Analysis
- max time kernel: 127s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/05/2023, 04:42 UTC
Static task
static1
Behavioral task
behavioral1
Sample
ExtPack-license.html
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ExtPack-license.html
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
ExtPack-license.rtf
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
ExtPack-license.rtf
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
darwin.amd64/VBoxHostWebcam.dylib
Resource
macos-20220504-en
Behavioral task
behavioral6
Sample
darwin.amd64/VBoxNvmeR0.r0
Resource
macos-20220504-en
Behavioral task
behavioral7
Sample
darwin.amd64/VBoxNvmeR3.dylib
Resource
macos-20220504-en
Behavioral task
behavioral8
Sample
darwin.amd64/VBoxPuelCrypto.dylib
Resource
macos-20220504-en
Behavioral task
behavioral9
Sample
darwin.amd64/VBoxPuelMain.dylib
Resource
macos-20220504-en
Behavioral task
behavioral10
Sample
darwin.amd64/VBoxPuelMainVM.dylib
Resource
macos-20220504-en
Behavioral task
behavioral11
Sample
darwin.amd64/VBoxUsbCardReaderR3.dylib
Resource
macos-20220504-en
Behavioral task
behavioral12
Sample
darwin.amd64/VBoxUsbWebcamR3.dylib
Resource
macos-20220504-en
Behavioral task
behavioral13
Sample
darwin.amd64/VBoxVRDP.dylib
Resource
macos-20220504-en
Behavioral task
behavioral14
Sample
darwin.amd64/VDPluginCrypt.dylib
Resource
macos-20220504-en
Behavioral task
behavioral15
Sample
darwin.arm64/VBoxNvmeR3.dylib
Resource
macos-20220504-en
Behavioral task
behavioral16
Sample
darwin.arm64/VBoxPuelCrypto.dylib
Resource
macos-20220504-en
Behavioral task
behavioral17
Sample
darwin.arm64/VBoxPuelMain.dylib
Resource
macos-20220504-en
Behavioral task
behavioral18
Sample
darwin.arm64/VBoxPuelMainVM.dylib
Resource
macos-20220504-en
Behavioral task
behavioral19
Sample
darwin.arm64/VBoxUsbCardReaderR3.dylib
Resource
macos-20220504-en
Behavioral task
behavioral20
Sample
darwin.arm64/VBoxUsbWebcamR3.dylib
Resource
macos-20220504-en
Behavioral task
behavioral21
Sample
darwin.arm64/VBoxVRDP.dylib
Resource
macos-20220504-en
Behavioral task
behavioral22
Sample
darwin.arm64/VDPluginCrypt.dylib
Resource
macos-20220504-en
Behavioral task
behavioral23
Sample
linux.amd64/VBoxHostWebcam.so
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral24
Sample
linux.amd64/VBoxNvmeR0.r0
Resource
ubuntu1804-amd64-20221125-en
Behavioral task
behavioral25
Sample
linux.amd64/VBoxNvmeR3.so
Resource
ubuntu1804-amd64-20221111-en
Behavioral task
behavioral26
Sample
linux.amd64/VBoxPuelCrypto.so
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral27
Sample
linux.amd64/VBoxPuelMain.so
Resource
ubuntu1804-amd64-20221111-en
Behavioral task
behavioral28
Sample
linux.amd64/VBoxPuelMainVM.so
Resource
ubuntu1804-amd64-20221125-en
Behavioral task
behavioral29
Sample
linux.amd64/VBoxUsbCardReaderR3.so
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral30
Sample
linux.amd64/VBoxUsbWebcamR3.so
Resource
ubuntu1804-amd64-20221125-en
Behavioral task
behavioral31
Sample
linux.amd64/VBoxVRDP.so
Resource
ubuntu1804-amd64-20221111-en
Behavioral task
behavioral32
Sample
linux.amd64/VDPluginCrypt.so
Resource
ubuntu1804-amd64-en-20211208
General
- Target: ExtPack-license.rtf
- Size: 19KB
- MD5: 1af9462955585fc3eb3af21c08da6b6a
- SHA1: 5b1fb945ef7021bb192b1a508f60aabd525ea1a7
- SHA256: 017549f1245343e96ddddfe1b8c37efea090cef9733bc276335c13b1a71e1c13
- SHA512: ee6f95ce4abc6058ec3504db5349aa45e2dd9ff130d4d75a2493344723a344186e22c83c2f2249856964a629cbe8cc3896d11b94b92157a6caaba8158bedbabb
- SSDEEP: 192:wJrjv1Mf4g/y4pKnhDJIT0TyPH7cDcpr5wcgd3+EoXG6xoB0yDGpRpP7irYY:whAJ/1pKkITspr5qOoDDGBGp
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 5072, WINWORD.EXE (listed 2 times)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeManageVolumePrivilege, PID 3056, svchost.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 5072, WINWORD.EXE (listed 8 times)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 5072)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ExtPack-license.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\rundll32.exe (PID 2784)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe (PID 3056)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 16KB
- MD5: fd598abff4f90d5768a2c3cd4b454e59
- SHA1: f840de286ae351e38d5bb03817239518bbcce840
- SHA256: 5843591794c1708f5d696ebdc9585c9a818866146dd2e6c901fb931657b592ab
- SHA512: 3c5d9f8f5cb7bd53edc5be1cb67c79488cef5d0c24829088f72e9ff13e30ffb4bec408cb2a19076b3fd98035e0306536164bf71d3c5cef2fb4ff39853318f686