Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/08/2024, 23:03

General

  • Target

    9bfa07d40c837fd3a4fb4a7dbdfd058b_JaffaCakes118.doc

  • Size

    239KB

  • MD5

    9bfa07d40c837fd3a4fb4a7dbdfd058b

  • SHA1

    eef867b53ec53f7df7483bc895cc063e6c585d27

  • SHA256

    5d64009a7406933e47907c268730375d04872294a6f87853a1d4f464d113608e

  • SHA512

    22dfe970ea33d914849ef8e4282a81e8b1b0a7d67f7de79025353f5f20fe977ebb053cf9cc2199e521a2228a58bfa3a78e35858259b1d1e7f04285864f02b16a

  • SSDEEP

    1536:AterU1wDv/6MaETOgnHJcIKBC5bvzhQHrTP0yJK/dRYof35FF3rKCIAfMmlL:A/wDvWETOgnHJcIKBs7OQdS02YL

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfa07d40c837fd3a4fb4a7dbdfd058b_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2744
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3056
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1388
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2680
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:3076

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      3d2909ad44e60e58000812e4087f651b

      SHA1

      4769f90ab94b6eead6b0f0bd006474b4fd40b8bf

      SHA256

      a5842dae65931b76ff13cc3dfd8810af9b599cec2e91a960d6d80958b0bceaf1

      SHA512

      516b03256e5c41df858455b5eda38222e105ed2b78161e7b426f8456032560b9711896727cd590faf2ec5ab076a4a5ac7982dd2916a63e13c42aa840c9cf8ff8

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1E17192B-1D62-466A-97AE-7762DDAFBDB9}.FSD

      Filesize

      128KB

      MD5

      ba6db1310622d8c713f379fd3bcbc03a

      SHA1

      ddd3aebca5bd0541c45376384638c814bcb37422

      SHA256

      54f08cf46b5ff6103de42df1f3db5b1f2f33f0de768e9c1fdefc2b9a7a5310f3

      SHA512

      4111dd13411763dc8393eb7127ff08ad921d6c1fbe4cb5ec0d6f2921706166fc322807e2e1fccbe3035775d958a7042ac1e1439b8791c8a7bf8ea06bb9d979d9

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      48214c12a69e1616445d106494fa6673

      SHA1

      69d0c759a670c89020a07959de2b612727b653d1

      SHA256

      153529110004f0fb5ccba3ad978e7864aad6902d17def723614f7880f918758a

      SHA512

      9e18c86ea21f4bde08b9baa523e0ceb341f1a12ed658233262690c5e5764926cf794ea043938d9469614910375065f3afaaa07486fbdeebf011d2136727dbab9

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      a12ed35f53202d0d7240f897981e066a

      SHA1

      937e89313506a5a6cc3e1425916558a3ef57de94

      SHA256

      f9a021d2e01318f654232e45f730164ab3d26c87866fe06c06fb909a0cec0c62

      SHA512

      5be6216c5d178fe4136a9d1dcef0da7207a3da80338a1091ec2f3e9f1b1ffd41f7c87ca2daa60e438e37874a1cd1833196421d304226cd3ec736264fd825d870

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0D277420-B6D9-446C-9104-4D2A3446973D}.FSD

      Filesize

      128KB

      MD5

      9a12a81dfc8a35b91db10dd21c0c1c8e

      SHA1

      ad305d6eea3486debe52d242d4db1a7fbda71b2f

      SHA256

      037882f0e8945badddc5baf384ed09d879c1b69b8adc0a6d26d7c35c19e95fa3

      SHA512

      1bbdbca8ed5c7f3bd1cbb76fb62ab75b4cfb3716f66c979ad950e51700cc43a7acddce51f32a7026c1ad1caa803e1dcf4b52f53532551fd90903a02fd5f69130

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      dd0123a85eabecad111910886c2872b9

      SHA1

      a911ae0f3b7f0d10a65c342c0e7fdb6e82125f17

      SHA256

      36b966789b7392b436ddf0dfc42eaa7e1479046295ce5d1b9ac543948efe6d63

      SHA512

      c47cc5f978edad548a49e7cf06ccc8e5b6bcb5bf3a36b98d3164400402927f4971fdeb5e5b87ad8d069cbf8d62b627192acd1f63b1aa8647b3f57fd880626951

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      9c8fd3a395f4d96a715f3fb2f34bdf32

      SHA1

      3f6b60e659be66d5409982c38f2603c4437e4130

      SHA256

      869717b9d2aa6210f68f6508701f3f0abf0897321ec88efee5b5f21ebd73c87e

      SHA512

      4fc809dfe2214ea77a991c52e3fc16812c5753794b10ec733880c481a3fb5403f2f2e03871c79dc460127853d16145588192a9d5703fb7a1e534ac9fbe0b2913

    • C:\Users\Admin\AppData\Local\Temp\{373F21E1-B4CA-48F6-8A49-470650B10571}

      Filesize

      128KB

      MD5

      4282750c9026ea41a5dd628330834190

      SHA1

      0046ac8444af2b1deb702b03f4c642f8a8e882d0

      SHA256

      c5b5ff96f6297412a144deacdafc83c653f6e13f73f4f1399825c1463cfcf413

      SHA512

      2331a49fa396d5321dac4fc254313197872c0933b74c10732a0ce836b793e3329359ee67ce7fa184e8c1557ead19bd9eb89f38be2dbc3261b5a1389a15dfa6b4

    • C:\Users\Admin\AppData\Local\Temp\{C365CC27-D318-46A7-88B8-505624E31061}

      Filesize

      128KB

      MD5

      21b8da56b159403f708a35eaab3c0825

      SHA1

      60719a70e65621487436bb14be60387a1efd6843

      SHA256

      69e6e70d56f037d5e031a99095b2a668f341f76fdfc43d0d2809e4f3a0354fef

      SHA512

      674fa652616fd22acb5e6939e42208ef3a143131f31504588f642842de33cf52879dc37f31bb0dc7a914436af9c91cde0676753160bda896f4ec865e014a3fbb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      259B

      MD5

      0ac9c717c0791e2abccd209d9766732b

      SHA1

      4c5cdd412ec03186fb86e231203ea90ac1d42fce

      SHA256

      3631545ddc56ffc1c940bac2073b7d7e295d9c9c6199b2c1c8d34c354b69ea42

      SHA512

      a6a57a5ccab29b42c6b74592af19b0fe8a2a4835ec9cd46b0050c39fdb476d5a32f690122a9c94b36a82332b61257e33b92f1479230de6df162829053c10331a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      510a40490d6a7393a89108f124b715cd

      SHA1

      27632aabf7ca5ce94e1274b6a0b0536aa444a3d3

      SHA256

      fe3f0bdf8ca2a54c7046bbfdfeaac455cca5230b22ec8351ad02866a52fa1911

      SHA512

      c48213d9d5ec5d9e3536053961507b63b7ac51a6b3e3329b6ea0b638d9eeac6b9516aa1003ae2dc21fdadfd7a700a15cb5a93a67abd39f57dd700a5f06ce3fdf

    • memory/1388-1049-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1043-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1071-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1069-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1068-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1066-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1065-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1063-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1062-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1061-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1060-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1059-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1058-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1057-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1056-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1055-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1064-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1054-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1052-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1051-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1050-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1067-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1048-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1047-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1046-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1045-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1044-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1070-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1042-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1041-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1039-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1038-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1037-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1036-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1035-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1034-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1033-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1032-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1031-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1030-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1029-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1028-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1027-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1026-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1024-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1023-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1053-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1040-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/1388-1025-0x0000000000500000-0x0000000000600000-memory.dmp

      Filesize

      1024KB

    • memory/2424-55-0x00000000048A0000-0x00000000049A0000-memory.dmp

      Filesize

      1024KB

    • memory/2424-5-0x0000000072F2D000-0x0000000072F38000-memory.dmp

      Filesize

      44KB

    • memory/2424-2-0x0000000072F2D000-0x0000000072F38000-memory.dmp

      Filesize

      44KB

    • memory/2424-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2424-0-0x000000002F591000-0x000000002F592000-memory.dmp

      Filesize

      4KB

    • memory/3056-1008-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB