Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2023, 22:58
Static task
static1
Behavioral task
behavioral1
Sample
0651024634a991ed5d6b50753cdea5ce.pps
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0651024634a991ed5d6b50753cdea5ce.pps
Resource
win10v2004-20231215-en
General
-
Target
0651024634a991ed5d6b50753cdea5ce.pps
-
Size
201KB
-
MD5
0651024634a991ed5d6b50753cdea5ce
-
SHA1
344315f5b0a5fcc2a930dd89ff9115a20f7f3360
-
SHA256
63eaf8c898eb1ad63510f2b25e2ef4f7e748f5faae5a164fd5112efaa7b50a0d
-
SHA512
1616ac7f21cab3d541b5ade46156249ad2a962930a11c5860ba869ceb469671188deb50274bb036846d1fd254296278d94c808d88ec484d1e7d15b2ecfc96e96
-
SSDEEP
6144:KiN4cam97+bnI6je37x/2xMH2DKTYZ2mMVpzM/lkp:KHcT8Ip37x/2xMH2DKTYZ2mMVpz2kp
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process 3512 1380 Wordconv.exe 51 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString POWERPNT.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz POWERPNT.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU POWERPNT.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily POWERPNT.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1380 POWERPNT.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1380 POWERPNT.EXE 1380 POWERPNT.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1380 wrote to memory of 3512 1380 POWERPNT.EXE 108 PID 1380 wrote to memory of 3512 1380 POWERPNT.EXE 108
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\0651024634a991ed5d6b50753cdea5ce.pps" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Program Files\Microsoft Office\Root\Office16\Wordconv.exe"C:\Program Files\Microsoft Office\Root\Office16\Wordconv.exe" -Embedding2⤵
- Process spawned unexpected child process
PID:3512
-
-
C:\Program Files\Microsoft Office\Root\Office16\Wordconv.exe"C:\Program Files\Microsoft Office\Root\Office16\Wordconv.exe" -Embedding1⤵PID:4888