Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2022, 05:56
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.CVE-2017-11882.123.32131.4479.doc
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Exploit.CVE-2017-11882.123.32131.4479.doc
Resource
win10v2004-20220812-en
General
-
Target
SecuriteInfo.com.Exploit.CVE-2017-11882.123.32131.4479.doc
-
Size
902KB
-
MD5
14e71bfacad56de6166395c83933c699
-
SHA1
1fa0a4a175052f723870ec09d170c412db0ebf59
-
SHA256
c822c465c2bbdc12ebf0c636ca46191a91b897286bd551c191d2eaca12d82cce
-
SHA512
ef33018a14fe0773b8ca096cbd70d610ba2f45c9d551e00eda5ebcff2a766022b8d37fc3762f0ac0e06e2951719363545234a7ff9fe02bc526838bd474ab69ce
-
SSDEEP
12288:HKd1FY+QjZH+NDfFaeZyvk+qQOsSRxgPOh40jgV/T6YewuaTxZ1:HwQ9H+NDFa2+qQn+Ph5jlmt
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4624 WINWORD.EXE 4624 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2017-11882.123.32131.4479.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4624