Analysis
- max time kernel: 127s
- max time network: 25s
- platform: windows7_x64
- resource: win7v200430
- submitted: 11/07/2020, 07:24
Static task: static1
Behavioral task: behavioral1
- Sample: raccontare.07.08.2020.doc
- Resource: win7v200430
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: raccontare.07.08.2020.doc
- Resource: win10
- 0 signatures
- 0 seconds
General
- Target: raccontare.07.08.2020.doc
- Size: 134KB
- MD5: bcc82032ede3c935fd6e7c1deb1ad072
- SHA1: 33e69f3c2a77b369421bbd315f5ed2d2e94160a2
- SHA256: 2b276d5638fef9e9774853b42fe3626c15a13653423c2da87638f725b687696b
- SHA512: aa491163724907095ca85bced842f203e70c843f0d1eeb1b10bfd8f81684169297ee92f07de2451f03f1463075ca51795446fcc5faacdc0dd67971edbbc0cb52
Score: 10/10
Malware Config
Signatures
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid 376, Process WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid 376, Process WINWORD.EXE (16 identical entries)
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid 1116, pid_target 376, Process regsvr32.exe, procid_target 23
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 376 wrote to memory of 1116
  pid 376, Process WINWORD.EXE, procid_target 28 (5 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 1116, Process regsvr32.exe
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (PID: 376)
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\raccontare.07.08.2020.doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe (PID: 1116)
    Command line: regsvr32 c:\programdata\64632.jpg
    - Process spawned unexpected child process
    - Suspicious behavior: GetForegroundWindowSpam