Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2023, 14:27

General

  • Target

    بررسی شبکه های سنسوری بیسیم در مخابرات/Powerpoint/بررسی شبک�.pps

  • Size

    5.8MB

  • MD5

    024143d90f67bc5e2fc627337b9eaa01

  • SHA1

    fe838ef8c8e16195b2da50162a2b1a53453a2a9e

  • SHA256

    9758f72d461cbb0bb86306bdc378c3fca34ae5cf9430acbecc83809ef438d052

  • SHA512

    a6f88a107c908846f7d26b0127e8b3fcf75b7d29d24f639b179463dfd634e094b5190373ddf2dc7ac3edc22de3ac29eaed091c7a5c1421268998f4324ec6b782

  • SSDEEP

    98304:y1Y0FetZnnqakFWVjA6PvxIHD8z9CYXqvnHvlDpm8ObJ3OLq08tp0:oYket5kF6jAkxIj8z9CGSHdqbJ3eq08E

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\بررسی شبکه های سنسوری بیسیم در مخابرات\Powerpoint\بررسی شبک�.pps"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2284
      • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
        "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 856
        2⤵
        • Process spawned suspicious child process
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\SysWOW64\dwwin.exe
          C:\Windows\system32\dwwin.exe -x -s 856
          3⤵
            PID:2612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\259432299.cvr

        Filesize

        628B

        MD5

        5f9b98053c9b7a80fd650ee453ade775

        SHA1

        66a8e3e9dd3058250c6247a326ccafeea2cddfec

        SHA256

        3d2a69f24bc45709ec8157f1a440404ae5d1e26f2faca467477b1eff6ffc74a2

        SHA512

        20bf03c7c9b937ab547be3a492b101e1cb2b2f49f6dd6fc83f3e88efe2c79165d09256eefdf63c0e9606ce2bc8c8c5f847fb1be1bae099b02d7901aa2023fbac

      • memory/1692-0-0x000000002DAC1000-0x000000002DAC2000-memory.dmp

        Filesize

        4KB

      • memory/1692-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/1692-2-0x000000007232D000-0x0000000072338000-memory.dmp

        Filesize

        44KB

      • memory/1692-4-0x00000000059E0000-0x00000000059F0000-memory.dmp

        Filesize

        64KB

      • memory/1692-11-0x000000007232D000-0x0000000072338000-memory.dmp

        Filesize

        44KB

      • memory/2612-10-0x0000000000200000-0x0000000000201000-memory.dmp

        Filesize

        4KB