Tasks

| Score | Task / Sample | Platform |
|---|---|---|
| 10 | Static | static |
| 3 | MsiZap.exe | windows7-x64 |
| 3 | MsiZap.exe | windows10-2004-x64 |
| 3 | adfind.exe | windows7-x64 |
| 3 | adfind.exe | windows10-2004-x64 |
| 3 | croperdate.dll | windows7-x64 |
| 3 | croperdate.dll | windows10-2004-x64 |
| 3 | croperdate.exe | windows7-x64 |
| 10 | croperdate.exe | windows10-2004-x64 |
| 10 | croperdate64.dll | windows7-x64 |
| 1 | croperdate64.dll | windows10-2004-x64 |
| 1 | doc_main_0.docx | windows7-x64 |
| 7 | doc_main_0.docx | windows10-2004-x64 |
| 1 | doc_main_1.docx | windows7-x64 |
| 7 | doc_main_1.docx | windows10-2004-x64 |
| 1 | doc_main_10.docx | windows7-x64 |
| 7 | doc_main_10.docx | windows10-2004-x64 |
| 1 | doc_main_11.docx | windows7-x64 |
| 7 | doc_main_11.docx | windows10-2004-x64 |
| 1 | doc_main_12.docx | windows7-x64 |
| 7 | doc_main_12.docx | windows10-2004-x64 |
| 1 | doc_main_13.docx | windows7-x64 |
| 7 | doc_main_13.docx | windows10-2004-x64 |
| 1 | doc_main_14.docx | windows7-x64 |
| 7 | doc_main_14.docx | windows10-2004-x64 |
| 1 | doc_main_15.docx | windows7-x64 |
| 7 | doc_main_15.docx | windows10-2004-x64 |
| 1 | doc_main_16.docx | windows7-x64 |
| 7 | doc_main_16.docx | windows10-2004-x64 |
| 1 | doc_main_17.docx | windows7-x64 |
| 7 | doc_main_17.docx | windows10-2004-x64 |
| 1 | doc_main_18.docx | windows7-x64 |
| 7 | doc_main_18.docx | windows10-2004-x64 |
Analysis (score 1)
- max time kernel: 123s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2024, 10:34
Static task: static1

| Behavioral task | Sample | Resource |
|---|---|---|
| behavioral1 | MsiZap.exe | win7-20241010-en |
| behavioral2 | MsiZap.exe | win10v2004-20241007-en |
| behavioral3 | adfind.exe | win7-20240903-en |
| behavioral4 | adfind.exe | win10v2004-20241007-en |
| behavioral5 | croperdate.dll | win7-20241010-en |
| behavioral6 | croperdate.dll | win10v2004-20241007-en |
| behavioral7 | croperdate.exe | win7-20240903-en |
| behavioral8 | croperdate.exe | win10v2004-20241007-en |
| behavioral9 | croperdate64.dll | win7-20240708-en |
| behavioral10 | croperdate64.dll | win10v2004-20241007-en |
| behavioral11 | doc_main_0.docx | win7-20240903-en |
| behavioral12 | doc_main_0.docx | win10v2004-20241007-en |
| behavioral13 | doc_main_1.docx | win7-20240708-en |
| behavioral14 | doc_main_1.docx | win10v2004-20241007-en |
| behavioral15 | doc_main_10.docx | win7-20240903-en |
| behavioral16 | doc_main_10.docx | win10v2004-20241007-en |
| behavioral17 | doc_main_11.docx | win7-20240903-en |
| behavioral18 | doc_main_11.docx | win10v2004-20241007-en |
| behavioral19 | doc_main_12.docx | win7-20241023-en |
| behavioral20 | doc_main_12.docx | win10v2004-20241007-en |
| behavioral21 | doc_main_13.docx | win7-20240903-en |
| behavioral22 | doc_main_13.docx | win10v2004-20241007-en |
| behavioral23 | doc_main_14.docx | win7-20241010-en |
| behavioral24 | doc_main_14.docx | win10v2004-20241007-en |
| behavioral25 | doc_main_15.docx | win7-20240903-en |
| behavioral26 | doc_main_15.docx | win10v2004-20241007-en |
| behavioral27 | doc_main_16.docx | win7-20241010-en |
| behavioral28 | doc_main_16.docx | win10v2004-20241007-en |
| behavioral29 | doc_main_17.docx | win7-20240903-en |
