Analysis
max time kernel: 27s
max time network: 133s
platform: windows10_x64
resource: win10v200430
submitted: 14/07/2020, 14:32

Static task: static1

Behavioral task: behavioral1
Sample: 14e5fd44d43f96426d7499e41626560e.xls
Resource: win7
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 14e5fd44d43f96426d7499e41626560e.xls
Resource: win10v200430
0 signatures, 0 seconds
General
Target: 14e5fd44d43f96426d7499e41626560e.xls
Size: 515KB
MD5: 14e5fd44d43f96426d7499e41626560e
SHA1: 53c22aeecd280d71ff69d91ddaf967c36e449db9
SHA256: df28f2ba0fd1e2a5acee743c36a04155abfb0229c743b180cb39403ded922772
SHA512: 41a060ecba5406e0dcef629c444016462f1f5d21e44fee462ef6c81ce014f34396293da6584863c6f801dd5f9e8db5420b96af0c3728cd0055905ddcc47f16c1
Score: 8/10
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
3136 | EXCEL.EXE (12 identical entries)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3136 | EXCEL.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3136 wrote to memory of 2124 | 3136 | EXCEL.EXE | 69 (3 identical entries)

Executes dropped EXE (1 IoC)
pid | Process
2124 | jeTneVi.exe
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14e5fd44d43f96426d7499e41626560e.xls"
   PID: 3136
   - Enumerates system info in registry
   - Checks processor information in registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of WriteProcessMemory

   2. C:\scbPBcy\LZHYKOo\jeTneVi.exe (child of PID 3136)
      Command line: "C:\scbPBcy\LZHYKOo\jeTneVi.exe"
      PID: 2124
      - Executes dropped EXE