Analysis
max time kernel: 136s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/02/2023, 17:29
Static task
static1
Behavioral task
behavioral1
Sample
53D7A7E5774BC299D1D70B8764750F34FAA344344B80A7B05DB220D2E02796ED.rtf
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
53D7A7E5774BC299D1D70B8764750F34FAA344344B80A7B05DB220D2E02796ED.rtf
Resource
win10v2004-20220812-en
General
Target: 53D7A7E5774BC299D1D70B8764750F34FAA344344B80A7B05DB220D2E02796ED.rtf
Size: 84KB
MD5: 214a5018ca69057d61ee15f5ca7b3114
SHA1: 950e0046e744400d96ef7761358e85eb6c6fed17
SHA256: 53d7a7e5774bc299d1d70b8764750f34faa344344b80a7b05db220d2e02796ed
SHA512: b66a5589a20f25c72a8ee55079e7b6af012c0a3bafd9732978109ea26201aa450edbdb914006e66e78537c1171c8ba5386c4d80f701102832072f29b228999a3
SSDEEP: 768:KFx0XaIsnPRIa4fwJMxXKMhxJ6mqVptc6O/n:Kf0Xvx3EMImxr+4n
Malware Config
Signatures
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process: WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- pid 4984, Process WINWORD.EXE (listed 2 times)
Suspicious use of SetWindowsHookEx 8 IoCs
- pid 4984, Process WINWORD.EXE (listed 8 times)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\53D7A7E5774BC299D1D70B8764750F34FAA344344B80A7B05DB220D2E02796ED.rtf" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4984