Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/04/2024, 10:35
Static task
- static1
Behavioral task
- behavioral1
  Sample: PowerPoint_Soft_new.exe
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: PowerPoint_Soft_new.exe
  Resource: win10v2004-20240412-en
General
- Target: PowerPoint_Soft_new.exe
- Size: 65.6MB
- MD5: afcc5f484ef62ed4e16950e5befcdc3a
- SHA1: d04b96ae17157e621b1835c946238ca63a6458a2
- SHA256: 9c13c1623344db34cf9e30c98e572a76eaa5772419c0558f5219c7551054b820
- SHA512: a57c83ab8fa2257b7eddbf6a275ed466c3945547402f535428b0dcadc217e4022ac652fec3f8c821cc6e5aac8440e9d5db5c6e6c336585b33885ff8d1cd49486
- SSDEEP: 1572864:syOTlnb3zkYUWPHMjEBzQZ6RM1IpLRjzxAGqgZtDhDMGd:aUYUWPacz6wRj9eoSGd
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 64, Process: PowerPoint_Soft_new.tmp
- Loads dropped DLL (1 IoC)
  pid 64, Process: PowerPoint_Soft_new.tmp
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process: POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: POWERPNT.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process: POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process: POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process: POWERPNT.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 3464, Process: POWERPNT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3464, Process: POWERPNT.EXE
  pid 3464, Process: POWERPNT.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3992 wrote to memory of 64 (Process: PowerPoint_Soft_new.exe, procid_target: 88)
  PID 3992 wrote to memory of 64 (Process: PowerPoint_Soft_new.exe, procid_target: 88)
  PID 3992 wrote to memory of 64 (Process: PowerPoint_Soft_new.exe, procid_target: 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\PowerPoint_Soft_new.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PowerPoint_Soft_new.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3992
  - C:\Users\Admin\AppData\Local\Temp\is-QIR80.tmp\PowerPoint_Soft_new.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-QIR80.tmp\PowerPoint_Soft_new.tmp" /SL5="$A0182,67751279,943104,C:\Users\Admin\AppData\Local\Temp\PowerPoint_Soft_new.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 64
- C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3464
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  MD5: 5c993694eae2d266b710c50c7217ba25
  SHA1: 18b3a239975558fb64553838f5f1a47194a3b22f
  SHA256: 676aed8190bfdf46ee811987f59c983cc15de72a2bb5e75c1b61604d0957487d
  SHA512: 0a14e0c7c83da28fc0195d36398a7e55074f2e1966aed652d6ac7d7324d1d394888f023dc179e69fe526f58f01eecf02eae57b472e03eee5a520f417012bc9bf
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63