Analysis

  • max time kernel
    148s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2024, 19:01

General

  • Target

    974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc

  • Size

    242KB

  • MD5

    974b3f4d15efa34e473f00b267b356ad

  • SHA1

    b3bd2f8b2afa3dcf59af11852f72ea217470773e

  • SHA256

    4ac75a46b0893f4225cd7aeffa73fc9876277928900b4d4acaf5b6c0aa09dbcc

  • SHA512

    db53fc827ab948fdb74abc6d3ad63b8a0feb244f4615fd9a104c4458cfbf17295af88588f729e83dbb2dd8bba16b7d485154b84c58c8a34e3559f8f54b577329

  • SSDEEP

    1536:rterTkw9HnXPJguq73/IKB5Kby0gLIHrTPsyBK/dRYd0x+FTHeWkhIfcsew4smu:rvw9HXPJguq73/IKBWyeAdSd/TH0IUsT

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2300
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2084

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C78830CC-0915-4993-827B-0A48A3866C00}.FSD

      Filesize

      128KB

      MD5

      8fed2d7ef99e5e5ad8aaa978c553ee52

      SHA1

      208a27832a27ffca4d4b2eadb505a72f521dc507

      SHA256

      22e55a2cc45463bd24d9609e549b8d085d417ceb8751b8c92d9ee0081b80b42f

      SHA512

      07504ed908846030321c421806e6866e57d935f54f567a35b71270e6ec0334f145c7a39a39d1c1870054b979e9b0e6343091a6a6f7ff40dfa9407fa3f0aca656

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      2a8e505ec954a95b3331637f82e924b8

      SHA1

      908981db4411e55dcc9cfcc4e272240e4c5cb167

      SHA256

      014680edd5a2b13b7fd405fdfbfbf3aae80d357dc528935ee91413287c76febf

      SHA512

      b4501c958983e96f19e1e4a1ad08aa91bdca07108e68c263db7d8a768eb8a3306410c69b083d878ac70efd4814b1b0c385812f89d83df3430cf5eaf09cb29f6c

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9C003E0C-BAA9-46C3-83E3-86A8FD30EAB7}.FSD

      Filesize

      128KB

      MD5

      829dd9ac26c3c1349c6e3deea497201d

      SHA1

      d20fd6ae7bc3fd9ffa02a3938300220a0bfb8d26

      SHA256

      7b0d75317a35f0d8eb34c099f08de898d955724962278ecc7d10cbce304decde

      SHA512

      c99a931a07d8ef5737a6225d893a91e7db901f0b0aaca252de7fde071b736e8881aa298e5afae0e41a07c6e177de6aabb1c949c450525bf708c7fc2f6246a55b

    • C:\Users\Admin\AppData\Local\Temp\{41E5475B-2DA7-4089-9B52-34C7D331C3C1}

      Filesize

      128KB

      MD5

      7a24f8d4a9947a3d70e2cbb026f423ea

      SHA1

      17555b84028ee25b5176b02ea37e1a1aebb4e7d9

      SHA256

      e90bb9a3c00793574bed1f8408126541ccf69e4866c12e36aa8400fba185c2e9

      SHA512

      c1fb0d4fe0303251c4549f4bada351bd4050a97c27405c5c5934cc0419a89bb95edced76595767944537aba4189aeafd2940dc6a9739701ba65d06ba021add30

    • memory/1688-0-0x000000002F791000-0x000000002F792000-memory.dmp

      Filesize

      4KB

    • memory/1688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1688-2-0x000000007115D000-0x0000000071168000-memory.dmp

      Filesize

      44KB

    • memory/1688-5-0x000000007115D000-0x0000000071168000-memory.dmp

      Filesize

      44KB

    • memory/1688-13-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-19-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-56-0x0000000007150000-0x0000000007250000-memory.dmp

      Filesize

      1024KB

    • memory/1688-57-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-55-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-53-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-52-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-51-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-50-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-49-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-48-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-47-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-46-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-45-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-44-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-42-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-41-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-40-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-39-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-38-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-37-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-36-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-35-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-34-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-32-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-31-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-27-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-26-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-25-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-23-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-71-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-54-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-22-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-21-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-20-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-18-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-17-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-16-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-15-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-14-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-12-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-11-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-10-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-9-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-8-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-43-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-33-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-29-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-30-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-28-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-24-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-7-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-511-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/1688-512-0x0000000007150000-0x0000000007250000-memory.dmp

      Filesize

      1024KB