Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/02/2024, 22:12
Static task
- static1

Behavioral task behavioral1
- Sample: Loader.exe
- Resource: win7-20240221-en

Behavioral task behavioral2
- Sample: Loader.exe
- Resource: win10v2004-20240221-en

Behavioral task behavioral3
- Sample: SOTFOV.dll
- Resource: win7-20240220-en

Behavioral task behavioral4
- Sample: SOTFOV.dll
- Resource: win10v2004-20240221-en
General
- Target: Loader.exe
- Size: 42KB
- MD5: 6ba02ef0dc7a955e7a3bba8459151809
- SHA1: 67ac7f8a1e0dd1a176468c3adab87e605a328ddb
- SHA256: 7e67c9b1e4bbe8d7ece19b0e4a7a626ad95b21903ee8682027444f12b6cd2067
- SHA512: 9935e203875d4c9fee32a0a631bb07bde39ac8e3814efe82c10c755b8461fcf67d98fb6094729ec1857afb81946f9e6d8f0817347a398dad2414caa549e88cec
- SSDEEP: 768:Kv5Xy+Vn+/hEHb1/zE5/Jb6v6p8HBEbtETHvUkM:Gy+R+eHypCmbqr8F
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  4588 | WINWORD.EXE (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3040 | Loader.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  4588 | WINWORD.EXE (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  PID: 3040
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
  PID: 4588
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 202B
  MD5: 4566d1d70073cd75fe35acb78ff9d082
  SHA1: f602ecc057a3c19aa07671b34b4fdd662aa033cc
  SHA256: fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0
  SHA512: b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8