Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 22:44

General

  • Target

    Open Records Request - Ortiz.msg

  • Size

    44KB

  • MD5

    c142fa724ad5557d4c72d2c3eb0515b9

  • SHA1

    afc6edb63151cd871c7891fc0c0798fb543d26b2

  • SHA256

    2c3abf658e4ad5a1225e9dd14ac20b789bc38dcd2095a5f941917aacd7e809bd

  • SHA512

    99dce3f6066339b8ada11bd74c7868eff304719fb3ea4d0067852a596d73caee9c6ec983fda8408d230fae0a8963984eae6f61beb4fe30d0d981f5e629821322

  • SSDEEP

    768:IpFTHgavnpP1Zkm66kRpR82/tCfk/NbvG4FO:GFjgyx1Z2hnzlCfk/N

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Open Records Request - Ortiz.msg"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\MB0R0R9A\publickey - ortiz@currentrevolt com - 0xB3952558.asc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\MB0R0R9A\publickey - ortiz@currentrevolt com - 0xB3952558.asc"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

    Filesize

    230KB

    MD5

    afad710a25bfb1b1883078f2a9e69640

    SHA1

    617ecc6f28c9f89a48ada56b2bab98084820f37a

    SHA256

    22ad33bd98f91bab8957375decb1625a445962c3f6622b0786aa0760df6f1655

    SHA512

    ff45eeca69e0f84aa0b84294a4a6c0b98e92a24de49cc4bfce329d4ea8016b0ae13b649339d51a6b64442ae88e381b42cfa893caac5aa22a655549779db961ce

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

    Filesize

    231KB

    MD5

    052be30fa5293e5afc177fdb44378d76

    SHA1

    f106f55e45023d27cf7f29fa8ade29211a343915

    SHA256

    01463a75de5b11441f9a001f45ba386d76fe153d956bb100346f207741246cd4

    SHA512

    4a81056b8152073eb0946ad6fd63e02f60a97ae6062ecf3d6e6daf2235d9988750aa28a5d5841173676c7eb1ee6a62380db4933fd71e0dc5e91895a983d59a41

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

    Filesize

    240KB

    MD5

    f2e7b1aac5107574233975810921777f

    SHA1

    28e18a7b7aeb0b68f9f8c71ef9142597817ef611

    SHA256

    c536adc7f47c688d3db040abbb3a7c4dd0ab817c301800eafbfba4e5c33d91a7

    SHA512

    f8708268cf12c5d4babba8a673cb8ca91a6719788ae6060f10df009e72192ab0ece420c0b23aeaba89969c33d610dff9a455b9cb6841616e9f13802cfc1a9f09

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

    Filesize

    1KB

    MD5

    b4b7c43f7e78e36996eacdb3e7f6ec96

    SHA1

    dbcdb2b1c8cef702336e8e3acdd55bb44e58e828

    SHA256

    8417e94c63fa8ccad391f722b97148f38d523ae78056c31a68675d32445c6678

    SHA512

    31293a59bc69509644b0cccd7be34d0f03ceff124c6d6adff2417483adfd8cf5ef5eedc0a47a297fbbb80e9a0b36ebc7afe9014d24c4d02fd3723ebe511deef3

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\MB0R0R9A\publickey - ortiz@currentrevolt com - 0xB3952558.asc

    Filesize

    600B

    MD5

    00ae5f6c08281e88acb48f50fecad1c3

    SHA1

    7b2007805f37fed804f16d8e865401267d8ed7e9

    SHA256

    d792c7dd98bfb28470a66dd3cf4d6adb52131b77321827221c4cfc5a5c77ff65

    SHA512

    4fa9107bfae482e2a2133f3546d43682e7d6411fec0745a20bb4c585c415a33f47746c59461994e8b0fd9613dcd58cc659b08808a929568c1e3e85c56ab9f9c2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\MB0R0R9A\signature.asc

    Filesize

    258B

    MD5

    934d7fd123ec3f7450fe1b866a306549

    SHA1

    e75d4583defd63c15f9b00e4fb2983184447dcd2

    SHA256

    44a619d972f4ed752bf746dc9643a0b521775acb279e555ab3a3317bd99329af

    SHA512

    215ff258b8851ee7e8556d2cd9f5cee8f4c4e23ed5deeb78c804a7e903c297360e100a9885a513edfc9d395d14b475fe540ebfaa53c2508881bce649778bba1b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\MB0R0R9A\signature.asc:Zone.Identifier

    Filesize

    26B

    MD5

    fbccf14d504b7b2dbcb5a5bda75bd93b

    SHA1

    d59fc84cdd5217c6cf74785703655f78da6b582b

    SHA256

    eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

    SHA512

    aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

  • C:\Users\Admin\AppData\Local\Temp\{D2767434-5744-431E-A2A5-D83F09058E3D}.html

    Filesize

    6KB

    MD5

    adf3db405fe75820ba7ddc92dc3c54fb

    SHA1

    af664360e136fd5af829fd7f297eb493a2928d60

    SHA256

    4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

    SHA512

    69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    649fecbeeb9054785fdb0c9999b6c918

    SHA1

    7f4ace1c4e1d1d5a57a2098053f8649c84da108a

    SHA256

    81c0228b7163caac79e5907f349985af5e551b68cd8a4052a097712cf9ee6243

    SHA512

    a9011eacd0889b25e34b5b3c9317ad529fcd943511d4e962b6901edc09eb2b6c034c68061c5d337098b48f3e928b2f3b920654cfc9c7afdf6bb4bcd8871d85d1

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/2436-1-0x00000000736CD000-0x00000000736D8000-memory.dmp

    Filesize

    44KB

  • memory/2436-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2436-196-0x00000000736CD000-0x00000000736D8000-memory.dmp

    Filesize

    44KB

  • memory/2436-210-0x000000000A570000-0x000000000A5C1000-memory.dmp

    Filesize

    324KB