Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/08/2024, 19:10

General

  • Target

    9b4554b39a888954f5c77cb0eaf0df26_JaffaCakes118.doc

  • Size

    238KB

  • MD5

    9b4554b39a888954f5c77cb0eaf0df26

  • SHA1

    89b7a87dd52ed5040741a867000404783c388adc

  • SHA256

    ff3abd547bbac577c8dfa13433f00fea54dccf71bdbf46d3cc96a1dc1a7b4e79

  • SHA512

    bfc266e0a94a35c9bacfa8d609f0d02960e065699b14c5ea1e1591bbf60beac81d7a20230cad9393d1a80e069691f74057fff83f097c86aab9bfc1025fcd1e14

  • SSDEEP

    1536:XterT1w1vN8M/EfOgnPJceKBCwbaxEHrTPAyNK/dRYf+ZnjO3zzdrIhD:XAw1vPEfOgnPJceKBDaSYdSlal

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b4554b39a888954f5c77cb0eaf0df26_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2248
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2608
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2840
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1956
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2220

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      8e72fffaec881140f20b9b17ed8f2607

      SHA1

      898599a42e0774c738f2b973be727f0908e1cbfc

      SHA256

      2297f03c877fcf7db677590708d612c5087c8c04dc27e5a70673cd99de9e83ec

      SHA512

      b27ce47fd3ffa2a78e6f5a9be3682fb93039365c3ba6b2e8526149d30d4c9cbc00c08b7056dd3cb5e8674847430e442430f7503b3dd59594e8d796f488ba6aa6

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C4AE037E-34DA-4A54-8E61-303C8A524C74}.FSD

      Filesize

      128KB

      MD5

      6e8de4ed5b8dec957b17b60d73e70304

      SHA1

      39896c753d5d9f8631d9e9be0cb5974054c52d83

      SHA256

      be8accc689ccd091ced063278be25abc8c0db83c5dfce09771151ca7f22679fb

      SHA512

      f7eb704e38c8535fde0a7647c1bcc38a6d71775f97a37af57d278d0a273a660cec6d7559cc7ad9918fb2f99deae3814587abc6ad5970b3c45bcc871da080ac0e

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C4AE037E-34DA-4A54-8E61-303C8A524C74}.FSD

      Filesize

      128KB

      MD5

      444db8b609c53829a8220e0de8712df8

      SHA1

      3e8897ef94f40082337de342f6f458afb33be9d9

      SHA256

      c760190e22bd3ea6fba8b6d25c1416687d58693a6d1df6f3256d3afd5c90916c

      SHA512

      a583bc47600b5de34005179e10701559b2a1afae5e7c343148dd0b1cb4b2588ddeddeee7dd047263c41a82cb01ed12b5f21bd9b3ceae60945d7c1c464a5562bf

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      fb296f108c4ec9efa19e41dfc0e472bb

      SHA1

      9888aaa52aa23ad18e9a6d35dd57c9a5d812a67f

      SHA256

      abf7f26ca00a173588b32a282a4af617ecc10a6ea9c1ee1008ba1e57e0dabe7d

      SHA512

      d1f4fa6f7154483f7a9cc8f2bdedbe4cca77d9fb476ada4e52eadac9b3738cd3f6edc5f31d3cca136520251318730ec752260b7d91a5d9ff73f053ce16f92f35

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      b671017517930948d123ecbabc03eb4f

      SHA1

      77530e759da4dbc5641df57b16bdeadc0217eaef

      SHA256

      6eece09df684be77760547f3e52e14e027fe39d2e753815ec60e06bca6ed6837

      SHA512

      d35ce05ab38dc135215f61d63a842ab69b7ae455f926df464e4fad9dba9e956eb898f4aceb1ee6c6eccc1459d15eee70a7f6145a8cba226b26e1ed4af1e321be

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BEC422B5-D4DD-4EEC-B703-AEAD70B7DC6C}.FSD

