size: 11KB
MD5: 86cf81e87b56f308ce6f4c88a1066415
SHA1: d690c7e0067766162a9bb085ab510be2836d2074
SHA256: 3f64540878afa068e4bc7de3af3d3b48c0aa767e6e7ec94f9179b3cdd9768ac5
SHA512: 9c72f7ce5503674e55cf133fee6c5d4dfd2e2619bc80f081394943ba509f43ac3918b7e69c5de78ba512323e567abbc25a1bca692865ce0fb3712c3d8bb96769
SSDEEP: 192:9Eya0NRfX9i7jWoj4N5eNA2A+EnVs+mg1SoB8NJY6TO36PvUwKzQaUCaY9pFcWex:SyXRfkPWku5+A2bkBdBGJYuOqPqQc9zE
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process; pid: 2192; pid_target: 2296; Process: wininit.exe; procid_target: 27
- Blocklisted process makes network request (1 IoC)
  flow: 7; pid: 2920; Process: EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid: 2912; Process: ghostdh476528.exe
  pid: 2120; Process: ghostdh476528.exe
- Loads dropped DLL (2 IoCs)
  pid: 2920; Process: EQNEDT32.EXE
  pid: 2192; Process: wininit.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description: PID 2912 set thread context of 2120; pid: 2912; Process: ghostdh476528.exe; procid_target: 36
  description: PID 2120 set thread context of 2296; pid: 2120; Process: ghostdh476528.exe; procid_target: 27
  description: PID 2120 set thread context of 2192; pid: 2120; Process: ghostdh476528.exe; procid_target: 37
  description: PID 2192 set thread context of 2296; pid: 2192; Process: wininit.exe; procid_target: 27
- Drops file in Windows directory (1 IoC)
  description: File opened for modification; ioc: C:\Windows\Debug\WIA\wiatrace.log; Process: WINWORD.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid: 2920; Process: EQNEDT32.EXE
- Modifies Internet Explorer settings
  description: Key created; ioc: \Registry\User\S-1-5-21-1014134971-2480516131-292343513-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2; Process: wininit.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 2296; Process: WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid: 2120; Process: ghostdh476528.exe (4 entries)
  pid: 2192; Process: wininit.exe (4 entries)
- Suspicious behavior: MapViewOfSection (7 IoCs)
  pid: 2120; Process: ghostdh476528.exe (1 entry)
  pid: 2296; Process: WINWORD.EXE (2 entries)
  pid: 2192; Process: wininit.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege; pid: 2120; Process: ghostdh476528.exe
  description: Token: SeDebugPrivilege; pid: 2192; Process: wininit.exe
  description: Token: SeShutdownPrivilege; pid: 2296; Process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2296; Process: WINWORD.EXE (2 entries)
- Suspicious use of WriteProcessMemory (24 IoCs)
  description: PID 2920 wrote to memory of 2912; pid: 2920; Process: EQNEDT32.EXE; procid_target: 32 (4 entries)
  description: PID 2296 wrote to memory of 1832; pid: 2296; Process: WINWORD.EXE; procid_target: 35 (4 entries)
  description: PID 2912 wrote to memory of 2120; pid: 2912; Process: ghostdh476528.exe; procid_target: 36 (7 entries)
  description: PID 2296 wrote to memory of 2192; pid: 2296; Process: WINWORD.EXE; procid_target: 37 (4 entries)
  description: PID 2192 wrote to memory of 280; pid: 2192; Process: wininit.exe; procid_target: 38 (5 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2296)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE-9730015.docx"
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\splwow64.exe (PID 1832)
    Command line: C:\Windows\splwow64.exe 12288
  - C:\Windows\SysWOW64\wininit.exe (PID 2192)
    Command line: "C:\Windows\SysWOW64\wininit.exe"
    Signatures:
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 280)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2920)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures:
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\ghostdh476528.exe (PID 2912)
    Command line: "C:\Users\Admin\AppData\Roaming\ghostdh476528.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Roaming\ghostdh476528.exe (PID 2120)
      Command line: "C:\Users\Admin\AppData\Roaming\ghostdh476528.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{AF869B27-F385-40EA-B318-C1B1F37F7320}.FSD
  Filesize: 128KB
  MD5: 4c6b682b2d799914cd4eeaf3b1a6e736
  SHA1: 87cafcd56c83e59cc917969cf861ec564023dc60
  SHA256: 17e8b884f9c776e54fa93763370fe94cc5b77b46d7fdf25d74c8d3fccf5a7f2b
  SHA512: c1e405d2d58be8e600df6746663cef8628cb9e5ed3cd491275fa6fd0296c5009b3ed79ae23e01d58e2acf6024210e5aae64c54d4f810e7e3b0ff4dbbc2f56ccf
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: d35cd6260df398f49fccdd9d0c97c470
  SHA1: b967e1b05c6e0d4035a2af78956ce657f39ae0a1
  SHA256: f4c7041916bfc4452007a6ba3b862d0c289463b6aa19c18484e15f74d25a2cc9
  SHA512: bbd0516f5fc777fd9b117c5fd0525ab0a44e6c2da5773a6a3ccd6055e6d5939623fbcd4bd450e8edae181b5617b5cee9b1f61c85f7793c75367d6a2bd25eceb3
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{86A1E92E-36AD-42A4-9A9D-30F5B510C826}.FSD
  Filesize: 128KB
  MD5: 145f257cd19508a565693b2e916fe790
  SHA1: 3cd5eb57b41be3e442c4d4331ecd6a2b658c36af
  SHA256: fb5692ce5ac796ebde379088440fc3de5f7164f025ee0cbc969abbb966506834
  SHA512: 830fb46a39ef56c7c1273331c2178c5080543571a23182a3f82e6015f22a1eb09ef3fe5268beaba05429c1698306fcd604cf1666d596f4218f91bc39653acd0a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AJTUMOT\ghostzx[1].doc
  Filesize: 92KB
  MD5: e6ec31abd924dd83e5829624c8400bfe
  SHA1: 02063a4750762b451c9c7b801858ca45fb26a4aa
  SHA256: 8eb67d4db341e3c1a2494e6cd111add9599850f62f65818dfd9f8f45aa49d257
  SHA512: a25bf31d29e61a0ac04e28f9e2ea00f23914fe4a412fe70e413f66cb8305928266ba6f97e3a4c09fa074f028ee6ccf0f681e113fc185efe196d93c19bce22e74