Analysis
max time kernel: 23s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 21:11
Behavioral task: behavioral1
Sample: e262ee5c5a089def566ce7bd95f71b348cc869f03f12b2603fc3ae58bf94db0e.doc
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: e262ee5c5a089def566ce7bd95f71b348cc869f03f12b2603fc3ae58bf94db0e.doc
Resource: win10v2004-20240709-en
General
Target: e262ee5c5a089def566ce7bd95f71b348cc869f03f12b2603fc3ae58bf94db0e.doc
Size: 94KB
MD5: 8b8eda0810e8bf861cf8895b7e6d6ded
SHA1: 4f830533bb40377aab8b466dac15f57dda00ac44
SHA256: e262ee5c5a089def566ce7bd95f71b348cc869f03f12b2603fc3ae58bf94db0e
SHA512: 1d40ab1a74db064d747f3ee75d2af0ebf098e8afcba12d33a30d04a71a83fdebc2128ef1ae24a8774e546ac8786580cd60d3efe956044abc576df613b52c6f58
SSDEEP: 1536:fVSnDol3/UYVLmUoy0AFxwDQ3cB+IfQ5jYq:fVSnDol3/UYVLmUo6oBvfujYq
Malware Config
Signatures
Drops file in Windows directory 1 IoCs
description: File opened for modification
ioc: C:\Windows\Debug\WIA\wiatrace.log
Process: WINWORD.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid: 1652, Process: WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs
pid: 1652, Process: WINWORD.EXE
pid: 1652, Process: WINWORD.EXE
pid: 1652, Process: WINWORD.EXE
Suspicious use of WriteProcessMemory 4 IoCs
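description: PID 1652 wrote to memory of 2920, pid: 1652, Process: WINWORD.EXE, procid_target: 32
description: PID 1652 wrote to memory of 2920, pid: 1652, Process: WINWORD.EXE, procid_target: 32
description: PID 1652 wrote to memory of 2920, pid: 1652, Process: WINWORD.EXE, procid_target: 32
description: PID 1652 wrote to memory of 2920, pid: 1652, Process: WINWORD.EXE, procid_target: 32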
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e262ee5c5a089def566ce7bd95f71b348cc869f03f12b2603fc3ae58bf94db0e.doc"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
    C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    PID:2920