Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
14/07/2023, 06:48
Static task
static1
Behavioral task
behavioral1
Sample
CI + PL.xls
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
CI + PL.xls
Resource
win10v2004-20230703-en
General
-
Target
CI + PL.xls
-
Size
1.4MB
-
MD5
22cbe162d221d7ab2ae7e185a38cd432
-
SHA1
6ee5a4da46169acb591f3572dfe8347afd2a937d
-
SHA256
81eb9a9c2bd5612d7e67a5dccae5a52cd02fa933d59eafbb2f318d7f79dce601
-
SHA512
4dacf9de7dbe2cc352039acb18768619707c5b7e2c96f4843156e204a32bec4ec986fedc484a446364decec7773bdfbb3e0d8519e2293237f18454da4ecef074
-
SSDEEP
24576:5+u9VNZylw6VfOZydw6VleHBlEzp7uOR0bgcwyA52hcP5YwVux:5+uPR6VfY96V8hOzWgjy+P5Yj
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4884 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4884 EXCEL.EXE 4884 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE 4884 EXCEL.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CI + PL.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4884
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5d69c22a341e111feea69df6d8c655d60
SHA1ac862337f2efa43627508927f5052ce694012206
SHA25605b2053bf1d070d6034b45cd79b54d80da3c6d88d016671a345e75048b1a68db
SHA512d4db33ed046b3c9ba09c4b3feac17b1fe2e75fce67f4154fd795d504708c295a1e3c8331ed3d6c3ee9950c936c4cc25b5d690558c26f2e1f7771bd5eb275822c