Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/12/2024, 21:01
Behavioral task
behavioral1
Sample
890f282de6fdbce7ec9078cbc6f18558564349d6c1d6b11adce754c2f395d319.doc
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
890f282de6fdbce7ec9078cbc6f18558564349d6c1d6b11adce754c2f395d319.doc
Resource
win10v2004-20241007-en
General
-
Target
890f282de6fdbce7ec9078cbc6f18558564349d6c1d6b11adce754c2f395d319.doc
-
Size
53KB
-
MD5
ca6930bbce3afe5de592e8dd91ec6a12
-
SHA1
e36b725d9689b9bc73a25241c5a1e5dc3b51e26d
-
SHA256
890f282de6fdbce7ec9078cbc6f18558564349d6c1d6b11adce754c2f395d319
-
SHA512
fc69dbf2d3307ed35bfca2dec0c0f3034ab7a0a80d0d259fb5d421eedb131788654b8ead4ec1adacb2c8190206f2691b4b734f6d3d9caaf600f1002478ede3ea
-
SSDEEP
384:cvTB5ZNaJ35ZxzGtzbPK+0w5C2iSwvxjk+tq+yNXNwOv5h50jbcctLC3FeFa:ybZkZxzGtzC1Zxw+tDY5P3FeFa
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/reverse_tcp
192.168.8.78:1234
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Executes dropped EXE 1 IoCs
pid Process 2836 zIBtHKBZBjzpuB.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zIBtHKBZBjzpuB.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 828 WINWORD.EXE 828 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 828 WINWORD.EXE 828 WINWORD.EXE 828 WINWORD.EXE 828 WINWORD.EXE 828 WINWORD.EXE 828 WINWORD.EXE 828 WINWORD.EXE 828 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 828 wrote to memory of 2836 828 WINWORD.EXE 86 PID 828 wrote to memory of 2836 828 WINWORD.EXE 86 PID 828 wrote to memory of 2836 828 WINWORD.EXE 86
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\890f282de6fdbce7ec9078cbc6f18558564349d6c1d6b11adce754c2f395d319.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Users\Admin\zIBtHKBZBjzpuB.exeC:\Users\Admin\zIBtHKBZBjzpuB.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD52239be1443d4707bbf686dad402d4ff0
SHA1e684f3c8d0b1dc80d3d020010a96071c2f404dab
SHA2561d335b24a8bbca067d97b851a4a0120908948bf764ca3465073867701eb9bbb0
SHA512442383293609d8a8ea02d99451ab429be620ed323a61d6b1d9abd98d558333fd9b57a0dca46316885f9de711849586a2aa4ef069673cc84de1d030da50507458
-
Filesize
4KB
MD5bc7923d48cc047e8bdb07f6157ff854b
SHA1d4647d573a36e8a3c586fcfee497938286bf80e8
SHA2560c839387785ece9584e8e65694b64686b5d615a68928712736ac3bb597ae50dd
SHA512cf153ef7c78ac71aced0fc16e00973466cd1d47cdf8a9541bfe0b9171080206a8754c2014c116a70e7c478b3dafe06e272f1a6a46d3897cc6796a34a05d4e398