Analysis
max time kernel: 143s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/03/2023, 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: Document for clearance.xls
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Document for clearance.xls
  Resource: win10v2004-20230220-en
General
Target: Document for clearance.xls
Size: 1.1MB
MD5: d5d7ea5bd2503fa0a3efd0c83196b69a
SHA1: 5e1f2f6ada8234994fcd652a1e9d6db13ee2e94b
SHA256: febe551bb0804e8707e938b42d4d31143525cd024782251bb043cb0691e7d105
SHA512: 766fb7673c22f9f080b8199e24f691c64b97c4f516a13356faef166d2b63437b9636f5c2f5474fef65c22c1c44b1527f6747e7eebd2f5d9b781f23cf59440f16
SSDEEP: 24576:mLKIWQmmav30x1+MXU6aTf+MXUw3bV4+MXUJ3bVMMm29V0a3zlD:mLKdQmmQ303+MX6b+MXL3bV4+MXm3bVX
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
840 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
840 | EXCEL.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
840 | EXCEL.EXE (12 occurrences)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document for clearance.xls"
  PID: 840
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 95KB
MD5: 5c5096a41b5f3123b1e8264324eeabc3
SHA1: 320b8cee357d1d0ed19f63630b0079130657d987
SHA256: fbe8acf84d4f45e5ef05212edd3296d5a06eeae3db3bdb9665299d86e1a6be72
SHA512: d0979e804b6ece6f35a10e86cd9f0ee09d273a7bd81311c6bc1f4da35f689514d1fded9e22748a50577d51cd04e3028d5151b53fd2c4b0477acae45dfb3b77d3