Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
46s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02/12/2024, 21:49
Static task
static1
Behavioral task
behavioral1
Sample
9c440ce5374b11c0a21cc567d9f68c0594366e286675f23ef535542708bf5053.docm
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9c440ce5374b11c0a21cc567d9f68c0594366e286675f23ef535542708bf5053.docm
Resource
win10v2004-20241007-en
General
-
Target
9c440ce5374b11c0a21cc567d9f68c0594366e286675f23ef535542708bf5053.docm
-
Size
83KB
-
MD5
8b953a6aa2ac81a5d0a81d229efbab74
-
SHA1
b1d969d29ad7242d673daef8d7999358d8f4eca5
-
SHA256
9c440ce5374b11c0a21cc567d9f68c0594366e286675f23ef535542708bf5053
-
SHA512
03b14aadb90c84a4aa0363e00dbee55b40b8b5bf1efc54228a6db50dd668794951488ae8721e68f43bdb001b3e95dc4b41115bf51a3509907b91d4c0d7318e50
-
SSDEEP
1536:cn+WqQuctgd8mz1RSOWMrqYrF8CqY6kbBQIGg1e05rx/tssTmzgigOXClG:A+X8YFH3rqYRRqJkAulasacJOCU
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1772 radC803D.tmp.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language radC803D.tmp.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 8 WINWORD.EXE 8 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 8 WINWORD.EXE 8 WINWORD.EXE 8 WINWORD.EXE 8 WINWORD.EXE 8 WINWORD.EXE 8 WINWORD.EXE 8 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 8 wrote to memory of 1772 8 WINWORD.EXE 85 PID 8 wrote to memory of 1772 8 WINWORD.EXE 85 PID 8 wrote to memory of 1772 8 WINWORD.EXE 85
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9c440ce5374b11c0a21cc567d9f68c0594366e286675f23ef535542708bf5053.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Admin\AppData\Local\Temp\radC803D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\radC803D.tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1772
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
72KB
MD5b6eb8bfee4062a227191308af8bd4bf6
SHA1782435960c00ede2637f60bcf85a77ca4c728791
SHA2563e42d40db43cf43e200377e0778d9f715cf2bbc4414013b4bd020586fb5bb731
SHA512731461d7e853bd5b8b7a13986fe15d92ccf5d07b8b3a03d5c67f0fd03e90f2ada99741598385b0f06b8fc3f005d3026b5ecc647ad4dfce426eb08314cc37a3c3
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD56bebbe93566c2778ae11e29ea1512464
SHA1753b2c7128388f30a1af26a753604f7322c5f1c6
SHA256451287b859b8035fa992f7dbdfd240300ae53012b4887f315f6f584ab72b91b1
SHA51205c67a5e7f8a6f115bac1aa9b0c51b5b2620e7feddef610e6d52d50bf89b44badc1f648f5be4467f053b278efde968e3b0b23b31276252024660cf81695bbff3