Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 30/08/2023, 09:41
- Static task: static1
- Behavioral task: behavioral1 (sample MT103.rtf, resource win7-20230712-en)
- Behavioral task: behavioral2 (sample MT103.rtf, resource win10v2004-20230703-en)
General
- Target: MT103.rtf
- Size: 2.7MB
- MD5: 0e94677f6640d3cda39138601e7dd82b
- SHA1: ee39f7527ce696a2998b6312cf8807fc4a3f6ea3
- SHA256: 4fa32c417f3c773dac915a446b84d135130f548fd1c36626bea1d83dfa710523
- SHA512: f6b2db33927975a7db3ef341b6abe7bd7053d1b950f0f3c3ab846bc40b39d26229d78503b7a6759511876ffc8753cb09b0b6e201e86eda7c70d88182878db85d
- SSDEEP: 24576:0csbD+4ybRtDAVrA5cYJKAK2hyin32lMO:S
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 2752  A.X
- Loads dropped DLL (2 IoCs)
  PID 1192  cmd.exe (reported twice)
- Drops file in Windows directory (1 IoC)
  C:\Windows\Debug\WIA\wiatrace.log opened for modification by WINWORD.EXE
- Launches Equation Editor (1 TTP, 2 IoCs)
  Equation Editor (EQNEDT32.EXE) is a legacy Office component often targeted by exploits such as CVE-2017-11882. It is started through COM activation (-Embedding), so it shows up in the process list as its own tree root rather than as a child of WINWORD.EXE; the telling sign is what it spawns. In this run PID 2828 launched cmd.exe (PID 1192), which ran the dropped %tmp%\A.X (PID 2752); PID 1148 launched nothing.
  PID 2828  EQNEDT32.EXE
  PID 1148  EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 1152  WINWORD.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1152  WINWORD.EXE (reported twice)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1152  WINWORD.EXE (reported twice)
  PID 2872  EXCEL.EXE
- Suspicious use of WriteProcessMemory (12 IoCs; each source/target pair is reported four times)
  source PID  source process  target PID  target process  procid_target
  2828        EQNEDT32.EXE    1192        cmd.exe         30  (x4)
  1192        cmd.exe         2752        A.X             33  (x4)
  1152        WINWORD.EXE     2412        splwow64.exe    36  (x4)
Processes
- WINWORD.EXE, PID 1152
  image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MT103.rtf"
  signatures: Drops file in Windows directory; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - splwow64.exe, PID 2412
    image: C:\Windows\splwow64.exe
    cmdline: C:\Windows\splwow64.exe 12288
- EXCEL.EXE, PID 2872
  image: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
  signatures: Suspicious use of SetWindowsHookEx
- EQNEDT32.EXE, PID 2828
  image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  signatures: Launches Equation Editor; Suspicious use of WriteProcessMemory
  - cmd.exe, PID 1192
    image: C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c %tmp%\A.X
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - A.X, PID 2752
      image: C:\Users\Admin\AppData\Local\Temp\A.X
      cmdline: C:\Users\Admin\AppData\Local\Temp\A.X
      signatures: Executes dropped EXE
- EQNEDT32.EXE, PID 1148
  image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  signatures: Launches Equation Editor
- excelcnv.exe, PID 2460
  image: C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
  cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
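The process tree above is the part of this report a detection engineer would turn into a rule. The following Python script is an added example, not part of the tria.ge report or its export format: it rebuilds the tree from process-creation records and flags the Equation Editor abuse chain. The PIDs, image paths and command lines in SAMPLE_EVENTS are copied from the report; the parent links (ppid) are inferred from the tree depth shown above, and the pid/ppid/image/cmdline field names are an assumed, Sysmon-like schema.

```python
"""Detect the EQNEDT32.EXE -> cmd.exe -> dropped-EXE chain from process events.

Added example, not part of the tria.ge report. SAMPLE_EVENTS is constructed
from the report's process list; ppid links are inferred from the tree depth
shown there, and the field names are an assumed Sysmon-like schema.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

EQUATION_EDITOR = "eqnedt32.exe"
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# The dropped payload in this report runs from the user's Temp directory.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed from the report's process tree; ppid None marks a tree root.
SAMPLE_EVENTS = [
    {"pid": 1152, "ppid": None, "image": OFFICE14 + r"\WINWORD.EXE",
     "cmdline": f'"{OFFICE14}\\WINWORD.EXE" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\MT103.rtf"'},
    {"pid": 2412, "ppid": 1152, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 2872, "ppid": None, "image": OFFICE14 + r"\EXCEL.EXE",
     "cmdline": f'"{OFFICE14}\\EXCEL.EXE" -Embedding'},
    {"pid": 2828, "ppid": None, "image": EQNEDT, "cmdline": f'"{EQNEDT}" -Embedding'},
    {"pid": 1192, "ppid": 2828, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c %tmp%\A.X"},
    {"pid": 2752, "ppid": 1192, "image": r"C:\Users\Admin\AppData\Local\Temp\A.X",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\A.X"},
    {"pid": 1148, "ppid": None, "image": EQNEDT, "cmdline": f'"{EQNEDT}" -Embedding'},
    {"pid": 2460, "ppid": None, "image": OFFICE14 + r"\excelcnv.exe",
     "cmdline": f'"{OFFICE14}\\excelcnv.exe" -Embedding'},
]


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def build_tree(events):
    """Index events by pid and link every process to its parent, if known."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"]) for e in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestors(procs, p):
    """Parent, grandparent, ... up to the tree root (nearest first)."""
    chain = []
    while p.ppid in procs:
        p = procs[p.ppid]
        chain.append(p)
    return chain


def detect(events):
    """Return (rule, pid, detail) findings for the Equation Editor abuse pattern."""
    procs = build_tree(events)
    findings = []
    for p in procs.values():
        # Rule 1: Equation Editor renders a formula and exits; any child at all is
        # abnormal. This is the report's 2828 -> 1192 edge; PID 1148 has no child.
        if p.name == EQUATION_EDITOR and p.children:
            findings.append(("eqnedt32_has_children", p.pid,
                             ", ".join(c.name for c in p.children)))
        anc = ancestors(procs, p)
        # Rule 2: a shell whose direct parent is Equation Editor.
        if p.name in SHELLS and anc and anc[0].name == EQUATION_EDITOR:
            findings.append(("eqnedt32_spawns_shell", p.pid, p.cmdline))
        # Rule 3: anything below Equation Editor that executes from the user's
        # Temp directory (the dropped A.X here), however many hops down.
        if USER_TEMP.match(p.image) and any(a.name == EQUATION_EDITOR for a in anc):
            findings.append(("eqnedt32_descendant_in_temp", p.pid, p.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid:<5} {detail}")
```

Two things the sample makes visible: EQNEDT32.EXE is COM-activated (-Embedding) and so has no WINWORD.EXE parent, which is why the rules key on Equation Editor's descendants rather than on the Office parent; and the A.X payload is only caught by walking the whole ancestor chain, since cmd.exe sits between it and EQNEDT32.EXE.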
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25KB
  MD5: e36b6261e06d7383b8e5599ef5173f34
  SHA1: faae09ffc95a8276a09a16f1dcaaa4db9b4edd91
  SHA256: 08666166b6f367e2832fa367749c0ee722aca082166650814e93c07cd624c574
  SHA512: 24a77c12050af79026b2187c0ba7348ed927a437abfd72e7405051332491d72a992f7fce7de5990067f9bbb450392caf331e79889127584d1202fa315b947c12
- Filesize: 1KB
  MD5: 472f8b56bf1beca321e01daf0b815f26
  SHA1: ef78df0487b046c700d6f1b7a8a586c90684ebaa
  SHA256: 1dfb9e124862c25f5c77111f715a1381f9f278375a1365486ac4ebf0c0c55f48
  SHA512: 0776711cf335f4c80eaa3cda0f7919e068777fe126b98359bf3d2cf0213edb74c5b34c8ffed68533d8fcb0edd960e64f19c74800126e50c11efcd7153914d250
- Filesize: 1KB
  MD5: 1e90722a40bf5ef1e724906c4937d36c
  SHA1: 2634a7ef4ef481cd8e53dfe8ea8d2de4f4096fc1
  SHA256: 802da35963ba77e71c69cb5c668ed02430d8cb8a048cee34f307dfd096005c5f
  SHA512: 0e008f340030d3ecb17ab52d015471cda742dfee3338eca7146cef3b6c046d965e675ad38888acc5c230310897960e78f7fb24887d102110c7d0a1b5ed5a9225
- Filesize: 1.2MB (the report lists this entry four times with identical hashes)
  MD5: c814855148dcf1c6d780378dea621099
  SHA1: a59b62ae1280e25f48d1e576bdd63e6397f5d76c
  SHA256: f822a8f545d2d49584374fe2a28c2ff73806841005b6ac53d3763ff736e4ed7c
  SHA512: c249197ebd60427d25093e743074878b42f8bad3f3fc05e102fa3180300cf2739383bbcfcf98c6479dd49dd90096910b354264ba331b8c0f4cd9f6e3a73d3ccf
- Filesize: 20KB
  MD5: 2c2201099c571759b845212509632b48
  SHA1: f24ecf3721396c6216575d6d1794f566e97d9480
  SHA256: 19276029aaa985be79753abf438a2479209a6e536a12168540732b28bd051e6e
  SHA512: 87848d5c6c54ec88f439cbeb7264291f369063d058a8075875bf413f4d86868c297fec4bd17fa201ffd821bfb7284b8382a332151070b327981611c18f1357e3