Analysis
max time kernel: 46s
max time network: 40s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 21:06
Behavioral task: behavioral1
Sample: 248666f8c95c0bf9ed9895b59d7f50af173103dc817f17c1f15857906235d7a5.doc
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 248666f8c95c0bf9ed9895b59d7f50af173103dc817f17c1f15857906235d7a5.doc
Resource: win10v2004-20240802-en
General
Target: 248666f8c95c0bf9ed9895b59d7f50af173103dc817f17c1f15857906235d7a5.doc
Size: 42KB
MD5: 111b578c044bbc3bb44acbd29f858dcc
SHA1: 04e858619319263b758b27a63365b76de3e9f190
SHA256: 248666f8c95c0bf9ed9895b59d7f50af173103dc817f17c1f15857906235d7a5
SHA512: 946e49228118ac0cfef1043c8f60f766c1f34090b79ea8a1fb643c010e3e4b54d04d7755ece9cf4ba91c7d56f4c9a262ff347066a958fdc66e86c0b518a318be
SSDEEP: 384:YE8iSwvxjk+t2hGtXrZz1F/7E5Ncz9V8RlpvQeGDWxxDEC9YrQh0:Yqxw+twMl1F/7E4z9V8RlpvQeGDWDFw
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid 5060 WINWORD.EXE
pid 5060 WINWORD.EXE
Suspicious use of SetWindowsHookEx (7 IoCs)
pid 5060 WINWORD.EXE
pid 5060 WINWORD.EXE
pid 5060 WINWORD.EXE
pid 5060 WINWORD.EXE
pid 5060 WINWORD.EXE
pid 5060 WINWORD.EXE
pid 5060 WINWORD.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\248666f8c95c0bf9ed9895b59d7f50af173103dc817f17c1f15857906235d7a5.doc" /o ""
PID: 5060
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1 (path not recorded in the report)
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
Dropped file 2 (path not recorded in the report)
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
Dropped file 3: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: 9491cef6ad0d19c96a17d6072b09e597
SHA1: b81f21c24bb9a586994f85d5d72109f67377365b
SHA256: f91022bf081d8c4f80ab05a74b7b5a2208d80f36cf80eef20e66b9c208028828
SHA512: d13e48ee05ec97e53e50a7e12c679cd311f0aae450631313266ee87ef7b7664678bccf0afc108528e05007cc7dd11ec95768e0ebbe11be38111b0086ea924fb2