Analysis
- max time kernel: 124s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/01/2024, 00:17
Static task: static1
Behavioral task: behavioral1
- Sample: MyPigPrincess.exe
- Resource: win10-20231215-en
Behavioral task: behavioral2
- Sample: MyPigPrincess.exe
- Resource: win10v2004-20231215-en
General
- Target: MyPigPrincess.exe
- Size: 269KB
- MD5: 0abede34f4b18049c4dc7bddb9bb0080
- SHA1: d6bfb7ea85482b345499cefd4e41cd7ce604637c
- SHA256: 1648038fd245e6039979f6488029d56b06520d728a237af9ad471ee9d6189c3e
- SHA512: a4b172d1b3d9e8e5f3aabb5208066c30c03943b7bebfe3c759fc6c6592eca7273f9cec675bb603f6aeef5ff058a4ea4a34ef9ecd4485caeaeef9eb6d5d61cea3
- SSDEEP: 6144:AnAlOPl7hWKsmMrDZ6UhukTUG3EEXMsWtvV2j9OAq8ecUxILImQG8j:YrlNWKsmMrDZ6UhukTUG3EEXMsWtvV2s
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid / Process:
  - 4696 WINWORD.EXE
  - 4696 WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process:
  - Token: SeManageVolumePrivilege, 3748 svchost.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid / Process:
  - 4696 WINWORD.EXE (7 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\MyPigPrincess.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MyPigPrincess.exe"
  PID: 1876
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  PID: 3748
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4696
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 412
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 202B
  MD5: dd0c1d22223d8d0e4e271a25a6576eb5
  SHA1: 24db1209d718bd8eb443da6eec2ee28d39aaecd8
  SHA256: c5b636a315f8af0aac9068a2517dbb1fe136a77b9baefd12af102e65b28a13e2
  SHA512: fe7568b22218c10b268c115f2209ffa8282777e354a9ce0980857879c0364f005fb6af69627e95286a8229191d34e97479498986c657c6d4a394e54731653195