Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 16/07/2024, 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: 9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a.rtf
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a.rtf
  Resource: win10v2004-20240709-en
General
Target: 9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a.rtf
Size: 7KB
MD5: d0d1fba6bb7be933889ace0d6955a1d7
SHA1: 97b1bf8f984ce9c17e48473409b9670741260ed5
SHA256: 9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a
SHA512: d9bfcffbdfc91f11b32aa09d0e013b4a7a84d383b66c062d3f139b02de03dff9dd03fb29c8f2c27156aa7ff43bd3af60dcb2233bbb3132891f731030b383f9f9
SSDEEP: 192:j7j4rIbadfwQkkS3KiZ6pL9lDOVMNcKYb4+r/ewc2:j7jqJqa+vc4ewc2
Signatures
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log by WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  PID 2596: EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 3008: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3008: WINWORD.EXE (reported twice)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3008 wrote to memory of 2516 | 3008 | WINWORD.EXE | 32 (the same IoC is reported four times)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 3008)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9ce32ce5e2b70fec7f749e7868d89a4e3e739fed9c75cd6c4ec6eafde4c3711a.rtf"
  Signatures: Drops file in Windows directory; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 2516)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2596)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures: Launches Equation Editor

Two points worth reading off this tree. First, EQNEDT32.EXE appears as a second root rather than as a child of WINWORD.EXE: the -Embedding switch is the one COM passes to an out-of-process server it activates on the client's behalf, so a detection keyed only on WINWORD.EXE as the parent process will not catch this launch; key on the EQNEDT32.EXE image name (and on anything EQNEDT32.EXE itself spawns) instead. Second, the WriteProcessMemory hits are WINWORD.EXE writing into splwow64.exe, the 32-bit-to-64-bit print driver host that 32-bit Office uses on x64 Windows; on its own that is a routine interaction, and the signal in this report is the Equation Editor launch, not the memory writes.
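The "Launches Equation Editor" signature is the behavioural view; the static check a practitioner runs before ever detonating an RTF is to pull the embedded OLE objects out of the file and read the class name carried inside \objdata, rather than trusting the \objclass control word, which an attacker is free to set to anything. The script below is an added example, not tria.ge's code or output, and it does not analyse the sample above: it builds its own constructed RTF (zero-byte placeholder payloads, no exploit) and scans it. The OLE 1.0 header layout it parses (OLEVersion, FormatID, length-prefixed ClassName/TopicName/ItemName, NativeDataSize) is the format RTF stores under \objdata; the sample class names and the mismatch heuristic are the example's own choices.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Tuple

# OLE class name that Office hands to EQNEDT32.EXE to render.
EQUATION_CLASS = b"equation.3"

OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b\s*((?:[0-9A-Fa-f]|\s)+)")


def lpstr(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read an OLE 1.0 LengthPrefixedAnsiString: u32 length (incl. NUL), then bytes."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n].rstrip(b"\0"), off + n


def parse_ole1(blob: bytes) -> Tuple[int, bytes, int]:
    """Parse the OLE 1.0 object header stored under \\objdata.

    Layout: OLEVersion u32, FormatID u32 (2 = embedded, 3 = linked), then
    ClassName, TopicName, ItemName as length-prefixed strings, then
    NativeDataSize u32 followed by the native payload.
    Returns (format_id, class_name, native_data_size).
    """
    _version, fmt = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = lpstr(blob, off)
    _topic, off = lpstr(blob, off)
    _item, off = lpstr(blob, off)
    (native_size,) = struct.unpack_from("<I", blob, off)
    return fmt, class_name, native_size


@dataclass
class Finding:
    objclass: str      # class the RTF \objclass control word claims
    ole_class: str     # class the OLE 1.0 header inside \objdata actually carries
    native_size: int
    suspicious: bool
    reason: str


def scan_rtf(rtf: bytes) -> List[Finding]:
    """Decode every {\\object ...} group's \\objdata hex and classify the object."""
    findings = []
    # Split on each "{\object" so that \objclass and \objdata are paired per object.
    for group in re.split(rb"\{\\object\b", rtf)[1:]:
        claimed = OBJCLASS_RE.search(group)
        data = OBJDATA_RE.search(group)
        if not data:
            continue
        blob = bytes.fromhex(re.sub(rb"\s+", b"", data.group(1)).decode("ascii"))
        _fmt, ole_class, native_size = parse_ole1(blob)
        objclass = claimed.group(1) if claimed else b""
        reason = ""
        if EQUATION_CLASS in ole_class.lower():
            reason = "embedded Equation Editor object; Office will start EQNEDT32.EXE to render it"
        elif claimed and objclass.lower() != ole_class.lower():
            reason = "\\objclass does not match the OLE class name in \\objdata"
        findings.append(Finding(objclass.decode("latin-1"), ole_class.decode("latin-1"),
                                native_size, bool(reason), reason))
    return findings


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE 1.0 embedded-object blob (constructed test data, not a real object)."""
    def lp(s: bytes) -> bytes:
        s += b"\0"
        return struct.pack("<I", len(s)) + s
    return (struct.pack("<II", 0x0501, 2)          # OLEVersion, FormatID = embedded
            + lp(class_name) + lp(b"") + lp(b"")   # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native)


def build_rtf(objects: List[Tuple[bytes, bytes]]) -> bytes:
    """Wrap (claimed \\objclass, OLE blob) pairs in a minimal RTF body (constructed)."""
    parts = [b"{\\rtf1\\ansi "]
    for claimed, blob in objects:
        parts.append(b"{\\object\\objemb\\objclass " + claimed
                     + b"{\\*\\objdata " + blob.hex().encode("ascii") + b"}}")
    parts.append(b"}")
    return b"".join(parts)


# Constructed sample, unrelated to the analysed file: an Equation.3 object whose
# \objclass claims to be a picture, plus an ordinary embedded Word document.
# Native payloads are zero bytes, not an exploit.
SAMPLE_RTF = build_rtf([
    (b"Word.Picture.8", build_ole1(b"Equation.3", b"\0" * 32)),
    (b"Word.Document.8", build_ole1(b"Word.Document.8", b"\0" * 64)),
])

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} objclass={f.objclass!r} ole_class={f.ole_class!r} "
              f"native={f.native_size}B {f.reason}")
```

Run against a real RTF with `scan_rtf(open(path, "rb").read())`. The classification deliberately reads the class name from the decoded OLE header, because that is what Office uses to pick the server (here EQNEDT32.EXE), whereas \objclass is only a hint; a mismatch between the two is itself worth flagging. Heavily obfuscated RTFs (control words split by junk, \bin-encoded data, nested groups) will need a tolerant tokenizer such as the one in oletools' rtfobj, which this example does not replace.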
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b6052c0bfdf729defcda65dc60b96a09
  SHA1: 9e28f321bb7fe666c6287ee54aba88341c5dc65a
  SHA256: 57bde8872e0e4c3db91e52fd0b3ec4e295f6b2b524e796c56e489fbddc61074c
  SHA512: a8a36f0cf7b00d9670d4703e4036f079df4b6f7f82aae1c8ab5b192b051c3df35e938e47e0bfacf9fae5b803e100b79b64a3584fbb80c49e61c9dd2693cb80c9
- Filesize: 19KB
  MD5: 666c7d98f1ad7d532036334a17aec96c
  SHA1: e85f1566aeff7d991752f827ac07219815f576c2
  SHA256: 8647d2c8e6ec71bf4650fb5be697d6d78685d16bbde630db8f64c3007d4e4061
  SHA512: 1a34aee1e5640deb779aa3378f02855956036f8688ce621da0cae49cc01e7581a3e25baed4d7d1caf2347244a7ba51bb9459cf9c1c9bd414f49aa3540a6bc6ef