Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 08:58
Static task: static1
Behavioral task: behavioral1
- Sample: 1984e9d8c376c43e35244c29706c899cb078c40f1ff1fe8c84f88c662b94e5ab.xlsm
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 1984e9d8c376c43e35244c29706c899cb078c40f1ff1fe8c84f88c662b94e5ab.xlsm
- Resource: win10v2004-20230915-en
General
- Target: 1984e9d8c376c43e35244c29706c899cb078c40f1ff1fe8c84f88c662b94e5ab.xlsm
- Size: 21KB
- MD5: d25705c70bd28dd682dcd86cf6bb490d
- SHA1: e2998d898d3f26d268e3ef7979cd7ef90779df51
- SHA256: 1984e9d8c376c43e35244c29706c899cb078c40f1ff1fe8c84f88c662b94e5ab
- SHA512: 58db01d0305a80e1128fcc7962a2ba92f244a92555e3e9a014fa733091c4713ca34bcc3d050fab9e8af1b7efc9d8ee28761e1618f0cbab1d6366e87834639b7b
- SSDEEP: 384:4MbO0hGjCvsZXiIxj0iSuMKIKIVUMa3WZHmwkQn5VEtHZmTVpXgPeqg4+avx:HOjjusZyajDSJKNAkQ4t0ZpXMg4dJ
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  - PID 4248, EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 4248, EXCEL.EXE (2 identical entries)
- Suspicious use of SetWindowsHookEx (15 IoCs)
  - PID 4248, EXCEL.EXE (15 identical entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1984e9d8c376c43e35244c29706c899cb078c40f1ff1fe8c84f88c662b94e5ab.xlsm"
  PID: 4248
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7KB
  - MD5: f9888c68198896d1dd075dab2b0735db
  - SHA1: 116cae5587694b87f3e902e37841f5a89572aa8c
  - SHA256: 93ad560dd2abf1e5a308cc70f6ce4bd0cf7d01d832242d154dcf1b1e136e7164
  - SHA512: 714440529d72467d5b295ac233c86c482a5d9036488d0260c565e078959f4fe432929e87a9a74bf3f4f54b00586fb41c6b0b360f71fb593850ff0edc81985892
- Filesize: 252B
  - MD5: 59e9176f4b69cee4c874049b813cbd64
  - SHA1: 52c8a525e86584a4e0e94fad5f64727d424a2543
  - SHA256: d8474e739ee2dc4b9331850a2255ad43cd21d095698651728e38ea6cde2544df
  - SHA512: 11d13cfe69c4a80aea31665c20d4aec55fcad9fd66626456cb25f9c0bb06878a9f5701f905da4c92cfc2c11c93fcc5b81534843f4a8d86dfcbf6eb5506dfc4e3