Resubmissions
date                task ID             score
09/09/2022, 17:25   220909-vzhceagfh4   1
09/09/2022, 15:18   220909-spykjaccbr   10
09/09/2022, 15:08   220909-sh2zdaccaq   1
09/09/2022, 15:04   220909-sfpw2agde2   1
Analysis
max time kernel:   99s
max time network:  138s
platform:          windows10-2004_x64
resource:          win10v2004-20220812-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:         09/09/2022, 15:04
Static task: static1
Behavioral task: behavioral1
  Sample:   fastemailsystems.document.09.09.22.xlsm
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   fastemailsystems.document.09.09.22.xlsm
  Resource: win10v2004-20220812-en
General
Target:  fastemailsystems.document.09.09.22.xlsm
Size:    3.3MB
MD5:     c31319d66a1caab0aea47c65ab2b0897
SHA1:    b0b3711aac3683ca6bc8975f0686987a833cbc3c
SHA256:  3e8b5d4ac62a25e6c08b99954ee66559a8b758a4a05d5cd8a2a1151bbd80016a
SHA512:  5e418ffa4790be551e0f228ff6e0f23fcd2b0861d26e61299168aefa70fe9598563d1c1222ff85362fdaffd81efb576b9f67e376a32c57d0ccaa3fbe05046994
SSDEEP:  98304:Y0cMQv/hDAEl7Xtpny6H41l+/Xd8NyU9QgfW:Y//VAa7dpny+41l+vdoyf
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                              Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                          Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   Process
4992  EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
pid   Process
4992  EXCEL.EXE  (12 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
description                           pid   Process    procid_target
PID 4992 wrote to memory of 1880      4992  EXCEL.EXE  87
PID 4992 wrote to memory of 1880      4992  EXCEL.EXE  87
Caveat: PID 1880 is splwow64.exe (see the process tree below), the Windows print driver host that Office starts when it initializes printer settings; Office writing into that child is routine and, by itself, is not evidence of process injection.
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 4992)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fastemailsystems.document.09.09.22.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\splwow64.exe  (PID 1880)
      command line: C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe  (PID 2196)
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc