Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Order 2550619.xls

windows7-x64

10

Order 2550619.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2023, 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order 2550619.xls

  • Size

    1.7MB

  • MD5

    ab0e612c9439b82195398504a698adee

  • SHA1

    70c4113ed426af85cc7c5e37b35f8f061c15c5f0

  • SHA256

    9134e36de0aacecf0cab994a307c42bd76a067d032545e74328d1c29c6389ebd

  • SHA512

    90741688665e6fa8c9a91b63ebaa956ad366cb268436034c19e7e133d8d564c1e95c6cacdc76ef5196adcb665ebe4a0bfa6383c3f996a9ec6b56c1472be02c3e

  • SSDEEP

    49152:hLKe3Z7sQmmQ30d727UQmmQ30R6Nn1h9DB6GOLD5:lhspmQkl6UpmQkR6rhPON

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order 2550619.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2452

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2621A00C.emf
    Filesize

    577KB

    MD5

    76832c33f8bdf8376a336952cb27a79d

    SHA1

    9983aba5d494b02fafdb584e5f6b3a410aee4e55

    SHA256

    4d7e728bdf4f25dcdb803a888a678beef9c240a1d991e93129473624c57b0774

    SHA512

    c508c335514abf4fe51915e19978512848b076c1910ca496b55ae6f103f53aed65b87d685d0ca4d65f48a413f4332ae335b13edea4fb815e74a548c7a375d854

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F6A5E89D.emf
    Filesize

    34KB

    MD5

    f53cee6b317076f44af7fbdc9f3c644d

    SHA1

    12209508543ffcf41e0ff2d3abc7a1fcf660cd7a

    SHA256

    af99c490e853fcb42826343dc5fcc33e9027e472c2f99f6f1834bf876d802ec6

    SHA512

    79bceaad14da4e777adbc38bb6b4c7023e17b2ec66ae01695af43fef0f944bce2eb28e97f6f7921efb930328e9e66eee078b0d75012a209c38de1a115d7862ce

    Download Submit

  • memory/2452-139-0x00007FFA05540000-0x00007FFA05550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-136-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-137-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-138-0x00007FFA05540000-0x00007FFA05550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-133-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-135-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-134-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-194-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-195-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-196-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2452-197-0x00007FFA07810000-0x00007FFA07820000-memory.dmp

    Filesize

    64KB

    Download