Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2023, 14:42

General

  • Target

    c8b8a5528bbbf36abccffbb089a693ac.exe

  • Size

    36KB

  • MD5

    c8b8a5528bbbf36abccffbb089a693ac

  • SHA1

    1d54bb441e8ff2627a0086dc11a16aa396404751

  • SHA256

    a219b211338a8586c5c0f89bcb6eaea6ed28cee1f76231dd163e66c299efc566

  • SHA512

    83f07e84c1eabf516620d1a2735f02101c974f73576686502ca11691d9f6790a0793f2d31d2e680154260d9a103619ccd41fed3d19366823e5c8a6fe1c389847

  • SSDEEP

    768:Tv+Kf/JQBLGxPP1v0OJUxzTdBtFHyZHzp0sYlPOMWT4kkC4IowGQ+e+8CKyxU0LV:Tv+Kf/JQBLGxPP1v0OJUxzTdBtFHyZHU

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8b8a5528bbbf36abccffbb089a693ac.exe
    "C:\Users\Admin\AppData\Local\Temp\c8b8a5528bbbf36abccffbb089a693ac.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c8b8a5528bbbf36abccffbb089a693ac.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\c8b8a5528bbbf36abccffbb089a693ac.rtf

      Filesize

      4KB

      MD5

      cce1ee2eca38ec5cca3a1dc883ca815e

      SHA1

      447b3209541feb29aef0e8150367f1e9d4777ed5

      SHA256

      d44903105c844b08ebe0822d97c64fb70e7da14fb327ae3a2cad4059d4e10d98

      SHA512

      514b4bce268ddc79696334fae0dc642a97c2582b80648c1ffcd347beed2c70789f7f690eab8c4ed1398492bd1d8edf3e46cff38e22340130fc52d76943583acd

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      26a04b8ab28524d5da16265ac122ac53

      SHA1

      bdfe70ecb7bd2a15330073f092824d8a0b5150cb

      SHA256

      8e584c2f110a5a7cc9f6c45a5c31cc8fa84f27c117d38d33afaf141bb6e3b38e

      SHA512

      1cc937657e26300eefd5706fd4e59e4865ebc3e522d392c1c3865c69b3923324de26bb858c9165acfc4aa6b32aa7266f2851de2f03ca5169837687c26e2ddc81

    • memory/1032-2-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/1032-0-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

    • memory/1032-3-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/3056-7-0x000000002FBC1000-0x000000002FBC2000-memory.dmp

      Filesize

      4KB

    • memory/3056-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3056-9-0x00000000717FD000-0x0000000071808000-memory.dmp

      Filesize

      44KB

    • memory/3056-21-0x00000000717FD000-0x0000000071808000-memory.dmp

      Filesize

      44KB

    • memory/3056-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB