Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

4

Static

static

1

70e9a5a639...18.rtf

windows7-x64

4

70e9a5a639...18.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/05/2024, 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70e9a5a639645b4f1efebc63377a6152_JaffaCakes118.rtf

  • Size

    8KB

  • MD5

    70e9a5a639645b4f1efebc63377a6152

  • SHA1

    cd6c681eecf5faf4d24fbd681e27d2bb22b35bb8

  • SHA256

    33e8ba9204ef77197e700f57e8e75b691ac4a354bf5dbc1e0112a7127916872f

  • SHA512

    86a69689974353344d4b352b737cfd3bc3f7ba64c373895a382ba191dbd33d256c0f71b2ae9cb0efe30c64f8b12de4b98109d56e166f59078712109c5cb82eda

  • SSDEEP

    96:uBbvxIWDOLCBTmhd8jw1JYNsSbcc+NjcXOVHj/Vfqe7Ag:2DxzBJCdGEJRHhh7jA4

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\70e9a5a639645b4f1efebc63377a6152_JaffaCakes118.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2604
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Launches Equation Editor
      PID:2096

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      f0587385dbedf82e331e1696efd7946a

      SHA1

      c7f1f07660f49fe1134407ccd87930973720fb41

      SHA256

      08ab24d35c3cd9708a313d1e5e735cf6cd77aeb1e70743d8c6f21526ffb430e5

      SHA512

      b462d0c08d0cd279965a103126dc476f1e0e82bb4738a78fd9e9eaafa6d3c942f639dc7a7d89cc29c8d9c9dc5f5fd49e6538b6419f30ee00ca84ccf9c924a694

      Download Submit

    • memory/2748-0-0x000000002F5C1000-0x000000002F5C2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2748-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2748-2-0x00000000711BD000-0x00000000711C8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2748-11-0x00000000711BD000-0x00000000711C8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2748-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download