Analysis
  max time kernel:   52s
  max time network:  51s
  platform:          windows11-21h2_x64
  resource:          win11-20241007-en
  resource tags:     arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         24/10/2024, 21:50
Behavioral task behavioral1
  Sample:   73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
  Resource: win11-20241007-en
Behavioral task behavioral2
  Sample:   out.exe
  Resource: win11-20241007-en
General
  Target:  out.exe
  Size:    39KB
  MD5:     85e4511f910b63059ba130326282b036
  SHA1:    91fe06c4f738d975796678ae2b5b8a60bb886911
  SHA256:  5faf8ce493c19021311b3a35ae908d69ddbe4e0d500f672110e45e641a5df816
  SHA512:  147546086ebb8ad986554fd289d127aa6e07a690d4ac69cbe1b5da4893b24fdfdf2f4c0422f36903b6ac77e7722eb1c61e21bda5b8f56027a12a6a1d4abe8b0a
  SSDEEP:  768:Mq9m/ZsybSg2ts4L3RLc/qjhsKmMJ0UtH:Mqk/Zdic/qjh8MJDH
Malware Config
Signatures

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  5552  5160        WerFault.exe  79

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  out.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  4052  WINWORD.EXE
  4052  WINWORD.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  4052  WINWORD.EXE  (6 occurrences)
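The three registry-based signatures above are simple path matches, and the table that matters most when reading them is the Process column: in this run the NLS\Language access is the only one attributed to the sample (out.exe, PID 5160), while the CentralProcessor and BIOS reads come from WINWORD.EXE (PID 4052). The following is an added example, not code from the tria.ge report or the Hatching project, that re-implements those three signatures as regex matchers over registry-access events and then attributes the hits per process, so the sample's own behaviour can be separated from that of other processes in the tree. The event records are constructed here to mirror the report's IoC lines (plus one non-matching access for contrast); the field names process, pid, op and key are this example's own assumption, not a Triage export format.

```python
"""
Added example: re-implement the report's registry signatures as a small
matcher and attribute hits per process. Not part of the tria.ge report.
"""
import re
from collections import defaultdict

# Signature name -> list of regexes over the full registry path.
# Matching is case-insensitive because the report mixes
# "Hardware\Description" and "HARDWARE\DESCRIPTION" for the same hive.
SIGNATURES = {
    "System Location Discovery: System Language Discovery": [
        r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Control\\NLS\\Language$",
    ],
    "Checks processor information in registry": [
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\.*)?$",
    ],
    "Enumerates system info in registry": [
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\.*)?$",
    ],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in SIGNATURES.items()}


def match_event(event):
    """Return the list of signature names a single registry event triggers.

    event is a dict with keys process, pid, op ("Key opened" /
    "Key value queried") and key (full \\REGISTRY\\... path).
    """
    return [name for name, pats in COMPILED.items()
            if any(p.match(event["key"]) for p in pats)]


def attribute(events):
    """Group hits as (signature, process, pid) -> list of 'op key' IoC strings."""
    table = defaultdict(list)
    for ev in events:
        for name in match_event(ev):
            table[(name, ev["process"], ev["pid"])].append(f'{ev["op"]} {ev["key"]}')
    return dict(table)


def sample_only(table, sample_pids):
    """Signatures attributable to the submitted sample's own process tree."""
    return {sig for (sig, _proc, pid) in table if pid in sample_pids}


# Constructed events mirroring the report's IoC lines (PIDs from the process tree).
EVENTS = [
    {"process": "out.exe", "pid": 5160, "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"process": "WINWORD.EXE", "pid": 4052, "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"},
    {"process": "WINWORD.EXE", "pid": 4052, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"process": "WINWORD.EXE", "pid": 4052, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"process": "WINWORD.EXE", "pid": 4052, "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"},
    {"process": "WINWORD.EXE", "pid": 4052, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"},
    {"process": "WINWORD.EXE", "pid": 4052, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    # Constructed non-matching access, to show the matcher is path-specific.
    {"process": "out.exe", "pid": 5160, "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]

if __name__ == "__main__":
    hits = attribute(EVENTS)
    for (sig, proc, pid), iocs in hits.items():
        print(f"{sig} [{proc} pid {pid}]: {len(iocs)} IoC(s)")
    print("sample-attributed:", sorted(sample_only(hits, {5160})))
```

Run against the constructed events, sample_only() returns only the language-discovery signature for PID 5160, which is the same picture the report's Process column gives: the processor and BIOS enumeration belongs to WINWORD.EXE, and should not be read as evidence that out.exe performs sandbox checks.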
Processes

[1] C:\Users\Admin\AppData\Local\Temp\out.exe  (PID 5160)
    Command line: "C:\Users\Admin\AppData\Local\Temp\out.exe"
    Signatures:   System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 5552)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 236
        Signatures:   Program crash

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 5432)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5160 -ip 5160

[1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4052)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StopUnpublish.dotm"
    Signatures:   Checks processor information in registry
                  Enumerates system info in registry
                  Suspicious behavior: AddClipboardFormatListener
                  Suspicious use of SetWindowsHookEx