Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/08/2024, 01:02

General

  • Target

    985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc

  • Size

    205KB

  • MD5

    985b1fff593020af8a5dab1b9a431863

  • SHA1

    1649a3103088c85fc304760c552f8bd30b7a7502

  • SHA256

    15dd0ac560d8c37a7b49998aef5111f5615cbd1c3ff7e570e387684ffde709af

  • SHA512

    af573a28c12016fade1ead01386f493d8fc7e09b951058095697cdbb19b692d9b35a78d514840f4673473369d0f1999981a133b3057b24a19901f660c7a3f445

  • SSDEEP

    1536:ctPrT8wrLT0NeXxz1Dwe2HrTPNyD5J8bPtjhMEbFXk3mdYis/:c2w3keXxz1Dfug4qEZX0L9

Score
7/10

Signatures

  • Abuses OpenXML format to download file from external location (5 IoCs)
  • Drops file in Windows directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2716
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3044
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:504
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2240
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:864
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2260

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4EBC3FF6-3874-44BB-B795-2EDBE190D48C}.FSD

      Filesize

      128KB

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4EBC3FF6-3874-44BB-B795-2EDBE190D48C}.FSD

      Filesize

      128KB

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4353EB84-202E-4476-A9C7-47E014AAD3DB}.FSD

      Filesize

      128KB

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4353EB84-202E-4476-A9C7-47E014AAD3DB}.FSD

      Filesize

      128KB

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

    • C:\Users\Admin\AppData\Local\Temp\{5639E7B1-8E06-4A69-99A5-1992C6853266}

      Filesize

      128KB

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

    • memory/2368-0-0x000000002F991000-0x000000002F992000-memory.dmp

      Filesize

      4KB

    • memory/2368-55-0x0000000004D30000-0x0000000004E30000-memory.dmp

      Filesize

      1024KB

    • memory/2368-5-0x00000000717FD000-0x0000000071808000-memory.dmp

      Filesize

      44KB

    • memory/2368-2-0x00000000717FD000-0x0000000071808000-memory.dmp

      Filesize

      44KB

    • memory/2368-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3044-1014-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB