Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    0s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/06/2024, 01:42

General

  • Target

    67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0.rtf

  • Size

    35KB

  • MD5

    56b4ddf6c247124f9bc633b06b169a84

  • SHA1

    f6d0dfca950ccd1fcb92ed511afba92db7edc843

  • SHA256

    67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0

  • SHA512

    6b9e14c704e944b576091f0339e874ed679eeb6d2eba55bb65826fa66d7cb0856d20e1a99cb3cb40599b1065586a138aacf64617490c1c7a237e67ed61b980a3

  • SSDEEP

    384:hWpJrekkBQCwF1YiQwB622Kfc51AD1BMulQGcCAnYuw:hWvSQ3F1YiQwMZFsAulQQAw

Malware Config

Extracted

Family

purecrypter

C2

https://www1.militarydefensenow.com/Stay/Vdopcuygit.vdf

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Downloads MZ/PE file
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0.rtf"
    1⤵
    • Modifies Internet Explorer settings
    PID:2868
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2736
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Launches Equation Editor
      PID:1988
      • C:\Users\Admin\AppData\Roaming\igcc.exe
        "C:\Users\Admin\AppData\Roaming\igcc.exe"
        2⤵
          PID:2516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        c1b9166a01053397ed7fa58fa42c5814

        SHA1

        952dfd6d8cb4df52dc23676604c4e0d114ed2186

        SHA256

        2e3a74ec7ebc133c3a69f33b1539f8b571c3080da3823ec2726f115215050eff

        SHA512

        f62399e06b31309e79497a3db437aab9aa8235b00df0bd41300654c6ecce53476a56921a7b7508f517657ca04ac80881bd0cbee8b225095692005976029adaf1

      • C:\Users\Admin\AppData\Roaming\igcc.exe

        Filesize

        7KB

        MD5

        e0354350b177887076f4c89567e0af8d

        SHA1

        999fc3514c83f5b3bfaf899b656a194f7f60ed05

        SHA256

        584c91693287a0d6c66f27a8c0f1841aad3368bc48b9d36b1088548f9f370032

        SHA512

        5972d529569ad3aecd8a02de1b2150a3901e2fe09aa5223956d4fd9f77ec9acd308d938c5748b8e38b6090484d0ec6f288f2295f67a6fcc12b0dc770620600fd

      • memory/2516-15-0x0000000001330000-0x0000000001338000-memory.dmp

        Filesize

        32KB

      • memory/2868-0-0x000000002FF71000-0x000000002FF72000-memory.dmp

        Filesize

        4KB

      • memory/2868-2-0x000000007126D000-0x0000000071278000-memory.dmp

        Filesize

        44KB

      • memory/2868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2868-22-0x000000007126D000-0x0000000071278000-memory.dmp

        Filesize

        44KB

      • memory/2868-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB