Analysis

  • max time kernel
    166s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/03/2023, 11:21

General

  • Target

    7196c782947e85f60273951e75c7d3c637ee8b6b69540b292073ba548ee8674d.xls

  • Size

    1.2MB

  • MD5

    51699d255aeee8da123a9dd4b3650338

  • SHA1

    f80d11c1aeed14ac99e61a7deaa8d80cdac1ee81

  • SHA256

    7196c782947e85f60273951e75c7d3c637ee8b6b69540b292073ba548ee8674d

  • SHA512

    b72b7724e1f09d7a6f62932506c4f6e7f4373e1838f780521b9e6cab610ea44f921b7a0454a445288e77d29d06fba050ed2a8a3e01bc52f31eaa36ba86cd929d

  • SSDEEP

    24576:ELKaBztHlx4WQmmav30xvBBatHlxAWQmmav30x26FMdG0EoL9J5tN:ELKaj7NQmmQ30RPg7VQmmQ30M610Nv

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7196c782947e85f60273951e75c7d3c637ee8b6b69540b292073ba548ee8674d.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4212

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\546F46D3.emf

    Filesize

    577KB

    MD5

    63a79c946db053ba5ebd7a22a4d41ca1

    SHA1

    8f33ef886f216c6ce02b681a85e18eea17eff5b3

    SHA256

    10f7a89bdb70db4cf87e11165c650125d76de074a57863a0d80d23418aa918a7

    SHA512

    4d77b34d8b2ad0148469a205b340b148d296c5fbb6a8656915fce2a41e1ac88295e6ebe54a870722fe4878d894252e3605c9acf6e27917e6b8eea9158daa0184

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8A79AAB8.emf

    Filesize

    34KB

    MD5

    3cdce970854925d23c15d611898b7ae6

    SHA1

    ef68a421937ead8a658f93f7ce125373f22da9d4

    SHA256

    94bf70898eec2366e256fc763a8c8981c71f7e1cef9c18307d74ee86b2df6940

    SHA512

    438f3383b81c779e455b3b720096fe84156370d66a4425d3cbcc7818c2354c311b528ba4817d13c29c4ed458658b608ac45fe177963c19e0fda68582de90edfe

  • memory/4212-139-0x00007FF94D8F0000-0x00007FF94D900000-memory.dmp

    Filesize

    64KB

  • memory/4212-136-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB

  • memory/4212-137-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB

  • memory/4212-138-0x00007FF94D8F0000-0x00007FF94D900000-memory.dmp

    Filesize

    64KB

  • memory/4212-133-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB

  • memory/4212-134-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB

  • memory/4212-135-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB

  • memory/4212-188-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB

  • memory/4212-189-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB

  • memory/4212-190-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB

  • memory/4212-191-0x00007FF94F950000-0x00007FF94F960000-memory.dmp

    Filesize

    64KB