Analysis
- max time kernel: 135s
- max time network: 146s
- platform: windows10_x64
- resource: win10
- submitted: 09/07/2020, 15:07
Static task: static1
Behavioral task: behavioral1
- Sample: 525e790f37cf273bde111e74f58d80647a0dba23ed706550a162d7fc49a97997(1).doc
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 525e790f37cf273bde111e74f58d80647a0dba23ed706550a162d7fc49a97997(1).doc
- Resource: win10
General
- Target: 525e790f37cf273bde111e74f58d80647a0dba23ed706550a162d7fc49a97997(1).doc
- Size: 147KB
- MD5: 0b486db36068513a35aff302398ac452
- SHA1: 35b3dbd4ee63b8f17f94905a7470fe1dec7ab14d
- SHA256: 525e790f37cf273bde111e74f58d80647a0dba23ed706550a162d7fc49a97997
- SHA512: 51e2ebdebf9faa3a78a6f28eabb0a3d6abe43add7b9b9e890165166e1fb6bed432ee50f1891f6e3c5eeb92bc5e0ef6157671f1b68a1a7d7a9fa1350496b71367
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  - description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process (pid 860, pid_target 3180, Process regsvr32.exe, procid_target 66)
- Suspicious use of WriteProcessMemory (2 IoCs)
  - description: PID 3180 wrote to memory of 860 (pid 3180, Process WINWORD.EXE, procid_target 71)
  - description: PID 3180 wrote to memory of 860 (pid 3180, Process WINWORD.EXE, procid_target 71)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process WINWORD.EXE)
- Suspicious use of SetWindowsHookEx (19 IoCs)
  - pid 3180, Process WINWORD.EXE (19 identical entries)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - pid 3180, Process WINWORD.EXE (2 identical entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3180)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\525e790f37cf273bde111e74f58d80647a0dba23ed706550a162d7fc49a97997(1).doc" /o ""
   - Suspicious use of WriteProcessMemory
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious behavior: AddClipboardFormatListener
   2. C:\Windows\System32\regsvr32.exe (PID 860), child of PID 3180
      Command line: "C:\Windows\System32\regsvr32.exe" ww.tmp
      - Process spawned unexpected child process