Analysis
- max time kernel: 142s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01/07/2022, 07:07
Static task: static1
Behavioral task: behavioral1
- Sample: 3d68985e9c33958b324d57f35169b871a1c58491697057d6ed4c474a57a41c51.xls
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3d68985e9c33958b324d57f35169b871a1c58491697057d6ed4c474a57a41c51.xls
- Resource: win10v2004-20220414-en
General
- Target: 3d68985e9c33958b324d57f35169b871a1c58491697057d6ed4c474a57a41c51.xls
- Size: 283KB
- MD5: d1500ecd912ea4816ce4ed184fb85b4d
- SHA1: 315b127de2bde334324a30d608545b05bf35c7fb
- SHA256: 3d68985e9c33958b324d57f35169b871a1c58491697057d6ed4c474a57a41c51
- SHA512: 1e89e106ea8754d1c3f806823110526ad56341c0a383a4877e38f2af2ed0fab84f6c3d4a6947e0e38baff852cb7b5c82733b34f0da3d79a50f8e6a10f87efd77
Malware Config
Signatures
- TA505
  Cybercrime group active since 2015, responsible for families like Dridex and Locky.
- Loads dropped DLL (1 IoC)
  pid   Process
  2544  EXCEL.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                     Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
- NTFS ADS (1 IoC)
  description                   ioc                                                                                              Process
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\{C77B37FA-AD26-4D29-A1BE-28F47F27CEC1}\119D4556.png:Zone.Identifier  EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  2544  EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2544  EXCEL.EXE
  2544  EXCEL.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2544  EXCEL.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid   Process
  2544  EXCEL.EXE (listed 16 times)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                        pid   Process    procid_target
  PID 2544 wrote to memory of 4248   2544  EXCEL.EXE  83
  PID 2544 wrote to memory of 4248   2544  EXCEL.EXE  83
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2544)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3d68985e9c33958b324d57f35169b871a1c58491697057d6ed4c474a57a41c51.xls"
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\splwow64.exe (PID 4248)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\werfault.exe (PID 1148)
  Command line: werfault.exe /h /shared Global\52d7ca5274094544a9a85ba2d5b7a6db /t 2716 /p 2544
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 64KB
  MD5: 69834911d8b55b4c246c250b3a180969
  SHA1: de78318e6cd0daf33d66f83bec34e6caad10e317
  SHA256: 5ccfede2af0fd43d36d2d8f48787dc93d80dfb6e9655af367d406dc01994442e
  SHA512: 7ab55f30d09df2b2e3e3bd03bd9b84bfcaadfe2502f849d521be1f2ee227baf658094da662f07a6f3db7422043cd493a4e9826b5cdc2fd86410137b8e98abcd1