| behavioral30 | doc_main_17.docx | win10v2004-20241007-en |
| behavioral31 | doc_main_18.docx | win7-20240708-en |
| behavioral32 | doc_main_18.docx | win10v2004-20241007-en |
General
- Target: doc_main_17.docx
- Size: 120KB
- MD5: 3385539be81277524f7544ec50ec64d2
- SHA1: ad9ce8f19e5e9443f4f931b5cfc0ad1a6dd0fa9d
- SHA256: 88c4e69990bf79f0d77b2d524ed2ec146f8f20e4ecad0a1f39eddd32b3ab3315
- SHA512: 886f4a61baeb5e00a19638b41a7ae2e497f76faf12a11279f9be1777c9c0784b3647404c5cdd801a0a1cb4d5f5a026664f6c155e42ce5799af247b6b20d674ce
- SSDEEP: 3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZJP5zgy:PLvB83+cySlVYmLGPNgy
Malware Config
Signatures
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory (1 IoC)
  - File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  - Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  - PID 2364, WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 2364, WINWORD.EXE (2 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2364 (WINWORD.EXE) wrote to memory of PID 1092; procid_target 33 (the same entry is recorded 4 times)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2364)
  - Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_17.docx"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\splwow64.exe (PID 1092)
    - Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path listed)
  - Filesize: 128KB
  - MD5: 80a71d83ca4f979ccbc79f1dc45fe14d
  - SHA1: 2c26f71393b22f9ed61a8b32e1bb42a2fd341c63
  - SHA256: 46f103d8d54ce2a98d960aa6c25896076c80cbd08cf287e358583a6d880abeed
  - SHA512: 5c96b183a7c4f1a60a28d52775dcfd4dbb83ef9bff11b7bae6e987f6ff77b83ea6e41388b7ac9ca655c3735652022e33a3dbef3be28c8788fb7ba16f698a476d
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D3568DDD-5E86-41E8-A273-831A9D28D5DE}.FSD
  - Filesize: 128KB
  - MD5: 85ac02f318301f4fed1e2f9aa9e3ba22
  - SHA1: 133652efa46daa2a79876d20b34ebc03c264d0ef
  - SHA256: a44637ad113975fd07c7a065b877e18af8cc39308d47ef103735ba008cf2af2c
  - SHA512: 48d793b473af6bee34a72e5415146749d400b42f443a1af6c529dde9bd5c1b39bdc36e019e94911d316445b5e5faa266c07c912c6bf4ba9c60d201a70a49a98a
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  - Filesize: 128KB
  - MD5: 2ffcd7f337061febb899e67bf27a8730
  - SHA1: eccc1392d6a3a54e6dc0a5d93511a91fc49f10b6
  - SHA256: 45b43254fec2436b1846edd035a0068f962fc87fdd2239a684b0047c4e2cbff6
  - SHA512: 0d8d61bb1ba49e083ce9897e6f06a85ad728ca0ffbabc09794f0542563fe5f81039e1e5f8fca93409e9085249b3ea227fe1910c2297dd88822f7ffbd2b880948
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5754746E-9F00-40DE-82F1-FC79A219F2C6}.FSD
  - Filesize: 128KB
  - MD5: 393466c517873e3de2c6ab14b1d58ab8
  - SHA1: 1f8000b5942c3b1adf1ced89b79ddcc46f63f6e2
  - SHA256: fbbc4a629cbf78c1820c4f3280b69e00fd1789e032f6cc18f742228d31e59bd1
  - SHA512: 0f42e1d6e02f57c8fe35eb7d653c5999389e7ea392a84a7d1cbac995dd37c4c5b0f41a1c1b76ed193a8e0f322e130c700d93d63fc9e4fa0cefd4144652f9be99
- (no path listed)
  - Filesize: 128KB
  - MD5: 49fb2d779d39d30e1cc7bdc0a501d3bb
  - SHA1: 69e50ca05b7da55413bc7ce3467c1bc2dbf9e7be
  - SHA256: 10f445fda71bffe0f9357ca965af47a9651129fca48546ce1cdf7a2c2b9146f9
  - SHA512: 5ea1e86769b516af59fd052c53d0c40ab051d5883cbad9cef6c5ccb7d9cbdd3748276fb17069bb63f009fc36f5f765de99a1473377e0be9e8b40551b14e4f3ea