Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    123s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2024, 10:34

General

  • Target

    doc_main_12.docx

  • Size

    121KB

  • MD5

    f724ea66b1851e34bc39ca66b5805966

  • SHA1

    95ffbee0b86ccdb740e179d3126a087d4dbc68fa

  • SHA256

    ab1860985d98dc992cd8d33223286b86d70f926e49b99427eb01daedade1ac17

  • SHA512

    3fb0b6a0639f6b8318a3e4e5b7a0eedf30e8198020a17917ea7a58760bbe70025f885c9f2757852ef2fb5dcf0060ff93ba248b3670c07f260abf1d139c881d46

  • SSDEEP

    3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZxkCw:PLvB83+cySlVYmL6w

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_12.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2016

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      0dcf2ca5907f963a03e77ff3daa2ec5f

      SHA1

      6e1f802efa0bc9e6d0d4cf09123dc39eb23c992a

      SHA256

      ca842bc8bcc219cc61980d3452350777157a17480b8d5e01a903a36381b02945

      SHA512

      26ec58a689a708f608ea25471d41e84ada53cb13447d6a20bd93168b7572f1884bca783f6f8b73357f6d02d1416bd620bc17ebacd49851922a7ff1d22fd28de8

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{65DB2DF3-7DCC-438F-9FA4-32BBB92301EF}.FSD

      Filesize

      128KB

      MD5

      ea0a843a3c64fd757b80d732a57cbd1a

      SHA1

      8be3314940e0ee2b9e00fb6f9621294770216d32

      SHA256

      3e9fda96c9a5d18e854a0b16386e77d463ae8a83519247d1355f040ead9f462e

      SHA512

      6e96f495eda29fa5feda1dc03266bed789ce07af6ad8651cda4947b75b76e75f4dc62efad1178b226958ec1e27dd4d116d09e44054cd12386cfd459a5c2dd462

    • C:\Users\Admin\AppData\Local\Temp\{7EE5B52B-0A6E-48F8-A3CD-021BC042A17B}

      Filesize

      128KB

      MD5

      c800743190bc9bc41358adb6de3e882f

      SHA1

      f251d2267997e6f9f734f0f351750a8270bb12c5

      SHA256

      10a72532d0f893ac2d7aa14523f50e6b8af12662c34a274f98895c2b572bcc7b

      SHA512

      8d39bb4b6a35b5b722c0fbcc37bb5854e8b1919727dfadbff441af7559dfb6d9a343838de9afe6b8d7a85d281ee16bef2e23cfb932ab719159089c405d058069

    • memory/2064-0-0x000000002F511000-0x000000002F512000-memory.dmp

      Filesize

      4KB

    • memory/2064-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2064-2-0x000000007343D000-0x0000000073448000-memory.dmp

      Filesize

      44KB

    • memory/2064-62-0x000000007343D000-0x0000000073448000-memory.dmp

      Filesize

      44KB