Analysis
- max time kernel: 136s
- max time network: 143s
- platform: windows10_x64
- resource: win10v200430
- submitted: 09/07/2020, 10:44
Static task: static1
Behavioral task: behavioral1
- Sample: 91154f00f6a9b655f48a2e5988b92a66d07aaffc252150298a19e566cba9e694.doc
- Resource: win7
Behavioral task: behavioral2
- Sample: 91154f00f6a9b655f48a2e5988b92a66d07aaffc252150298a19e566cba9e694.doc
- Resource: win10v200430
General
- Target: 91154f00f6a9b655f48a2e5988b92a66d07aaffc252150298a19e566cba9e694.doc
- Size: 147KB
- MD5: 888dced0beca26f8f50fe090dacae376
- SHA1: 3f483175ebf4e45923ad12d4f3769e96dc1166c6
- SHA256: 91154f00f6a9b655f48a2e5988b92a66d07aaffc252150298a19e566cba9e694
- SHA512: 7a00d75b63d9d907c73eb9076b1092c86b912229a01a81c800ec672c3ed63f749d323cead32609c24296fae69ebb0110de242635198bb1c8765c51fc05491c11
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (2 IoCs)
  - PID 1520 wrote to memory of 3852 (pid 1520, Process WINWORD.EXE, procid_target 71)
  - PID 1520 wrote to memory of 3852 (pid 1520, Process WINWORD.EXE, procid_target 71)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process WINWORD.EXE)
- Suspicious use of SetWindowsHookEx (19 IoCs)
  - 19 entries, all pid 1520, Process WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - 2 entries, both pid 1520, Process WINWORD.EXE
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  - Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process (pid 3852, pid_target 1520, Process regsvr32.exe, procid_target 67)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1520)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\91154f00f6a9b655f48a2e5988b92a66d07aaffc252150298a19e566cba9e694.doc" /o ""
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Child: C:\Windows\System32\regsvr32.exe (PID 3852)
    Command line: "C:\Windows\System32\regsvr32.exe" EA.tmp
    - Process spawned unexpected child process