Analysis
max time kernel: 142s
max time network: 38s
platform: windows7_x64
resource: win7v200430
submitted: 09/07/2020, 15:07
Static task: static1
Behavioral task: behavioral1
  Sample: aa2e16eb340092bab078db3f0d8848606f332a7e052888346b3c47ac37a9de77.doc
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: aa2e16eb340092bab078db3f0d8848606f332a7e052888346b3c47ac37a9de77.doc
  Resource: win10
General
Target: aa2e16eb340092bab078db3f0d8848606f332a7e052888346b3c47ac37a9de77.doc
Size: 132KB
MD5: af25d98ae8d414145376cd8f1a30cc91
SHA1: 3564e94e0d449ed7dd5c0013dc11b7efdbd9b13b
SHA256: aa2e16eb340092bab078db3f0d8848606f332a7e052888346b3c47ac37a9de77
SHA512: 4e35717e9d242f81244eb4d7809945d6bc36e2655a5a2f8873a062a7be0c2c34e518ad330cf7297306f691a5c4a9215c9162c8e2eed486bb1467a698a5bb0a91
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid   Process
  676   WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs
  pid   Process
  676   WINWORD.EXE
  (the same entry is listed 16 times)

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 1716
  pid_target: 676
  Process: regsvr32.exe
  procid_target: 23

Suspicious use of WriteProcessMemory 5 IoCs
  description                       pid   Process       procid_target
  PID 676 wrote to memory of 1716   676   WINWORD.EXE   26
  PID 676 wrote to memory of 1716   676   WINWORD.EXE   26
  PID 676 wrote to memory of 1716   676   WINWORD.EXE   26
  PID 676 wrote to memory of 1716   676   WINWORD.EXE   26
  PID 676 wrote to memory of 1716   676   WINWORD.EXE   26

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid    Process
  1716   regsvr32.exe

Office loads VBA resources, possible macro or embedded object present
Processes
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aa2e16eb340092bab078db3f0d8848606f332a7e052888346b3c47ac37a9de77.doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 676

  C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 c:\programdata\19165.jpg
    - Process spawned unexpected child process
    - Suspicious behavior: GetForegroundWindowSpam
    PID: 1716