Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2023, 06:10

General

  • Target

    Document for clearance.xls

  • Size

    1.1MB

  • MD5

    d5d7ea5bd2503fa0a3efd0c83196b69a

  • SHA1

    5e1f2f6ada8234994fcd652a1e9d6db13ee2e94b

  • SHA256

    febe551bb0804e8707e938b42d4d31143525cd024782251bb043cb0691e7d105

  • SHA512

    766fb7673c22f9f080b8199e24f691c64b97c4f516a13356faef166d2b63437b9636f5c2f5474fef65c22c1c44b1527f6747e7eebd2f5d9b781f23cf59440f16

  • SSDEEP

    24576:mLKIWQmmav30x1+MXU6aTf+MXUw3bV4+MXUJ3bVMMm29V0a3zlD:mLKdQmmQ303+MX6b+MXL3bV4+MXm3bVX

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document for clearance.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D842DBDF.emf

    Filesize

    95KB

    MD5

    5c5096a41b5f3123b1e8264324eeabc3

    SHA1

    320b8cee357d1d0ed19f63630b0079130657d987

    SHA256

    fbe8acf84d4f45e5ef05212edd3296d5a06eeae3db3bdb9665299d86e1a6be72

    SHA512

    d0979e804b6ece6f35a10e86cd9f0ee09d273a7bd81311c6bc1f4da35f689514d1fded9e22748a50577d51cd04e3028d5151b53fd2c4b0477acae45dfb3b77d3

  • memory/840-133-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB

  • memory/840-134-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB

  • memory/840-135-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB

  • memory/840-136-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB

  • memory/840-137-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB

  • memory/840-138-0x00007FFA6C270000-0x00007FFA6C280000-memory.dmp

    Filesize

    64KB

  • memory/840-139-0x00007FFA6C270000-0x00007FFA6C280000-memory.dmp

    Filesize

    64KB

  • memory/840-184-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB

  • memory/840-185-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB

  • memory/840-186-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB

  • memory/840-187-0x00007FFA6EA70000-0x00007FFA6EA80000-memory.dmp

    Filesize

    64KB