Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/09/2023, 14:11

General

  • Target
    P0_886544GH.docx
  • Size
    35KB
  • MD5
    c06d445343ffca318c836a2854e0e81f
  • SHA1
    2b1115a3ce795f76d496c9c9dad75a15746c57b6
  • SHA256
    83772f2266a95d70e3546525afd3eb6df260045d8ea6eb40c275df4f983a1a52
  • SHA512
    a9eaf3c93bc1838372abc19894049efe24575503712c2fe565058461bc3f8d8ea91422523901cb513b06c59772f377b1d3ff380e157752dee275f98596a231ee
  • SSDEEP
    768:OIqC5f4ZsQlFVA+tIgglgUSYC4O6ZsfiA6O368R0PgoyfiAq4O6cfiAZD4O63nO:OhS07ltIR1C4QK8d0PsKb4+K+D4U

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Abuses OpenXML format to download file from external location
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\P0_886544GH.docx"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2868
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Launches Equation Editor
    PID:1916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8A6687E5-B2E3-4FDC-BFB1-E209BA4B5C2C}.FSD
    Filesize: 128KB
    MD5: 55cdc447575d0d32daded8f53a3a46c5
    SHA1: 7ff1c95fdde434c7b9adeb1e749da178f7c90a3a
    SHA256: 89bc356a1433552cf4f97f9f24413e867d679bddb61a7fa0e6bf21db8f6d7ac5
    SHA512: 2ac4f68fddb98cbb931edcc62facc2d628f8d34a6507bee43f3bed04d82ffaccc764225e529867d960112710a5273adfb430b6422d2cec6ccc3d705ba57a126b

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize: 128KB
    MD5: a6eaaba9bb69f04cb52a82eebcaae4a1
    SHA1: c6986a1e64dd60a1c7ba11d39f5d7e2cd51a315d
    SHA256: 2f4c46ff3d7a66e53ad501d1e83a473752be9c8411a47b7570dbbf9cb438490c
    SHA512: e9df7e7e8a419a2c2877a05742edf9f742aa47537c93bf22f2474ad3efd93f6cd91059c750099339cf98cea1ca3e3cd1405b35443ad80d1e188116c9c2591e6d

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{43A1EF2E-C17A-41AF-B95A-52D8D2CFAF32}.FSD
    Filesize: 128KB
    MD5: e173eb73be6dff8849007052c1849d50
    SHA1: 69d32029e0021df8edbdca7e0a16da54fd58a63c
    SHA256: 9b08dcc28a704cc94066e72a039d7369bb39fb7ab3d06120d0e71d7ac478de2d
    SHA512: 8c7a3ac5f5925971a206def9a836d93dfddafb2854ff9d40d01222004ef1074186d36643b2c403983ae063a4266a5ebb03630bfafceb2af9f244e4dcf3b6420c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\186K4QOS\9O0O0OO0O0o0o0o00o0O0O00O0O00o0o00000000000000##############000000##############00000[1].doc
    Filesize: 26KB
    MD5: 2da63ee990c645c170ef75e4dde91a40
    SHA1: 3702370205d1dfb5792e69c99156499a616cd86f
    SHA256: 5e81a8e2019a95c8ca2101c04991023b4c85bd5b6f4bea3998743d9bda564e84
    SHA512: 10a2651e6a55f2054084914db404edee3cfee5f2b3964ebdd0b57f5f046c95cf116bb6684a45dee43c264fcad8436461405867a70397acd8d7a2c2cb17178170

  • C:\Users\Admin\AppData\Local\Temp\{7E0BD708-4892-4D79-A1FB-21C560BE8BC9}
    Filesize: 128KB
    MD5: ea405cb3855585b248daee1813d049aa
    SHA1: ef6d87d025e81382e9d67ec50adf7489455be77f
    SHA256: 13454e0fa2c8044d03c04eb1adf21ab88bfd272d0ee831192062ca0d16e56fcc
    SHA512: 4419cc6a4b2eea0106d5cf69e3bab2ed90cac5b7173cfb7e4751394f733c95424c54ceea5166d2a92ac94eb4d7b744ce853f8cf66217e52cd27c6a289a5ed8e2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 7230e3bcb180ede448e7f2fc1e335c75
    SHA1: fdd84bb84c512fdb65d50e4b8b753662b39dde59
    SHA256: d34537ebacfd8b55aaa9f4ceba2bf2b0e27ad70db47de50c1196c458b9759df9
    SHA512: 475e1da2add30e073c4dc92bac8af46c9bd111bd9b7076c9f4d84dd8964edf6d4de4bd99d71d8ca000acf406804fa3a1a86ae00b3af5ce9ff24b942ac82c4858

  • memory/1148-0-0x000000002F250000-0x000000002F3AD000-memory.dmp
    Filesize: 1.4MB
  • memory/1148-2-0x00000000715AD000-0x00000000715B8000-memory.dmp
    Filesize: 44KB
  • memory/1148-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/1148-100-0x000000002F250000-0x000000002F3AD000-memory.dmp
    Filesize: 1.4MB
  • memory/1148-105-0x00000000715AD000-0x00000000715B8000-memory.dmp
    Filesize: 44KB
  • memory/1148-127-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/1148-128-0x00000000715AD000-0x00000000715B8000-memory.dmp
    Filesize: 44KB