Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

3d7cfc88c7...cc.rtf

windows7-x64

6

3d7cfc88c7...cc.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    117s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01/01/2024, 17:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d7cfc88c7d8d19c21f897a2c03801cc.rtf

  • Size

    50KB

  • MD5

    3d7cfc88c7d8d19c21f897a2c03801cc

  • SHA1

    e0a449a97361013e5976791a8f209f3d2f1d1823

  • SHA256

    fe7c9a2b809d7f5a0af5e0d8e8d62fafd2f922d9a24716de495a1398643b53a0

  • SHA512

    7d92aab8c721df48edae9d9ae6e5ade0a651c959ba05ad069a30684397c014ffff6f228fd70bed5e14609f066732584bed1c525a1e2456feed2e5f03c5e377be

  • SSDEEP

    768:uNuAL60V502HFUDmGIFmwFrKBqQA7bzmqhe6XQKOWM2xs/gSdlY:uNuS60V6BhIE8rKAQWzS6gKOWeIl

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3d7cfc88c7d8d19c21f897a2c03801cc.rtf"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
      "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 944
      2⤵
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\SysWOW64\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 944
        3⤵
          PID:2136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\259435341.cvr
      Filesize

      872B

      MD5

      ec492975df14fdde97017437c336878f

      SHA1

      bb27876bbfc5263133e068b7f648fa7f22cee5f6

      SHA256

      7954a8282b88a73c11d42af7e54eb38200aaff23b4e4ed2c877dc207bd12a4b4

      SHA512

      a2b0560bd58effb43060598390933029771968df533a0fa1f2d487f2d2fcc8a26448650091782f813c0567b51b2b603c3b7275daf62460ce57bb99dfa95e7a97

      Download Submit

    • memory/1756-0-0x000000002F131000-0x000000002F132000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1756-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1756-2-0x000000007178D000-0x0000000071798000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1756-8-0x000000007178D000-0x0000000071798000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2136-7-0x0000000000960000-0x0000000000961000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2136-9-0x0000000000960000-0x0000000000961000-memory.dmp

      Filesize

      4KB

      Download