Analysis
- max time kernel: 111s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/03/2023, 13:28
Static task
- static1
Behavioral task
- behavioral1
  Sample: 708e57865390f24449be8d2c202ffdf9517984bf96a82de7aacf6d5ec6f7adbc.xls
  Resource: win7-20230220-en
Behavioral task
- behavioral2
  Sample: 708e57865390f24449be8d2c202ffdf9517984bf96a82de7aacf6d5ec6f7adbc.xls
  Resource: win10v2004-20230220-en
General
- Target: 708e57865390f24449be8d2c202ffdf9517984bf96a82de7aacf6d5ec6f7adbc.xls
- Size: 1.1MB
- MD5: 0b09e53e2fc33342c42fbc66473df157
- SHA1: 214ed38e49a874f7b4ac5b5e245ce165eb767f0c
- SHA256: 708e57865390f24449be8d2c202ffdf9517984bf96a82de7aacf6d5ec6f7adbc
- SHA512: ecd2f83aafe9ffc384e1813509a218459f6c5656238f731d5721c9e45758f134b0f6d4ee3053519b54bdc85e486a937aae92fce01ceb7e1774759cfb064828a4
- SSDEEP: 24576:dLKjWQmmav30xY+MXUu9/41+MXUu9L3bV7+MXUu9s3bVn3+RoyPZNQ:dLKCQmmQ30K+MXV9i+MXV9L3bV7+MXVB
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  1120 | EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1120 | EXCEL.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  1120 | EXCEL.EXE (12 occurrences)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\708e57865390f24449be8d2c202ffdf9517984bf96a82de7aacf6d5ec6f7adbc.xls"
  PID: 1120
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 95KB
  MD5: d5ebeaa745b6e6249596aaeb014647c6
  SHA1: 8bbc5637228c6808bfcc89c5903f05aa3d1372c2
  SHA256: 85b24bc9f801b416f54987035220fc32abee6489a13687d98d5fcaf206312bc7
  SHA512: cf74b04779867e7acbc85814b05ee1f3a306e7b3e0b4c490ee6cba7271d47162c92467121d9bdedb69114117dcb71d2132c932cf27eac46c007ce9315faa7730