Analysis
-
max time kernel
166s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/03/2023, 11:21
Static task
static1
Behavioral task
behavioral1
Sample
7196c782947e85f60273951e75c7d3c637ee8b6b69540b292073ba548ee8674d.xls
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
7196c782947e85f60273951e75c7d3c637ee8b6b69540b292073ba548ee8674d.xls
Resource
win10v2004-20230221-en
General
-
Target
7196c782947e85f60273951e75c7d3c637ee8b6b69540b292073ba548ee8674d.xls
-
Size
1.2MB
-
MD5
51699d255aeee8da123a9dd4b3650338
-
SHA1
f80d11c1aeed14ac99e61a7deaa8d80cdac1ee81
-
SHA256
7196c782947e85f60273951e75c7d3c637ee8b6b69540b292073ba548ee8674d
-
SHA512
b72b7724e1f09d7a6f62932506c4f6e7f4373e1838f780521b9e6cab610ea44f921b7a0454a445288e77d29d06fba050ed2a8a3e01bc52f31eaa36ba86cd929d
-
SSDEEP
24576:ELKaBztHlx4WQmmav30xvBBatHlxAWQmmav30x26FMdG0EoL9J5tN:ELKaj7NQmmQ30RPg7VQmmQ30M610Nv
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
4212 | EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
4212 | EXCEL.EXE (this entry is repeated 12 times, one per hook installation, all from the same process)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7196c782947e85f60273951e75c7d3c637ee8b6b69540b292073ba548ee8674d.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4212
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
577KB
MD5 63a79c946db053ba5ebd7a22a4d41ca1
SHA1 8f33ef886f216c6ce02b681a85e18eea17eff5b3
SHA256 10f7a89bdb70db4cf87e11165c650125d76de074a57863a0d80d23418aa918a7
SHA512 4d77b34d8b2ad0148469a205b340b148d296c5fbb6a8656915fce2a41e1ac88295e6ebe54a870722fe4878d894252e3605c9acf6e27917e6b8eea9158daa0184
-
Filesize
34KB
MD5 3cdce970854925d23c15d611898b7ae6
SHA1 ef68a421937ead8a658f93f7ce125373f22da9d4
SHA256 94bf70898eec2366e256fc763a8c8981c71f7e1cef9c18307d74ee86b2df6940
SHA512 438f3383b81c779e455b3b720096fe84156370d66a4425d3cbcc7818c2354c311b528ba4817d13c29c4ed458658b608ac45fe177963c19e0fda68582de90edfe