Analysis
max time kernel: 25s
max time network: 132s
platform: windows10_x64
resource: win10v200430
submitted: 14/07/2020, 14:41
Static task: static1

Behavioral task: behavioral1
Sample: Goldy_Rosene.xls
Resource: win7
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Goldy_Rosene.xls
Resource: win10v200430
0 signatures
0 seconds
General
Target: Goldy_Rosene.xls
Size: 524KB
MD5: 8734774af3e2c5920e7a12ac8f5aac9e
SHA1: 10229a863500a9a5b34ce917bf34a334baac677c
SHA256: de032555e5d7aceffb24e42e90b928e6e36deab19d5d8096644ab51bcb31755c
SHA512: 1587b73dd32b25640008dbcb06ffd7dac491154502ef8e35ec987f36b754f04017251ad48c053fb6dceab7ee2ee72d059de006b9f9b34d3d2f900a71b6769fc3
Score: 8/10
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                   Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                            Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
pid  Process
664  EXCEL.EXE  (12 identical entries, all from PID 664)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid  Process
664  EXCEL.EXE
Suspicious use of WriteProcessMemory (3 IoCs)
description                      pid  Process    procid_target
PID 664 wrote to memory of 3840  664  EXCEL.EXE  72
PID 664 wrote to memory of 3840  664  EXCEL.EXE  72
PID 664 wrote to memory of 3840  664  EXCEL.EXE  72
Executes dropped EXE (1 IoC)
pid   Process
3840  jeTneVi.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Goldy_Rosene.xls"
   PID: 664
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of WriteProcessMemory
   2. C:\scbPBcy\LZHYKOo\jeTneVi.exe
      Command line: "C:\scbPBcy\LZHYKOo\jeTneVi.exe"
      PID: 3840
      - Executes dropped EXE