Analysis
max time kernel: 206s
max time network: 207s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/01/2023, 19:21
Behavioral task: behavioral1
Sample: 9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1.xls
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1.xls
Resource: win10v2004-20221111-en
General
Target: 9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1.xls
Size: 36KB
MD5: aece997c7e8b36100f472b096092bc1d
SHA1: c341c1ac189a744d0fd3287171ab3e6cabad165f
SHA256: 9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1
SHA512: 4a4c204e5570fbdc2a2ecbe5056dec466d83fd7569bd9aceaa762d14e5ad62544a8010ed505177320795f19b6518881eee4d2af2ab0b7a3a46fab466058f5e93
SSDEEP: 768:lPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJKJGGvEG8nsvHYvtvZBIg:Nok3hbdlylKsgqopeJBWhZFGkE+cL2NS
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1720 | 4148 | explorer.exe | 79
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
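The two registry signatures above list exactly four values the sample reads under HKLM\HARDWARE\DESCRIPTION\System: the CPU name and clock, and the BIOS family and SKU. As an added example that is not part of this report, the function below evaluates those four values the way a VM-aware loader would, so a sandbox operator can check what a given image exposes. The hypervisor marker strings, the zero-clock heuristic, and both value sets are assumptions and constructed data, not values observed in the analysis.

```python
# Added example (not Triage's signature logic): score the four registry values this
# sample queries for hypervisor hints. Marker strings, the ~MHz heuristic and the two
# value sets below are assumptions / constructed data, not taken from the report.

HYPERVISOR_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "xen",
                      "hyper-v", "virtual machine", "bochs", "parallels")

# value name -> key path, exactly the IoCs listed in the two signatures above
QUERIED_VALUES = {
    "ProcessorNameString": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    "~MHz":                r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    "SystemFamily":        r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
    "SystemSKU":           r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
}


def fingerprint_hits(values):
    """Return (key path, value name) pairs whose content would tell a VM-aware
    sample it is running under a hypervisor.

    `values` maps value name to the data read back from the registry:
    str for the REG_SZ values, int for the REG_DWORD ~MHz value.
    """
    hits = []
    for name, path in QUERIED_VALUES.items():
        data = values.get(name)
        if name == "~MHz":
            # REG_DWORD: there is no vendor string to match. An absent or zero
            # clock is the only anomaly a loader can key on (assumed heuristic).
            if not data:
                hits.append((path, name))
            continue
        text = (data or "").lower()
        # Empty SMBIOS strings are as telling as an explicit hypervisor name.
        if not text or any(marker in text for marker in HYPERVISOR_MARKERS):
            hits.append((path, name))
    return hits


# Constructed value sets: what a default VM image and a hardened image might return.
DEFAULT_VM_IMAGE = {
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "~MHz": 3192,
    "SystemFamily": "Virtual Machine",
    "SystemSKU": "",          # left empty by many hypervisor SMBIOS tables
}
HARDENED_IMAGE = {
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "~MHz": 3192,
    "SystemFamily": "OptiPlex",   # constructed OEM-looking strings
    "SystemSKU": "0A5B",
}

if __name__ == "__main__":
    for label, image in (("default VM", DEFAULT_VM_IMAGE), ("hardened", HARDENED_IMAGE)):
        print(label, "->", fingerprint_hits(image) or "no hypervisor hints")
```

Reading these values is not a network or file event, so it will not appear in Sysmon or EDR telemetry; the check is useful on the sandbox side, to confirm that the values an image hands back do not end the analysis before the macro runs.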
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
4148 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
4148 | EXCEL.EXE (14 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 4148 wrote to memory of 1720 | 4148 | EXCEL.EXE | 82
PID 4148 wrote to memory of 1720 | 4148 | EXCEL.EXE | 82
PID 3276 wrote to memory of 3628 | 3276 | explorer.exe | 84
PID 3276 wrote to memory of 3628 | 3276 | explorer.exe | 84
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4148)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1.xls"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\explorer.exe (PID 1720)
      Command line: explorer.exe C:\Users\Public\Documents\nuWf.vbs
      - Process spawned unexpected child process

1. C:\Windows\explorer.exe (PID 3276)
   Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe (PID 3628)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\nuWf.vbs"
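The process tree is the useful part of this report. EXCEL.EXE (4148) does not launch a script host itself; it runs explorer.exe with the path of nuWf.vbs as its only argument, and the script then appears as a child of the separate COM-activated explorer.exe (3276), which runs it under WScript.exe (3628). That is consistent with the macro handing the file to the shell so that the script host is parented by the long-lived explorer.exe rather than by Office, which defeats a plain "Office spawned wscript.exe" rule. As an added example that is not Triage's own signature logic, the code below expresses the "unexpected child process" signature and two companion rules over Sysmon-style process-creation records and runs them over constructed events modelled on the tree above. The parent PIDs and images of EXCEL.EXE and of explorer.exe 3276 are assumptions; the report does not list them.

```python
# Added example (not Triage's signature logic): lineage rules over Sysmon-style
# process-creation records, run over constructed events modelled on the process
# tree in this report. Parent PID/image of EXCEL.EXE (4148) and of the COM-activated
# explorer.exe (3276) are assumptions; the report does not show them.
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def argv(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_args(cmdline):
    """Arguments (argv[0] excluded) naming a script file in a user-writable directory."""
    return [a for a in argv(cmdline)[1:]
            if a.lower().endswith(SCRIPT_EXTS)
            and any(d in a.lower() for d in USER_WRITABLE)]


def detect(events):
    """Return (rule, pid, detail) findings.

    office_spawned_child           any child of an Office process (the report's signature)
    office_handed_script_to_shell  Office ran explorer.exe with a script path: the shell
                                   opens the file in its handler under the existing
                                   explorer.exe, so the script host is not Office's child
    script_host_ran_dropped_script a script host running a script from a writable
                                   directory, whatever its parent is
    """
    findings = []
    for e in events:
        child, parent = basename(e.image), basename(e.parent_image)
        scripts = script_args(e.cmdline)
        if parent in OFFICE_IMAGES:
            findings.append(("office_spawned_child", e.pid, child))
            if child == "explorer.exe" and scripts:
                findings.append(("office_handed_script_to_shell", e.pid, scripts[0]))
        if child in SCRIPT_HOSTS and scripts:
            findings.append(("script_host_ran_dropped_script", e.pid, scripts[0]))
    return findings


# Constructed events modelled on the process tree above (parents marked assumed).
EVENTS = [
    ProcEvent(4148, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1.xls"',
              1000, r"C:\Windows\explorer.exe"),                      # parent assumed
    ProcEvent(1720, r"C:\Windows\explorer.exe",
              r"explorer.exe C:\Users\Public\Documents\nuWf.vbs",
              4148, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"),
    ProcEvent(3276, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",
              900, r"C:\Windows\System32\svchost.exe"),               # parent assumed
    ProcEvent(3628, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\nuWf.vbs"',
              3276, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:31} pid={pid} {detail}")
```

Run against these events the first rule fires only on PID 1720, and a rule keyed on Office as the direct parent of a script host would never fire at all: WScript.exe 3628 is attributed to explorer.exe 3276. The third rule catches it from the command line alone, which is why script-host rules should key on the script's location as well as on lineage.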
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 564B
MD5: 3def20cc624418ca50afa64d0ce2fb78
SHA1: 8fcfcf573babdb98be8976d1118c7d2ea02c6e1b
SHA256: 905b98e0d71db495075712d604d227e4258382f7b9f495a338c2f901f051b443
SHA512: cd76601f934d063ce3dcb19c769aee48feaabe9a739e4b9143f414a09301750c545cc3896277c099254518979b419a557837999bd827837f410b1eefc8888d2d