Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

Part numbe... 6.xls

windows7-x64

8

Part numbe... 6.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2023, 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Part number 91875-11400 x 6.xls

  • Size

    416KB

  • MD5

    66bd2064e933a06c4af53c4347c8de9e

  • SHA1

    f8d79bb57a9d26cc95c7401f6ca962cdf59a0034

  • SHA256

    1eb2d10deb038b86eaaadece40a705184b6f8ed3a24cb1f0804a1e556923e45c

  • SHA512

    021dd1fe5592efbfd3c8d772bbcc33be0535ca5e9425a86c575e39fa6f307da25c2ad6c30c413e3a604fef2592a3ef5ca37dd752c43f45f68ed78b9199654d27

  • SSDEEP

    12288:JFesxot3VtvejSD/WtH3JYqFxM8Am+ROYJUK:JFes2XwWD/WhZYkrA1OYi

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Abuses OpenXML format to download file from external location
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Part number 91875-11400 x 6.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1248
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1772
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\processer.vbs"
        2⤵
          PID:1520

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1DB590E1-3906-4BAF-B533-E70052D44D75}.FSD
        Filesize

        128KB

        MD5

        852318b62115cfb0a93efa8c70442c22

        SHA1

        5787f65757b312a356f229268437a74965efae12

        SHA256

        024a8690889461cb0f31a686ed65135fb03b2858048e688ffaa6ca2a591a3fb9

        SHA512

        827f4fb512a20e00266e4bcd9c17e1bdc4d389bdd8e1292a9c11f4e03853e80b8ff946d320fae65eae39921717cc1db966532ac209afb0ed2cec8c2a500d72f1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
        Filesize

        128KB

        MD5

        a93bde90b656ef9767876cbf086cbfc3

        SHA1

        235bb9029b465948f3edab3359ea93df5dcd3e13

        SHA256

        bd2e5ea1feddec485cabab316dd4031d568378f46bf6d1bd3f8f32f0fcb8073c

        SHA512

        7341c1c732f687041520b179f5d28bacd567ffebcfb5601c89675225e040d750e57bab8a2b05eb1bf9084b8159982618688a8f8721355a4a5e422e9b94e17717

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NO1NR40C\ioi0ioi0ioioioo0IOIOI0IOoioi0ioii0IOIIOII0I0oioiioi0ioi0000##############00000000##############0000000[1].doc
        Filesize

        33KB

        MD5

        de3b51e37b7edd56b0ac9ccf49580ea5

        SHA1

        6daa943aa301b406e528584d42e4071e56c9fc7e

        SHA256

        12ca6fd65bdfb318cbfa0090317052ec53d70f67a9802a721cd361e090e4e33f

        SHA512

        090858e453de3032ce2143461a1ed6e9f307483a5dfaec0faa15328c577d87ba64a2a445de0e2030ea567a55e3a4093da03e86534896767ed9b34b82e305fa49

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49826173.doc
        Filesize

        33KB

        MD5

        de3b51e37b7edd56b0ac9ccf49580ea5

        SHA1

        6daa943aa301b406e528584d42e4071e56c9fc7e

        SHA256

        12ca6fd65bdfb318cbfa0090317052ec53d70f67a9802a721cd361e090e4e33f

        SHA512

        090858e453de3032ce2143461a1ed6e9f307483a5dfaec0faa15328c577d87ba64a2a445de0e2030ea567a55e3a4093da03e86534896767ed9b34b82e305fa49

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{B84E35CB-125A-4992-8E9B-8A1D79610C5C}
        Filesize

        128KB

        MD5

        08caeb5243dee8b84f5a02081c5ebed6

        SHA1

        e2642e64832f4a9438ab788bcff1db1efaea6875

        SHA256

        5604b0c3f35ba30e78acfec5e928d5ba5671d077380553c837b88ea23050c1cd

        SHA512

        5d8f3ab14163e79076b712a71c85b65116372a0c7331bd05b17fc610ba0a54754ebebfd31ddd023c560650b4fb2784ecc7df52b184030380858dac2c04ca6705

        Download Submit

      • C:\Users\Admin\AppData\Roaming\processer.vbs
        Filesize

        3KB

        MD5

        ccfc898a9a58be3f3a5d75c30841de07

        SHA1

        52ab9ae5d1f4a8a0796beb4c2bf055589c7a9cfc

        SHA256

        e867f8b902faf8bb06cb401701fd0a4b26fe5fc39324866d82b9b98a7877a7b8

        SHA512

        6c8c4fbbbc0e38f42be845557a43c5e3dfc5e7536f8c470f20ac79157dd53775362268402cd94114dcd373285ab815dd80463d915143cb45c89d082d37fae9aa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\processer.vbs
        Filesize

        3KB

        MD5

        ccfc898a9a58be3f3a5d75c30841de07

        SHA1

        52ab9ae5d1f4a8a0796beb4c2bf055589c7a9cfc

        SHA256

        e867f8b902faf8bb06cb401701fd0a4b26fe5fc39324866d82b9b98a7877a7b8

        SHA512

        6c8c4fbbbc0e38f42be845557a43c5e3dfc5e7536f8c470f20ac79157dd53775362268402cd94114dcd373285ab815dd80463d915143cb45c89d082d37fae9aa

        Download Submit

      • memory/1248-9-0x00000000024C0000-0x00000000024C2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1248-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1248-1-0x000000007292D000-0x0000000072938000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1248-110-0x000000007292D000-0x0000000072938000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2660-8-0x00000000036F0000-0x00000000036F2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2660-6-0x000000007292D000-0x0000000072938000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2660-4-0x000000002F5E1000-0x000000002F5E2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2660-111-0x000000007292D000-0x0000000072938000-memory.dmp

        Filesize

        44KB

        Download