Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 133s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/01/2025, 14:27
Static task: static1
Behavioral task: behavioral1
  Sample: Payment Error.rtf
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Payment Error.rtf
  Resource: win10v2004-20241007-en
General
- Target: Payment Error.rtf
- Size: 617KB
- MD5: 8b38fd5f962b524af2dbfdcd6e21d9b6
- SHA1: aec9993e2216c9478eae142c6b24d31e46882aa1
- SHA256: dd9e1fe309fae0cc8dee8d6909a404cd25c151fa817d2fc8a620608fa65c7a63
- SHA512: 43620a278a217dec4afc1057934e4dc5b6f675d8f0bbb404d84a894ee3bcd3083888c83457bea5fd70b7960d6ac8bb55ad6209aa3216819343ad8917be15589f
- SSDEEP: 6144:rwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAh:F
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 5048 WINWORD.EXE (2 IoCs)
- Suspicious use of SetWindowsHookEx (8 IoCs)
  PID 5048 WINWORD.EXE (8 IoCs)
Processes
- Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Error.rtf" /o ""
  PID: 5048
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 6e2b52bfb8fe0c97719987c163f8fa6f
  SHA1: 7b9381cd820ddd34c6537ead3093443d06ace745
  SHA256: 5e6be0921d1c82ec58a7aea9969f0d54ec2abc1b5fa143fea1f9ae8a4552c387
  SHA512: 54523c3a937a6c2c3b1e3ecd4476b8082c73d7c7b55e1f924fcb71da02c855a53795037a0e626c64d9fa5f13476d3e1b5ae4baa9ce896f3877c60a25d4dfa40b