Analysis
- max time kernel: 169s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/01/2023, 19:21
Behavioral task: behavioral1
- Sample: dd4e8e0fd585c1811d0c6a28405310bc0d5128080a618ee5558debcb79b87a47.xls
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: dd4e8e0fd585c1811d0c6a28405310bc0d5128080a618ee5558debcb79b87a47.xls
- Resource: win10v2004-20220812-en
General
- Target: dd4e8e0fd585c1811d0c6a28405310bc0d5128080a618ee5558debcb79b87a47.xls
- Size: 36KB
- MD5: 8012d8e92997788ba4d64c50e907a8de
- SHA1: 8ce95bc91bc7deebd53c8d20cfff4c801ce654eb
- SHA256: dd4e8e0fd585c1811d0c6a28405310bc0d5128080a618ee5558debcb79b87a47
- SHA512: 141c7341416a97f49763609d24554dd270574621e62fba97aaf9df0306fe4e6d35725f7ecf0ba29273213a6c418507b22dbf9184db8e54f92f02fb6d658e06af
- SSDEEP: 768:VPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJq0Yrw65bESS:dok3hbdlylKsgqopeJBWhZFGkE+cL2Ne
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2168 | 4304 | explorer.exe | 81
- Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  4304 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  4304 | EXCEL.EXE (14 identical events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4304 wrote to memory of 2168 | 4304 | EXCEL.EXE | 84
  PID 4304 wrote to memory of 2168 | 4304 | EXCEL.EXE | 84
  PID 2660 wrote to memory of 1308 | 2660 | explorer.exe | 86
  PID 2660 wrote to memory of 1308 | 2660 | explorer.exe | 86
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dd4e8e0fd585c1811d0c6a28405310bc0d5128080a618ee5558debcb79b87a47.xls"
  PID: 4304
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (child)
    Command line: explorer.exe C:\Users\Public\Documents\hrsSZO9.vbs
    PID: 2168
    - Process spawned unexpected child process
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 2660
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (child)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\hrsSZO9.vbs"
    PID: 1308
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 534B
- MD5: c4dd4930afc21dd1b17bad504c484c59
- SHA1: bae6e409a96a4687dc568a55b6b531ee80ac4562
- SHA256: 51f2a70447259d678e2215db26a759d7cdc81dc847ca6ac7bf3a921c75311462
- SHA512: 5c752b03efe0c71208bc223be442d9aca289d7da7639d3c35e784ef274714a2eecc05ec78d51f38f88ab1179819ea5674e5456198aed5cb15c1ee38b021230f9