Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

27b54fa686...21.xls

windows7-x64

10

27b54fa686...21.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27b54fa6862199542bbefe006e71e19800a94f910526398d65569beb964e8321.xls

  • Size

    296KB

  • MD5

    624b4f02ab405c43cd1999e855d1b278

  • SHA1

    f19cd9841cb2aba1ad3d2d7296d3df8e7dcd61b9

  • SHA256

    27b54fa6862199542bbefe006e71e19800a94f910526398d65569beb964e8321

  • SHA512

    0dad2bc36ced261c7b996683b7cebcc3eef03418f5a7fe5beedf928dbc1191a8f834c7f927e1afbf74ddbd0d559f845825bd6b2a7b3e5b0b2d6587a00d066345

  • SSDEEP

    6144:R5JoU5+acqID6rUkCqVwFPJPvDlCdMAZrByCGk8pBK9eCw4/:qU51+VsyFPJJCSW10JC1/

Score
10/10
evasionmacromacro_on_actionpersistencexlm

Malware Config

Signatures

  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Office macro that triggers on suspicious action 1 IoCs

    Office document macro which triggers in special circumstances - often malicious.

    macromacro_on_action
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\27b54fa6862199542bbefe006e71e19800a94f910526398d65569beb964e8321.xls
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c attrib -s -h c:\setflag.exe
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h c:\setflag.exe
          3⤵
          • Views/modifies file attributes
          PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c attrib -s -h c:\sendto.exe
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1012
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h c:\sendto.exe
          3⤵
          • Views/modifies file attributes
          PID:872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c extrac32 /E /Y /L c:\ c:\cab.cab
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Windows\SysWOW64\extrac32.exe
          extrac32 /E /Y /L c:\ c:\cab.cab
          3⤵
            PID:752
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c extract /E /Y /L c:\ c:\cab.cab
          2⤵
          • Process spawned unexpected child process
          PID:1116
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c attrib +s +h c:\setflag.exe
          2⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h c:\setflag.exe
            3⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:528
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c attrib +s +h c:\sendto.exe
          2⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h c:\sendto.exe
            3⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:552
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1612

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\sendto.exe
        Filesize

        20KB

        MD5

        56bafcef305ce46d847421edd6eec04b

        SHA1

        e6e31dda260fee10b63c4dd297b433749ea7ac07

        SHA256

        3c6d90fdf13ef66dd36631796cd50db01dfb8e2db5b472c45202513ab816f272

        SHA512

        c78210f40daa6e2827d1280eaca5ae22cf036d20ff802826171cfdaf2b64a011f32c8689eec174d3375e197b240e4c92a2fb466b01c66a96e9276cd1de160e20

        Download Submit

      • C:\setflag.exe
        Filesize

        32KB

        MD5

        a4f9be8517afb4c5d9c63960a5faf258

        SHA1

        6d3300bfc43b191819f687df91bfbe2c6294d6bb

        SHA256

        78b6db289832df709d17fd5c49359ddfb9cacaa8303cd77290427bac4c829ba2

        SHA512

        c6c918bc91ed645553245cc640ed66882af264035732b8a8c2682f14a9c8f183c38837c1b3e62ca7d16e1560e6bc2a4273b41c9614a046752928c9a0c45ecb2e

        Download Submit

      • \??\c:\cab.cab
        Filesize

        70KB

        MD5

        5a876443f36ca54efae1c723041435c0

        SHA1

        7ebd6188c3df725008209b7d24f914b2b3ce0a6c

        SHA256

        02397a86f99f98f212adee047d25c56fa6644a3cf6058ddb0da0221d708f1ee9

        SHA512

        a065a1ed747b8348c49c909e7186da584a3f01bca4652b154d5f7f88c4de15c5f0c03884db5cf33bca9035944cf5c7bc6983571301dd0fa4d7c298942887a149

        Download Submit

      • \??\c:\internet.exe
        Filesize

        24KB

        MD5

        072ca9f791665febeacda1be1e71a124

        SHA1

        20d6d75ef7e06c72b43a2e3be81f5ceab11a1a5a

        SHA256

        692bfa3ca595a0ed57dd1d5fa6652332162c90ea0c9b8c9b32ddbebbec063f3d

        SHA512

        3cd1c0727085dcc054b1c9111c934fef3473d57a91e1e247418a220e35c59e495282740621d6c9c01c86a39ad4e5c79d7d95dbd289e25f044cfad1f616d52290

        Download Submit

      • \??\c:\norma1.xlm
        Filesize

        68KB

        MD5

        3f08a7010fe4ea32b210b7919448ada6

        SHA1

        c7bc3bb8f78ef217b83c593542b5c4cf602746a2

        SHA256

        506260a97f723ce79e3243b651dc8af1c3fcdbf72431be60b1a0afbab8d2dce9

        SHA512

        be8ac3dcb6574e6876c2f8d2e40c1c6ad75ca611275ccc73c7283f6b17f3956c16c14d9dfa10e36576011baa691378a8ce6115e380b821a2d6f549ea46567b4c

        Download Submit

      • \??\c:\normal.dot
        Filesize

        103KB

        MD5

        26ab77fe4d542805e0afdc9d0efc92c2

        SHA1

        332dc776b13e8f04809a312183ef9532ea2b18d3

        SHA256

        1cb2d969e56664ddc1f496c63e424cbe1ce2f560f8350f4ffa451f0fc03006d9

        SHA512

        ef439dbbe390eb175bd9970d76827a6b506b88a4db7cda233d8b6591b22e3c7a454cbb8111ca78dbbd6b195c91aa89c7d0c9df952052d3471eb07ac80f98b89a

        Download Submit

      • memory/280-61-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1404-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1404-58-0x000000007212D000-0x0000000072138000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1404-57-0x0000000074F01000-0x0000000074F03000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1404-59-0x000000007212D000-0x0000000072138000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1404-54-0x000000002FC71000-0x000000002FC74000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1404-55-0x0000000071141000-0x0000000071143000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1612-71-0x000000006B1E1000-0x000000006B1E4000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1612-75-0x000000007212D000-0x0000000072138000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1612-84-0x000000007212D000-0x0000000072138000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1612-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download