Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 0s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/06/2024, 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: 67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0.rtf
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0.rtf
  Resource: win10v2004-20240508-en
General
- Target: 67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0.rtf
- Size: 35KB
- MD5: 56b4ddf6c247124f9bc633b06b169a84
- SHA1: f6d0dfca950ccd1fcb92ed511afba92db7edc843
- SHA256: 67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0
- SHA512: 6b9e14c704e944b576091f0339e874ed679eeb6d2eba55bb65826fa66d7cb0856d20e1a99cb3cb40599b1065586a138aacf64617490c1c7a237e67ed61b980a3
- SSDEEP: 384:hWpJrekkBQCwF1YiQwB622Kfc51AD1BMulQGcCAnYuw:hWvSQ3F1YiQwMZFsAulQQAw
Malware Config
Extracted
purecrypter
https://www1.militarydefensenow.com/Stay/Vdopcuygit.vdf
Signatures
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
- Downloads MZ/PE file
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid  | Process
  1988 | EQNEDT32.EXE
- Modifies Internet Explorer settings
  description     | ioc                                                                                                                                                          | Process
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar                                                     | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                        | WINWORD.EXE
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt                                                     | WINWORD.EXE
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                    | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                    | WINWORD.EXE
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0.rtf"
  - Modifies Internet Explorer settings
  PID: 2868
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2736
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Launches Equation Editor
  PID: 1988
  - C:\Users\Admin\AppData\Roaming\igcc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\igcc.exe"
    PID: 2516
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 20KB
  MD5: c1b9166a01053397ed7fa58fa42c5814
  SHA1: 952dfd6d8cb4df52dc23676604c4e0d114ed2186
  SHA256: 2e3a74ec7ebc133c3a69f33b1539f8b571c3080da3823ec2726f115215050eff
  SHA512: f62399e06b31309e79497a3db437aab9aa8235b00df0bd41300654c6ecce53476a56921a7b7508f517657ca04ac80881bd0cbee8b225095692005976029adaf1
- Filesize: 7KB
  MD5: e0354350b177887076f4c89567e0af8d
  SHA1: 999fc3514c83f5b3bfaf899b656a194f7f60ed05
  SHA256: 584c91693287a0d6c66f27a8c0f1841aad3368bc48b9d36b1088548f9f370032
  SHA512: 5972d529569ad3aecd8a02de1b2150a3901e2fe09aa5223956d4fd9f77ec9acd308d938c5748b8e38b6090484d0ec6f288f2295f67a6fcc12b0dc770620600fd