Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

PO and Ord...n.docx

windows7-x64

7

PO and Ord...n.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2023, 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO and Order specification.docx

  • Size

    175KB

  • MD5

    3c8033913e9981ba10cfd879eff50628

  • SHA1

    a9c83534e89ef972d2d253134dbfd4a83b88d21b

  • SHA256

    88410eb4e61b84fec94a16ca8182c7e8241f16cee114c066fe36540d6f63549c

  • SHA512

    b3a811657a4604236a49a984873c568087a3a30b35c7f8097be3932122dde70e77c0ee9768658f27a804969d17339bcf4fb0cd3f47af1adb17c681723f24fabf

  • SSDEEP

    3072:ZJ6Df0ZFivqx4ja1/WFKW6vh5KabwkiXEswvH2QMHSu1zgLI0HWf2pTyz8elCXT4:HWf0Ovqx4jm+KW6vvKUiXV2HxGS8gLIl

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO and Order specification.docx"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{AEA24AD8-ED2C-4E3F-9AC1-E98E659D518F}.FSD
      Filesize

      128KB

      MD5

      76fb964c54e785ef2a4d4a6bac6e5eab

      SHA1

      c4608d4d9ca1468bc1a3dd77e39130aa6852c3e3

      SHA256

      e86d4668552ee730b9db6f7e6f88d72bdde518f91b78d432fa6e68655cb06223

      SHA512

      036f71e0a2ef52375356383f30c6735737990e6b719387fe3d88b1b87b67462faf70e501cf761a78b91a9202d62bf893d2ca0932f95957e2f9678ebba7e91a63

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      3347ffb242d6ecc061bfff28ecece843

      SHA1

      3a884169f19c1e391ff812507b6b235b78eb47a8

      SHA256

      85edef53473cf908c86caaaed57b03d54f4b4c19d26690046ad792e8dc042c5a

      SHA512

      a8346c340e65eef50a12ef828c1852c508756bf1e9e48b34ecaf7bc7f82d5cb4ed22e7aceeb1c6a798094759aa6037b53244d77161861f4f2f47121f202c4873

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{3E75E2F3-8C98-4BFC-8914-61A6B506EED0}.FSD
      Filesize

      128KB

      MD5

      b3b7d8ed1fd6723da2c224465c6a8c3e

      SHA1

      97e89d5adc21a374040427fcae79e8935b9818a1

      SHA256

      95356490633e1ba858d8cbcd35ea041d75241077b30d53d0dd11e7c7ef1c90f4

      SHA512

      183bddf19940189d27a655b2716aa9e542172116c227f5b56210ee3aa982533594cc3d7476e5b9841e1ac4d1893e8e8dbcb8ce7f6fe1e2e77998eccd5db3ea41

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{90E2C4E3-DCFF-459C-A511-4FED84193DD4}
      Filesize

      128KB

      MD5

      55911169c3fd9af2438107204b2693bf

      SHA1

      c95355ab9f9b8607d708481dfed78c1d3bc98725

      SHA256

      0a240479e55d29ba863215089258cf1d0f80b6bf52380082135012b0ba1f73c9

      SHA512

      3a6ed51303b7d0251d00569bef35d387a14cf20d8e62f60f3af2327c09eaec7382bb07524a8f45aa04ea608abb7ae5622d4c2bc87a54074fd807d01f8cc64242

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      5240c1504347684d013011a7391bbc50

      SHA1

      11b0acd830b9609587845e54fbde7d1c53a6a13b

      SHA256

      09cfe8c828e0b4125b727e1f1c89e92c692fa8e625f639ab1150f082a233ba94

      SHA512

      9e1ee5f7e5938c773a3cbd65bee439096de81d32fc93ab22e3bbbb7295ec7c02162ac9ff1f1adfc6c7078c53a2872c8903936aed6d997435520cc9f385fa7d91

      Download Submit

    • memory/2212-0-0x000000002F9A1000-0x000000002F9A2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2212-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2212-2-0x000000007140D000-0x0000000071418000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2212-5-0x000000007140D000-0x0000000071418000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2212-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2212-113-0x000000007140D000-0x0000000071418000-memory.dmp

      Filesize

      44KB

      Download