Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    206s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2023, 19:21

General

  • Target

    9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1.xls

  • Size

    36KB

  • MD5

    aece997c7e8b36100f472b096092bc1d

  • SHA1

    c341c1ac189a744d0fd3287171ab3e6cabad165f

  • SHA256

    9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1

  • SHA512

    4a4c204e5570fbdc2a2ecbe5056dec466d83fd7569bd9aceaa762d14e5ad62544a8010ed505177320795f19b6518881eee4d2af2ab0b7a3a46fab466058f5e93

  • SSDEEP

    768:lPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJKJGGvEG8nsvHYvtvZBIg:Nok3hbdlylKsgqopeJBWhZFGkE+cL2NS

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9658b06d492b72734f6955e02ae53ce581d83e83e63c2ee5d3bcf04bb40725e1.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Windows\explorer.exe
      explorer.exe C:\Users\Public\Documents\nuWf.vbs
      2⤵
      • Process spawned unexpected child process
      PID:1720
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\nuWf.vbs"
      2⤵
        PID:3628

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Documents\nuWf.vbs

      Filesize

      564B

      MD5

      3def20cc624418ca50afa64d0ce2fb78

      SHA1

      8fcfcf573babdb98be8976d1118c7d2ea02c6e1b

      SHA256

      905b98e0d71db495075712d604d227e4258382f7b9f495a338c2f901f051b443

      SHA512

      cd76601f934d063ce3dcb19c769aee48feaabe9a739e4b9143f414a09301750c545cc3896277c099254518979b419a557837999bd827837f410b1eefc8888d2d

    • memory/4148-132-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

    • memory/4148-133-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

    • memory/4148-134-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

    • memory/4148-135-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

    • memory/4148-136-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

    • memory/4148-137-0x00007FFBEDA70000-0x00007FFBEDA80000-memory.dmp

      Filesize

      64KB

    • memory/4148-138-0x00007FFBEDA70000-0x00007FFBEDA80000-memory.dmp

      Filesize

      64KB