Analysis
- max time kernel: 191s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 03:20
Behavioral task: behavioral1
- Sample: 4fc3b53b6847285354a3772a4860b2f0.xls
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4fc3b53b6847285354a3772a4860b2f0.xls
- Resource: win10v2004-20231215-en
General
- Target: 4fc3b53b6847285354a3772a4860b2f0.xls
- Size: 36KB
- MD5: 4fc3b53b6847285354a3772a4860b2f0
- SHA1: cee6f3cb9f7f1f4a3ef5fbe458e12dea4377c75e
- SHA256: be63fc8831f99a0412997cfbea77f321188f7ad554b65f2af7d194c0bb129f25
- SHA512: 6c4be8e7dc16f1243e0746d7c65e631dd2665bc1156c0946a4a5b8ec8d31e37bbf9611fc9e23ac5d77412f156e76660028547fe90247ea73f1324aa846cb7dd4
- SSDEEP: 768:NPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJirIHlo6Y7Z2yFP:lok3hbdlylKsgqopeJBWhZFGkE+cL2N/
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1328 | 4868 | explorer.exe | 70
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  4868 | EXCEL.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4868 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | Process
  4868 | EXCEL.EXE (this row appears 8 times in the report)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4868 wrote to memory of 1328 | 4868 | EXCEL.EXE | 94
  PID 4868 wrote to memory of 1328 | 4868 | EXCEL.EXE | 94
  PID 4168 wrote to memory of 632 | 4168 | explorer.exe | 96
  PID 4168 wrote to memory of 632 | 4168 | explorer.exe | 96
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4868)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4fc3b53b6847285354a3772a4860b2f0.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (PID 1328)
    Command line: explorer.exe C:\Users\Public\Documents\JNejL.vbs
    - Process spawned unexpected child process
- C:\Windows\explorer.exe (PID 4168)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 632)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\JNejL.vbs"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 581B
  MD5: 326ad3e196e3f96d74a192ad60cf59d7
  SHA1: fd7ae06dce705e79936aaa1cb9f2c0036664d3de
  SHA256: 790bc61f65360ad00230b854b5cf70b6a89747ae83ae9745de74a20e6105f7a0
  SHA512: 49d9ae7015a191c359adb84e038603aa50936472460199de0ac8b89a5871112035dc7aabd7917de2c2e94da0db8ea9d3f8f104519cef8caeb073f78a61d5766b