Analysis
max time kernel: 203s
max time network: 208s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 03:06
Behavioral task: behavioral1
Sample: 4ee4f9d3e300160baa41695bd597a238.xls
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 4ee4f9d3e300160baa41695bd597a238.xls
Resource: win10v2004-20231215-en
General
Target: 4ee4f9d3e300160baa41695bd597a238.xls
Size: 177KB
MD5: 4ee4f9d3e300160baa41695bd597a238
SHA1: 4e81eef7bc19d10207b030c65cd7063c5666103e
SHA256: 58c0ea4a770bf33a1d3f359370e9fb7e4542d612f920bd6fd97570f16b7ab30d
SHA512: 5704cbcd80c2dc35850659bd0e061243ffab0cf3a0d1e8b33e6e1aea26b421d2ac952052d8ff9f1487a92aeb8d7eb35f98cec1f502c6c62af02a7e069c6d2f91
SSDEEP: 3072:b1mXOps/m+vksm2hvUPqFPI4ukoRWGNwzncGAuBrNhBJDBuAWVbrzF7ITkDXbEbR:hmXOps/m+vksm2hvUPqFPI4ukoRWGNwp
Malware Config
Signatures
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 940 | 1164 | cmd.exe | 73
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3616 | 1164 | cmd.exe | 73
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2440 | 1164 | cmd.exe | 73

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
1164 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1164 | EXCEL.EXE
1164 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
1164 | EXCEL.EXE (14 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1164 wrote to memory of 940 | 1164 | EXCEL.EXE | 94
PID 1164 wrote to memory of 940 | 1164 | EXCEL.EXE | 94
PID 1164 wrote to memory of 2440 | 1164 | EXCEL.EXE | 99
PID 1164 wrote to memory of 2440 | 1164 | EXCEL.EXE | 99
PID 1164 wrote to memory of 3616 | 1164 | EXCEL.EXE | 95
PID 1164 wrote to memory of 3616 | 1164 | EXCEL.EXE | 95
PID 940 wrote to memory of 3276 | 940 | cmd.exe | 100
PID 940 wrote to memory of 3276 | 940 | cmd.exe | 100

Views/modifies file attributes (1 TTPs, 1 IoC)
pid | Process
3276 | attrib.exe
Processes
(depth 1) C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4ee4f9d3e300160baa41695bd597a238.xls"
  PID: 1164
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    PID: 940
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\attrib.exe
      Command line: attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      PID: 3276
      - Views/modifies file attributes

  (depth 2) C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    PID: 3616
    - Process spawned unexpected child process

  (depth 2) C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    PID: 2440
    - Process spawned unexpected child process