Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    01/07/2024, 05:20

General

  • Target

    2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls

  • Size

    973KB

  • MD5

    08d16f26dc58a3565b478a5ef975e844

  • SHA1

    c47387a591bb42c39a43f90e30ef26e8726d8ca4

  • SHA256

    060da027a490aacf135d894ecf1f158568af1257d4003716cd93d416fa8f508d

  • SHA512

    be279977d3f916fd06097f0ab8d66d9380f0358ba40841bbc8c1a0c441a32f8b81ea82c7138a7b25e8f91cecc6732ccaef984a0ea3a74efeb9fd1c2045bd70c3

  • SSDEEP

    12288:TEMdFhqCSBFbYJ3Kev5ZGbJMo4iP9HA8BuXvKBfFUl9v1RQ3l16WGZeo5iokzhVv:gMp+7YJ3KcQ5IiBurvHQVoWG0Pv

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
      "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 932
      2⤵
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 932
        3⤵
          PID:2628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\259394281.cvr

      Filesize

      524B

      MD5

      7fb9b4f50d0cc416f72d5bef17025e49

      SHA1

      ec64b90173fda99b7552d2cf3c51803500216e0c

      SHA256

      477707bf7f1eeb65c47b9a76a92b622f50cce464f790e8b55aa7126c1c2652a3

      SHA512

      65dd84e67548715d490f2222169beb118e963a56f12913472f7196e5505caab490c7ca76c2f0e4c62f9d4b4f5392cd3969d81eb5f6c250c7f8497b90a5a8e612

    • memory/2628-4-0x0000000000300000-0x0000000000301000-memory.dmp

      Filesize

      4KB

    • memory/3056-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3056-1-0x0000000072A3D000-0x0000000072A48000-memory.dmp

      Filesize

      44KB

    • memory/3056-5-0x0000000072A3D000-0x0000000072A48000-memory.dmp

      Filesize

      44KB