
Analysis

  • max time kernel: 142s
  • max time network: 159s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 01/07/2022, 07:07

General

  • Target: 3d68985e9c33958b324d57f35169b871a1c58491697057d6ed4c474a57a41c51.xls
  • Size: 283KB
  • MD5: d1500ecd912ea4816ce4ed184fb85b4d
  • SHA1: 315b127de2bde334324a30d608545b05bf35c7fb
  • SHA256: 3d68985e9c33958b324d57f35169b871a1c58491697057d6ed4c474a57a41c51
  • SHA512: 1e89e106ea8754d1c3f806823110526ad56341c0a383a4877e38f2af2ed0fab84f6c3d4a6947e0e38baff852cb7b5c82733b34f0da3d79a50f8e6a10f87efd77

Score: 10/10

Signatures

  • TA505
    Cybercrime group active since 2015, responsible for families like Dridex and Locky.
  • Loads dropped DLL (1 IoC)
  • Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (16 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2544)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3d68985e9c33958b324d57f35169b871a1c58491697057d6ed4c474a57a41c51.xls"
    Signatures: Loads dropped DLL; Checks processor information in registry; Enumerates system info in registry; NTFS ADS; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe (PID 4248, child of 2544)
      Command line: C:\Windows\splwow64.exe 12288
  • C:\Windows\system32\werfault.exe (PID 1148)
    Command line: werfault.exe /h /shared Global\52d7ca5274094544a9a85ba2d5b7a6db /t 2716 /p 2544

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\masterbox2.dll
    Filesize: 64KB
    MD5: 69834911d8b55b4c246c250b3a180969
    SHA1: de78318e6cd0daf33d66f83bec34e6caad10e317
    SHA256: 5ccfede2af0fd43d36d2d8f48787dc93d80dfb6e9655af367d406dc01994442e
    SHA512: 7ab55f30d09df2b2e3e3bd03bd9b84bfcaadfe2502f849d521be1f2ee227baf658094da662f07a6f3db7422043cd493a4e9826b5cdc2fd86410137b8e98abcd1

  Memory dumps (all from PID 2544):

  Dump                                                        Filesize
  memory/2544-131-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp    64KB
  memory/2544-132-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp    64KB
  memory/2544-133-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp    64KB
  memory/2544-134-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp    64KB
  memory/2544-135-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp    64KB
  memory/2544-136-0x00007FFF75DE0000-0x00007FFF75DF0000-memory.dmp    64KB
  memory/2544-137-0x00007FFF75DE0000-0x00007FFF75DF0000-memory.dmp    64KB
  memory/2544-138-0x000001FA4B980000-0x000001FA4B984000-memory.dmp    16KB
  memory/2544-141-0x000001FA415B0000-0x000001FA415B3000-memory.dmp    12KB
  memory/2544-142-0x000000005B900000-0x000000005B91C000-memory.dmp    112KB