Analysis

  • max time kernel
    147s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20230220-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23/05/2023, 11:35

General

  • Target

    decrypted.xlsx

  • Size

    273KB

  • MD5

    b02688382e3717cb72d564ba99e5fade

  • SHA1

    3a3ea7347b6bf46199be3641c3ded990f05f8dab

  • SHA256

    d471563f99a869932ca9b383e00c609c1dbcf07528b0a5d76535d49623c30696

  • SHA512

    f9f6263d0c6d832271e9fb41622530aa0a49d23d7acf280920ab95517e260476c03b675f0c7f10ee69d33249edf231d58ed56c24145bd9bebceba72650cafd79

  • SSDEEP

    6144:xTnG7OC2gAjuSbCsLyMtqcY874dVTSRqU10EWz2/sSGhtjk+xD:xTnC2CSbp1p74dVQrmAgjjD

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments. Here the reads come from EXCEL.EXE and WINWORD.EXE, which query these keys during normal startup, so on their own they are weak evidence.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. Querying it is routine for Office and backup software; the event worth escalating is deletion or resizing of shadow copies, which this report does not record.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4432
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:4220
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1844

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

        Filesize

        471B

        MD5

        f3aed731e8e3ac81138b3d67d027b1f8

        SHA1

        4187ff6ba4a3c1ccda4af1b0c2026974b3fea432

        SHA256

        7574043812c0ea984f4be4ab0018a1bcb6c2e6a04c517287a2e0d64a1096d078

        SHA512

        64a75f37df9141b5b4df99e2fce15a4147ed7fc9f06e65b28287e3588710cdba2712cc75ebab1157a47f71cadafea68e84a90c0879c84ad4fa870200bf374041

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

        Filesize

        442B

        MD5

        8c72fa4586915b07b77cf2ea6b00c777

        SHA1

        056eca85bd8b9fd6e916fa050f6c37e0411cea2b

        SHA256

        2647bddc9d1851005d211112d7cedf5ef8628306752f5bd25411ccc2fa5b7ede

        SHA512

        ae20456ceaa94735aa9971c47fd24495edecb0c38620ca2788cdc2482e7c761590af43a2bdef6c387063addd2291787eaa95ed454044e86dbc948ccbb06669fa

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\qiiiiiiqiiii##################################qiqiqiqi[1].doc

        Filesize

        28KB

        MD5

        1dcdb9e238b956e5768b2367fc310a70

        SHA1

        6e96e094f6098f3224b1aa0707b94b4863240072

        SHA256

        9f017be23619d836a704478a2b1a31cfb60e4b6fc40e8e94ffde205bc195e963

        SHA512

        ceb0c59fa2423a5b959315657ce3fc476d3581e997409694269a838c61b0586227e5e8cc06b10a388a51e29dda156bea86e157c731bc0e0aaccb0f6dd0a3715f

      • memory/4432-133-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

        Filesize

        64KB

      • memory/4432-135-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

        Filesize

        64KB

      • memory/4432-134-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

        Filesize

        64KB

      • memory/4432-136-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

        Filesize

        64KB

      • memory/4432-137-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

        Filesize

        64KB

      • memory/4432-138-0x00007FFC89DB0000-0x00007FFC89DC0000-memory.dmp

        Filesize

        64KB

      • memory/4432-139-0x00007FFC89DB0000-0x00007FFC89DC0000-memory.dmp

        Filesize

        64KB
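The process tree and Downloads list above carry the report's real signal: EXCEL.EXE opens decrypted.xlsx, WINWORD.EXE is started by COM with -Embedding, and a .doc lands in INetCache\IE, which is where WinINet caches HTTP fetches. The script below, an added example and not tria.ge code, encodes that reading as three triage rules and runs them over events constructed from the report's own process list and Downloads section. The rule names and the "baseline" set of Office signatures are the author's assumptions.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class Process:
    pid: int
    image: str
    cmdline: str
    signatures: list = field(default_factory=list)


@dataclass
class FileDrop:
    path: str
    size: int


OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
OFFICE_DOC_EXT = {".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".docm", ".rtf", ".ppt", ".pptx"}
# Assumed baseline: signatures every Office process raises on a normal start.
BASELINE_OFFICE_SIGS = {
    "Checks processor information in registry",
    "Enumerates system info in registry",
    "Suspicious behavior: AddClipboardFormatListener",
    "Suspicious use of FindShellTrayWindow",
    "Suspicious use of SetWindowsHookEx",
}
_COMMON = ["Checks processor information in registry", "Enumerates system info in registry",
           "Suspicious behavior: AddClipboardFormatListener", "Suspicious use of SetWindowsHookEx"]

# Constructed from the report's Processes section.
REPORT_PROCESSES = [
    Process(4432, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
            r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
            r'"C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"',
            _COMMON + ["Suspicious use of FindShellTrayWindow"]),
    Process(4968, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
            r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding',
            _COMMON + ["Suspicious use of AdjustPrivilegeToken", "Suspicious use of WriteProcessMemory"]),
    Process(4220, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    Process(1844, r"C:\Windows\system32\svchost.exe",
            r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"),
]

# Constructed from the report's Downloads section (sizes as rounded there; memory dumps omitted).
REPORT_DROPS = [
    FileDrop(r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content"
             r"\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177", 471),
    FileDrop(r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData"
             r"\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177", 442),
    FileDrop(r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN"
             r"\qiiiiiiqiiii##################################qiqiqiqi[1].doc", 28 * 1024),
]


def _args(cmdline: str) -> list:
    """Split a Windows command line into quoted and unquoted tokens."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_office(p: Process) -> bool:
    return PureWindowsPath(p.image).name.lower() in OFFICE_IMAGES


def opens_document(p: Process) -> bool:
    return any(PureWindowsPath(a).suffix.lower() in OFFICE_DOC_EXT for a in _args(p.cmdline)[1:])


def rule_embedding_server(procs: list) -> list:
    """(host pid, server pid) pairs: one Office app holds a document while a second one
    runs with -Embedding, i.e. COM activated it to serve an embedded or linked object.
    That is why the server sits at top level in the tree rather than under the host."""
    hosts = [p for p in procs if is_office(p) and opens_document(p)]
    servers = [p for p in procs if is_office(p) and "-Embedding" in _args(p.cmdline)[1:]]
    return [(h.pid, s.pid) for h in hosts for s in servers if s.pid != h.pid]


def rule_inetcache_office_doc(drops: list) -> list:
    """Office documents written under INetCache arrived through WinINet, so opening
    the sample pulled another document over HTTP(S)."""
    return [d.path for d in drops
            if "inetcache" in (x.lower() for x in PureWindowsPath(d.path).parts)
            and PureWindowsPath(d.path).suffix.lower() in OFFICE_DOC_EXT]


def rule_non_baseline_office_sigs(procs: list) -> dict:
    """Signatures on Office processes beyond the ones every Office start raises."""
    out = {}
    for p in procs:
        if is_office(p):
            extra = sorted(set(p.signatures) - BASELINE_OFFICE_SIGS)
            if extra:
                out[p.pid] = extra
    return out


def triage(procs: list, drops: list) -> dict:
    return {
        "embedding_pairs": rule_embedding_server(procs),
        "inetcache_docs": rule_inetcache_office_doc(drops),
        "extra_office_sigs": rule_non_baseline_office_sigs(procs),
    }


if __name__ == "__main__":
    for name, hits in triage(REPORT_PROCESSES, REPORT_DROPS).items():
        print(f"{name}: {hits}")
```

On this report the first two rules fire together (EXCEL 4432 hosting, WINWORD 4968 embedding, one .doc in the IE cache), which is the pattern to chase: pull the cached .doc and inspect it, since the spreadsheet itself scored 1/10. The third rule leaves only AdjustPrivilegeToken and WriteProcessMemory on WINWORD, and both coincide with it spawning splwow64.exe, the print-driver helper, alongside the PrintWorkflow svchost; that is consistent with rendering/printing activity rather than a payload, but the cached document is the artifact to verify.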