Analysis
- max time kernel: 111s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25/06/2022, 09:58
Static task: static1
Behavioral task: behavioral1
- Sample: aae401230eba00929f36e9acf101afee527e8830b05fec0aa13834adbc9ef77e.xls
- Resource: win7-20220414-en
General
- Target: aae401230eba00929f36e9acf101afee527e8830b05fec0aa13834adbc9ef77e.xls
- Size: 704KB
- MD5: 787e54350192a8623a1da604e095bd1b
- SHA1: 2a79af33c4f00721a63ff3d8a34ddc2d5d17d06d
- SHA256: aae401230eba00929f36e9acf101afee527e8830b05fec0aa13834adbc9ef77e
- SHA512: 8082f42e1c76f91706b5158b435ab35103e562b9b3a9c33df481453510000ddc5737fbdf7102da540f2cb3da3e0adea7c1d5881813edd8589709220f421eac0c
Malware Config
Extracted
Signatures
- TA505
  Cybercrime group active since 2015, responsible for families like Dridex and Locky.
- resource / yara_rule
  - behavioral2/files/0x0006000000022f12-142.dat / upx
  - behavioral2/memory/1452-143-0x0000000059220000-0x00000000592B9000-memory.dmp / upx
- Loads dropped DLL (1 IoC)
  - pid 1452, Process EXCEL.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- NTFS ADS (1 IoC)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\{8DEE358F-95D7-48BB-836B-3234A8A8B386}\507925A3.tmp:Zone.Identifier (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  - pid 1452, Process EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - pid 1452, Process EXCEL.EXE (2 occurrences)
- Suspicious use of FindShellTrayWindow (1 IoC)
  - pid 1452, Process EXCEL.EXE
- Suspicious use of SetWindowsHookEx (27 IoCs)
  - pid 1452, Process EXCEL.EXE (27 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  - PID 1452 wrote to memory of 724: pid 1452, Process EXCEL.EXE, procid_target 88 (2 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1452)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\aae401230eba00929f36e9acf101afee527e8830b05fec0aa13834adbc9ef77e.xls"
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 724, child of PID 1452)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 298KB
  - MD5: 7981bcf1211b696fd0510ee807660772
  - SHA1: a182536ac1476a19b8b2ac3b33ff2d96c887114a
  - SHA256: 9dff540081d64c60c0b8299a55aeace8dbe788ac839fa5381960373a0c3e8a95
  - SHA512: 19b5b8eace50c76dfd4edc98acb7e39b4aee4e5fe97046150be3ede4f696dc4c40f06a49b100c7c45edf7c1e5b0c3270245b1c0cf2ae63b997794c0d5b88b250