Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3MsiZap.exe
windows7-x64
3MsiZap.exe
windows10-2004-x64
3adfind.exe
windows7-x64
3adfind.exe
windows10-2004-x64
3croperdate.dll
windows7-x64
3croperdate.dll
windows10-2004-x64
3croperdate.exe
windows7-x64
10croperdate.exe
windows10-2004-x64
10croperdate64.dll
windows7-x64
1croperdate64.dll
windows10-2004-x64
1doc_main_0.docx
windows7-x64
7doc_main_0.docx
windows10-2004-x64
1doc_main_1.docx
windows7-x64
7doc_main_1.docx
windows10-2004-x64
1doc_main_10.docx
windows7-x64
7doc_main_10.docx
windows10-2004-x64
1doc_main_11.docx
windows7-x64
7doc_main_11.docx
windows10-2004-x64
1doc_main_12.docx
windows7-x64
7doc_main_12.docx
windows10-2004-x64
1doc_main_13.docx
windows7-x64
7doc_main_13.docx
windows10-2004-x64
1doc_main_14.docx
windows7-x64
7doc_main_14.docx
windows10-2004-x64
1doc_main_15.docx
windows7-x64
7doc_main_15.docx
windows10-2004-x64
1doc_main_16.docx
windows7-x64
7doc_main_16.docx
windows10-2004-x64
1doc_main_17.docx
windows7-x64
7doc_main_17.docx
windows10-2004-x64
1doc_main_18.docx
windows7-x64
7doc_main_18.docx
windows10-2004-x64
1Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24/12/2024, 10:34
Static task
static1
Behavioral task
behavioral1
Sample
MsiZap.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
MsiZap.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
adfind.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
adfind.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
croperdate.dll
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
croperdate.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
croperdate.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
croperdate.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
croperdate64.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
croperdate64.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
doc_main_0.docx
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
doc_main_0.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
doc_main_1.docx
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
doc_main_1.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
doc_main_10.docx
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
doc_main_10.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
doc_main_11.docx
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
doc_main_11.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
doc_main_12.docx
Resource
win7-20241023-en
Behavioral task
behavioral20
Sample
doc_main_12.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
doc_main_13.docx
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
doc_main_13.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
doc_main_14.docx
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
doc_main_14.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
doc_main_15.docx
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
doc_main_15.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
doc_main_16.docx
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
doc_main_16.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
doc_main_17.docx
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
doc_main_17.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
doc_main_18.docx
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
doc_main_18.docx
Resource
win10v2004-20241007-en
General
-
Target
doc_main_16.docx
-
Size
114KB
-
MD5
d1cd86a4572904aa404db206145ca5e9
-
SHA1
f23229508e921464239d47847a1ede463ab23f3a
-
SHA256
cf6de01b3d6fbf8bbf229cd6b0b15dc100fcfdbda8899de0fccb632ff0c72311
-
SHA512
127a16d3eb9420e0936c7311e6dc85629d894c63b7a259435182ec4229bc1066f58afbd100d46ee8581aa03ee16287fbee2edaf7007e3926cd57a463a5234d7d
-
SSDEEP
3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZm:PLvB83+cySlVYmLl
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2384 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2384 WINWORD.EXE 2384 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2384 wrote to memory of 1744 2384 WINWORD.EXE 32 PID 2384 wrote to memory of 1744 2384 WINWORD.EXE 32 PID 2384 wrote to memory of 1744 2384 WINWORD.EXE 32 PID 2384 wrote to memory of 1744 2384 WINWORD.EXE 32
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_16.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1744
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FAEF7007-4653-433B-8AD7-629738DD3E31}.FSD
Filesize128KB
MD5d9148779860374e8f15bd69b145e53d8
SHA15269cb541207315c77cc52e31f3861a4b54eec50
SHA25681f6d91d1a54574a8513f0b3e35046cb626adba2cdfba848873b87fdc415b4a7
SHA512ab37d3927f70306c0f318c2d3a4249181d331cae8a865625a229f11efc544cc9eed1b8b6891bd8f44ec51a299047ea4e902575edc4d7b06a389d08d279b8fbdf
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD50eb57cc39d619a88c3667adf990c8feb
SHA12bcf60b10ebae38036971f9e0a73fad90f55b45b
SHA2564d7608e48a8d90e82c723a8883b243913a218c75f0b1e0281cae4e7ccff7bb17
SHA5127fc3d91e5e4f27aafbad472ceed8a5b316d09767d033af5106736768571f2cf8051f12f87546827c7224ab083458b1c26c3886616c16dbe8319532cd7d70c320
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{59AEDECC-5A2F-4A8A-85A1-8D9B32E82570}.FSD
Filesize128KB
MD5c0e34faded85c4a2d40b7e379fb3adb7
SHA1b7f567b6d21631a604c7e12de4c57d756da63deb
SHA2561238255ae696d3728cbdc4a2c8c66f939b3cd04c38c4b61a41c315d7d8497f19
SHA512397e25c040fbc8390f24e9923e6d1a2bfe7f3d822c9b5ef7658ee635490dfcd6d31f23d259c7ce2832fb60e22105afd9fa159ae11b96a308f82fb7efcc46ea9f
-
Filesize
128KB
MD5c36d97de4d624a78c773b10c0c8ba55f
SHA1d1307099f0848dd6536bae406750b210e55ced54
SHA25632dab6438f883b4b7f6070de63417913d2d8fd5016b2e92216a306ae0c8d73ed
SHA5121630009322fe55909e8ccd284eed4f12f3f4a60d30f0002143b89abe50b2e581ce04f96b2533122de5e3e017c05995c1291326879ad52021eb75d3455228320d