Analysis
- max time kernel: 124s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/11/2022, 19:21
Static task: static1
Behavioral task: behavioral1
- Sample: ec6aeeafb59a287ec5a9a4dfd878ce142e2185e17fc33a9811bf67efb21d183d.doc
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ec6aeeafb59a287ec5a9a4dfd878ce142e2185e17fc33a9811bf67efb21d183d.doc
- Resource: win10v2004-20220812-en
General
- Target: ec6aeeafb59a287ec5a9a4dfd878ce142e2185e17fc33a9811bf67efb21d183d.doc
- Size: 38KB
- MD5: 3f9b19b3687b173bf3bb4d4a22eafecf
- SHA1: 0fc6aa08b16fb03efe93ccb82f6024c20eb456b1
- SHA256: ec6aeeafb59a287ec5a9a4dfd878ce142e2185e17fc33a9811bf67efb21d183d
- SHA512: e39a52ae42591196f3143d26256d3cee332f43e75968344c76cabb2817ee8b0f763915eb8e19ee39409d6e3df443c57abfee1a70d7c271e1f4d764329cfb9516
- SSDEEP: 384:4RNGnPBG+ipNfCjIMxpiSZfI/PKRitHLmQBcrPcrnodYZc5Gh6:sGPBhipNfCjIMzAPo6HqQRcAh
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process: WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - pid 4972, Process WINWORD.EXE (listed 2 times)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  - pid 4972, Process WINWORD.EXE (listed 14 times)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ec6aeeafb59a287ec5a9a4dfd878ce142e2185e17fc33a9811bf67efb21d183d.doc" /o ""
  PID: 4972
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx