Analysis

  • max time kernel
    110s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/02/2023, 19:29

General

  • Target

    26c90443762f147189330196a7f37a55.xlsb

  • Size

    83KB

  • MD5

    26c90443762f147189330196a7f37a55

  • SHA1

    f7f0e47df27cd6c99096ab9f4baeb1041dfe0c41

  • SHA256

    28e0ffe67dd62f679523af17fd8031d2d92a46577effe12f7027c5c5595f8fc5

  • SHA512

    8ae802e9fb065bf8740f33efd1794b28bb98ba3a9b0d78708fa54a4526f90bfe6f4c9f19d17983807bf74c6df0d5c9a6f6a2a9a6b92db692f741291b129944f2

  • SSDEEP

    1536:kU/wRbzYC/DoH//O4Ai4nk4i5gqbxFRWs1yeq3++K8EmA9Z:kUybzY7nHJ4klFTWKy9++K8E

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process (3 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious Office macro (2 IoCs)

    Office document equipped with 4.0 macros.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • NTFS ADS (1 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\26c90443762f147189330196a7f37a55.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\system32\attrib.exe
        attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        3⤵
        • Views/modifies file attributes
        PID:4664
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      PID:1544
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      PID:4960

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls

    Filesize

    85KB

    MD5

    7e035d6dbd6fa293389f3928428a0441

    SHA1

    a724daf65bec09ca1b2c78b460c8777708a2ca2b

    SHA256

    de8727bc093b3e99af7e5062b717ef26fc26cb2504e729d37eed8e5a468421c4

    SHA512

    5ee5b69b32232fb83a59ca018c1e271a93ff7634e9390294f46dd7514d707c7ec3edab68f1f8fff7005f1690169b38836f1a7b629cab9bf7f2fc38de0350580c

  • memory/4716-136-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/4716-137-0x00007FF7F0330000-0x00007FF7F0340000-memory.dmp

    Filesize

    64KB

  • memory/4716-138-0x00007FF7F0330000-0x00007FF7F0340000-memory.dmp

    Filesize

    64KB

  • memory/4716-132-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/4716-135-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/4716-134-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/4716-133-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/4716-145-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/4716-146-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/4716-147-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/4716-148-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB