Analysis
max time kernel: 154s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2023, 15:41
Tasks
static1 (static task)
behavioral1: Sample i9220 ROOT/files/AdbWinApi.dll, Resource win7-20231129-en
behavioral2: Sample i9220 ROOT/files/AdbWinApi.dll, Resource win10v2004-20231215-en
behavioral3: Sample i9220 ROOT/files/AdbWinUsbApi.dll, Resource win7-20231215-en
behavioral4: Sample i9220 ROOT/files/AdbWinUsbApi.dll, Resource win10v2004-20231215-en
behavioral5: Sample i9220 ROOT/files/Superuser.apk
behavioral6: Sample i9220 ROOT/files/Superuser.apk, Resource android-x64-20231215-en
behavioral7: Sample i9220 ROOT/files/Superuser.apk, Resource android-x64-arm64-20231215-en
behavioral8: Sample i9220 ROOT/files/adb.exe, Resource win7-20231215-en
behavioral9: Sample i9220 ROOT/files/adb.exe, Resource win10v2004-20231222-en
behavioral10: Sample i9220 ROOT/files/busybox, Resource debian9-armhf-20231215-en
behavioral11: Sample i9220 ROOT/files/su, Resource debian9-armhf-20231215-en
behavioral12: Sample i9220 ROOT/files/zergRush, Resource debian9-armhf-20231215-en
behavioral13: Sample i9220 ROOT/runme.bat, Resource win7-20231215-en
behavioral14: Sample i9220 ROOT/runme.bat, Resource win10v2004-20231215-en
behavioral15: Sample i9220 ROOT/~$220真正完美root.doc, Resource win7-20231215-en
behavioral16: Sample i9220 ROOT/~$220真正完美root.doc, Resource win10v2004-20231215-en
General
Target: i9220 ROOT/~$220真正完美root.doc
Size: 162B
MD5: 8c1aab7a733ae8afa22f38fda6e23e16
SHA1: 7dc19a89a05ad7b191c21c6df38264667397d649
SHA256: 997dc32a52bbf6b168751d82298a299bba0a8a1dbd18a11aaded8da981e07d2a
SHA512: 82d827b60b728cc745f0f08fe813c677114a1e93100417c2f159fae9b27a266e62af123b87a6d1f15d256c0195238c80cdb2d796b889c4715020fe188cf0f4e5
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 4468, WINWORD.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (21 IoCs)
  PID 4468, WINWORD.EXE (21 occurrences)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID: 4468)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\i9220 ROOT\~$220真正完美root.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx