Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3MsiZap.exe
windows7-x64
3MsiZap.exe
windows10-2004-x64
3adfind.exe
windows7-x64
3adfind.exe
windows10-2004-x64
3croperdate.dll
windows7-x64
3croperdate.dll
windows10-2004-x64
3croperdate.exe
windows7-x64
10croperdate.exe
windows10-2004-x64
10croperdate64.dll
windows7-x64
1croperdate64.dll
windows10-2004-x64
1doc_main_0.docx
windows7-x64
7doc_main_0.docx
windows10-2004-x64
1doc_main_1.docx
windows7-x64
7doc_main_1.docx
windows10-2004-x64
1doc_main_10.docx
windows7-x64
7doc_main_10.docx
windows10-2004-x64
1doc_main_11.docx
windows7-x64
7doc_main_11.docx
windows10-2004-x64
1doc_main_12.docx
windows7-x64
7doc_main_12.docx
windows10-2004-x64
1doc_main_13.docx
windows7-x64
7doc_main_13.docx
windows10-2004-x64
1doc_main_14.docx
windows7-x64
7doc_main_14.docx
windows10-2004-x64
1doc_main_15.docx
windows7-x64
7doc_main_15.docx
windows10-2004-x64
1doc_main_16.docx
windows7-x64
7doc_main_16.docx
windows10-2004-x64
1doc_main_17.docx
windows7-x64
7doc_main_17.docx
windows10-2004-x64
1doc_main_18.docx
windows7-x64
7doc_main_18.docx
windows10-2004-x64
1Analysis
-
max time kernel
123s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
24/12/2024, 10:34
Static task
static1
Behavioral task
behavioral1
Sample
MsiZap.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
MsiZap.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
adfind.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
adfind.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
croperdate.dll
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
croperdate.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
croperdate.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
croperdate.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
croperdate64.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
croperdate64.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
doc_main_0.docx
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
doc_main_0.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
doc_main_1.docx
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
doc_main_1.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
doc_main_10.docx
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
doc_main_10.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
doc_main_11.docx
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
doc_main_11.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
doc_main_12.docx
Resource
win7-20241023-en
Behavioral task
behavioral20
Sample
doc_main_12.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
doc_main_13.docx
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
doc_main_13.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
doc_main_14.docx
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
doc_main_14.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
doc_main_15.docx
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
doc_main_15.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
doc_main_16.docx
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
doc_main_16.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
doc_main_17.docx
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
doc_main_17.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
doc_main_18.docx
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
doc_main_18.docx
Resource
win10v2004-20241007-en
General
-
Target
doc_main_12.docx
-
Size
121KB
-
MD5
f724ea66b1851e34bc39ca66b5805966
-
SHA1
95ffbee0b86ccdb740e179d3126a087d4dbc68fa
-
SHA256
ab1860985d98dc992cd8d33223286b86d70f926e49b99427eb01daedade1ac17
-
SHA512
3fb0b6a0639f6b8318a3e4e5b7a0eedf30e8198020a17917ea7a58760bbe70025f885c9f2757852ef2fb5dcf0060ff93ba248b3670c07f260abf1d139c881d46
-
SSDEEP
3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZxkCw:PLvB83+cySlVYmL6w
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2064 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2064 WINWORD.EXE 2064 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2064 wrote to memory of 2016 2064 WINWORD.EXE 33 PID 2064 wrote to memory of 2016 2064 WINWORD.EXE 33 PID 2064 wrote to memory of 2016 2064 WINWORD.EXE 33 PID 2064 wrote to memory of 2016 2064 WINWORD.EXE 33
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_12.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2016
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD50dcf2ca5907f963a03e77ff3daa2ec5f
SHA16e1f802efa0bc9e6d0d4cf09123dc39eb23c992a
SHA256ca842bc8bcc219cc61980d3452350777157a17480b8d5e01a903a36381b02945
SHA51226ec58a689a708f608ea25471d41e84ada53cb13447d6a20bd93168b7572f1884bca783f6f8b73357f6d02d1416bd620bc17ebacd49851922a7ff1d22fd28de8
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{65DB2DF3-7DCC-438F-9FA4-32BBB92301EF}.FSD
Filesize128KB
MD5ea0a843a3c64fd757b80d732a57cbd1a
SHA18be3314940e0ee2b9e00fb6f9621294770216d32
SHA2563e9fda96c9a5d18e854a0b16386e77d463ae8a83519247d1355f040ead9f462e
SHA5126e96f495eda29fa5feda1dc03266bed789ce07af6ad8651cda4947b75b76e75f4dc62efad1178b226958ec1e27dd4d116d09e44054cd12386cfd459a5c2dd462
-
Filesize
128KB
MD5c800743190bc9bc41358adb6de3e882f
SHA1f251d2267997e6f9f734f0f351750a8270bb12c5
SHA25610a72532d0f893ac2d7aa14523f50e6b8af12662c34a274f98895c2b572bcc7b
SHA5128d39bb4b6a35b5b722c0fbcc37bb5854e8b1919727dfadbff441af7559dfb6d9a343838de9afe6b8d7a85d281ee16bef2e23cfb932ab719159089c405d058069