Analysis
- max time kernel: 101s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/02/2024, 05:08
Behavioral tasks
- behavioral1: sample 96531aa92fea384f3764c32979dd04ac.doc, resource win7-20231215-en
- behavioral2: sample 96531aa92fea384f3764c32979dd04ac.doc, resource win10v2004-20231222-en
General
- Target: 96531aa92fea384f3764c32979dd04ac.doc
- Size: 41KB
- MD5: 96531aa92fea384f3764c32979dd04ac
- SHA1: b74714618cbcbd5832d5924c76a3743c57ac57f9
- SHA256: f839a54f9b34610b91a1228de033fee3b510bcb35684c692acdfb8f9399a9b53
- SHA512: 478357c39bd29d802b3fa0e15c0d0c3fce0f5d04aee6d3147cd97380c18666d5c4187b8335a473d4a2cbd86499b62df260314179a06bc7dd816c1210d81fe8d6
- SSDEEP: 384:lcxbjuWOm2EuCqzRsvGuX2yD2DLns56FVNeE5O/SBVHXaaw0xAtFGBH:lcxbjHOmz4zR42vsQRcK2f0xK4H
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4844, process WINWORD.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                                    WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily                       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                          WINWORD.EXE
- NTFS ADS (1 IoC)
  description   ioc                                                                          process
  File created  C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA       WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 4844, process WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid 4844, process WINWORD.EXE (13 occurrences)
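The "Checks processor information in registry" and "Enumerates system info in registry" signatures above fire on reads of a handful of well-known HARDWARE\DESCRIPTION keys, and "NTFS ADS" fires on a Zone.Identifier stream being written. The script below re-derives those three signatures from an event log, so the logic behind the IoC counts is explicit. It is an added example, not tria.ge code: the pipe-delimited "pid|process|operation|path" log format is an assumption of this example, and the event lines are constructed from the IoCs listed in the report (plus one unrelated registry read for contrast), not a real capture.

```python
"""Re-derive the registry-fingerprinting and NTFS ADS signatures over an event log.
Added example; not code from tria.ge. The log format below is assumed, not a real one."""
import re
from collections import defaultdict

# Constructed event log modelled on the IoCs in the report above (pid 4844 WINWORD.EXE),
# plus one unrelated registry read from a different process. Not a real capture.
SAMPLE_EVENTS = r"""
4844|WINWORD.EXE|RegQueryValue|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
4844|WINWORD.EXE|RegQueryValue|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
4844|WINWORD.EXE|RegOpenKey|\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
4844|WINWORD.EXE|RegOpenKey|\REGISTRY\MACHINE\Hardware\Description\System\BIOS
4844|WINWORD.EXE|RegQueryValue|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
4844|WINWORD.EXE|RegQueryValue|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
4844|WINWORD.EXE|FileCreate|C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp:Zone.Identifier:$DATA
1234|explorer.exe|RegQueryValue|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""

# Registry subtrees queried to fingerprint the host (CPU name/clock, BIOS family/SKU).
# Compared case-insensitively because the report itself mixes HARDWARE and Hardware.
CPU_SUBTREE = r"\hardware\description\system\centralprocessor\0"
BIOS_SUBTREE = r"\hardware\description\system\bios"
# An alternate data stream named Zone.Identifier, with or without the explicit :$DATA type.
ADS_RE = re.compile(r":zone\.identifier(?::\$data)?$", re.IGNORECASE)

# Signature names as the report prints them.
SIGNATURE_NAMES = {
    "cpu": "Checks processor information in registry",
    "bios": "Enumerates system info in registry",
    "ads": "NTFS ADS",
}


def parse_events(text):
    """Yield one dict per non-empty 'pid|process|operation|path' line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, proc, op, path = line.split("|", 3)
        yield {"pid": int(pid), "process": proc, "op": op, "path": path}


def classify_registry_path(path):
    """Return 'cpu', 'bios' or None for a registry key/value path."""
    lowered = path.lower()
    if CPU_SUBTREE in lowered:
        return "cpu"
    if BIOS_SUBTREE in lowered:
        return "bios"
    return None


def classify_event(ev):
    """Map one event to a signature category, or None if it matches nothing."""
    if ev["op"].startswith("Reg"):
        return classify_registry_path(ev["path"])
    if ev["op"] == "FileCreate" and ADS_RE.search(ev["path"]):
        return "ads"
    return None


def run_signatures(text):
    """Return {pid: {"process": name, "hits": {signature_name: ioc_count}}}.
    Each matching event counts as one IoC, which is how the report's counts add up."""
    results = {}
    for ev in parse_events(text):
        category = classify_event(ev)
        if category is None:
            continue
        entry = results.setdefault(ev["pid"], {"process": ev["process"], "hits": defaultdict(int)})
        entry["hits"][SIGNATURE_NAMES[category]] += 1
    return results


if __name__ == "__main__":
    for pid, entry in sorted(run_signatures(SAMPLE_EVENTS).items()):
        for name, count in sorted(entry["hits"].items()):
            print(f"{name} ({count} IoCs): pid {pid} {entry['process']}")
```

Run on the constructed log this reproduces the report's counts (3, 3 and 1 IoCs for pid 4844) and nothing for explorer.exe. Treat these hits as weak on their own: Office reads the CPU and BIOS keys during normal start-up, and a Zone.Identifier stream on a ~WRD*.tmp file is Word propagating Mark-of-the-Web to its working copy of a downloaded document. Corroborate with a child process spawned by WINWORD.EXE or with network activity; this report lists neither.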
Processes
- WINWORD.EXE (PID 4844)
  Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\96531aa92fea384f3764c32979dd04ac.doc" /o ""
  Signatures: Deletes itself; Checks processor information in registry; Enumerates system info in registry; NTFS ADS; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 5a9583a46298dab96c11d14020f68454
  SHA1: 3708a58a12b637e2236f48a4bd170670ad120fa6
  SHA256: 66573ff2d4a95363bae5ea05cdd51859275fb842c81a281e2844799113c18bc9
  SHA512: 562e3896f208e159482dad3dfa1b5da58e6b0498ab7e2f91e5d2febe560ac8074798c05f323a8b550affbd0e700fbb41d95724ec6899c08257ccdf4da487118a
- Filesize: 46KB
  MD5: 386bf9949f0e6f61baef1045bb15b5b9
  SHA1: 9803d4883af87d3034deca2fc9f73b247412d28e
  SHA256: ffbd3d3bfb5b6454284783f155d235aa5e96113e73704f85da33dcfeba22f9ef
  SHA512: ee3299247358602e6a87e3432ca8a7f6e1ea08a0c9d5cea25721bb4d6196d3924430c369ec62b892d21ab9ba6a69a0d8e75c15e1eacc333bfb29d478e5840ac9
- Filesize: 31KB
  MD5: afa34f02ffba2cc3cad57004ed7c9040
  SHA1: f8ac81657b3223a93ff8f3f0acec63170fae0dcf
  SHA256: 1043be6db31776ada58de6d14a27cfc79b980f30af1e801b3ea252e12862907a
  SHA512: 2fe8335f5972189689360fd11b9f371cbf8f090324a8db13549a377d445ccc48dce4c7b96b615e3f6d9b368885457cc0aa60854d3e4a0441030c757f531c4cc2