      Filesize

      128KB

      MD5

      a276bd5108eb10db35276ac5f2fbed77

      SHA1

      de3cdc4c0bd599f7670cde9aa5478f22abf09fd5

      SHA256

      bd98941f5c2c94bb1365da3921d96fb56cb0e8369303653bc1a4b0dc721738ec

      SHA512

      3677783f1f6e557d07a354fafe550e70cece632a7730de1bb18117cce0792241fa6b96115e172dd2ba24d1f7c27d1588bd6d3b593c93dea2a0e13cfd46573685

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      c3d1a44b84dcfb68e48ca117a306b766

      SHA1

      c71849ff8915d701ee1eff10832715f2582819b6

      SHA256

      f99a62929d79ec10606aa06f2d25e9e800257b1ca6bd4b81a6352c483d2096ab

      SHA512

      04e748b70d67380a99c40814f95924bbcc557bd9bd225979a2efbf2f774c2e1ef7e1af5eea5cecfe13e205e07557b0da00fd272abaa8094f5cfa9225238ec6bc

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      112435b10e96968d48617d6d59dd6b7d

      SHA1

      c28a43a49269c6f91357d0acf2e1ad09f1343ff3

      SHA256

      7b500fdfc28c602fdf8bcb3d34954b1ef2550bf2c54d50612e996b5f0f267ccf

      SHA512

      d6335e6ca4434f66e5a08c9bcbc86ad4920fd2eff58c6b82ca8cce83c523063b1b2039a2c726f0935a52e1a8462c19c81208a10be899cc3affd0577ad991ee6e

    • C:\Users\Admin\AppData\Local\Temp\{4DBDFA2A-31D5-4DD5-8393-2B5ECF38C044}

      Filesize

      128KB

      MD5

      a9b1cdbf93f08e9be4ec866bbbe204b0

      SHA1

      6954494441f8e9ecb0241195678dab4be71c8fef

      SHA256

      7dfc30720c34e18558aead4406eb2e22e5888e0b2f2532812466f283c1d05550

      SHA512

      0a6c4e9baab3f0d014fb581e72ae7660059b2a872b3f5c1545d1c249ec278a6aba53f1ae98feebf2d6130c616fbb2eb911c340ae4ced392dd32dfe797280c8c3

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      f7cead06f753114befa377273ea7bec3

      SHA1

      a5abddbf30472d3fec88bc286c1dbcb0967af698

      SHA256

      c7f8e50218cb1fcc72ea7329cb19f99c0a3538d5d69b918dfa2fee7b0c0d8388

      SHA512

      b6871ea62f57b30992885f39de5924c080e3bebe903a3daef02674a3f8c9e8fe9064af3c5be1bf24c275e98b4e8e03923aa3c7eff440d16eed146c16dc213656

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/2608-1014-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2692-60-0x000000000F4A0000-0x000000000F5A0000-memory.dmp

      Filesize

      1024KB

    • memory/2692-59-0x0000000000780000-0x0000000000880000-memory.dmp

      Filesize

      1024KB

    • memory/2692-957-0x0000000000780000-0x0000000000880000-memory.dmp

      Filesize

      1024KB

    • memory/2692-9-0x000000007185D000-0x0000000071868000-memory.dmp

      Filesize

      44KB

    • memory/2692-2-0x000000007185D000-0x0000000071868000-memory.dmp

      Filesize

      44KB

    • memory/2692-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2692-0-0x000000002F081000-0x000000002F082000-memory.dmp

      Filesize

      4KB

    • memory/2840-1071-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1061-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1034-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1039-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1038-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1037-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1036-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1035-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1073-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1078-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1077-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1076-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1075-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1074-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1072-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1033-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1070-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1069-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1068-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1067-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1066-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1065-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1064-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1063-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1062-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1053-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1060-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1059-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1058-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1057-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1056-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1055-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1054-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1052-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1051-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1050-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1049-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1048-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1047-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1046-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1045-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1044-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1043-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1042-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1041-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1032-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1031-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1040-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB

    • memory/2840-1030-0x00000000003D0000-0x00000000004D0000-memory.dmp

      Filesize

      1024KB