Analysis
max time kernel: 157s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 03:25
Behavioral task: behavioral1
Sample: 501af3b2dae97eb94cdd731516882e71.xls
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 501af3b2dae97eb94cdd731516882e71.xls
Resource: win10v2004-20231215-en
General
Target: 501af3b2dae97eb94cdd731516882e71.xls
Size: 35KB
MD5: 501af3b2dae97eb94cdd731516882e71
SHA1: ca10c611e72c9539c56ac3754d29deef269375c8
SHA256: 462b9c3c22cc64c3b38d090695b566ada4635ceee426548415b101a0bc74b7c7
SHA512: 4314d5720f48fc0493818240a700a08b47349c87e2d683e824110f00a531b04c432692515a457a70e40703b7a3487b0af6cbd6169ed9f1f6fd7b31f017b887d9
SSDEEP: 768:HPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJK2N9OBp47VCBaWjj5izC:vok3hbdlylKsgqopeJBWhZFGkE+cL2N1
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 3948
  pid_target: 3608
  Process: explorer.exe
  procid_target: 29
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings (explorer.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 3608 EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3608 EXCEL.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid 3608 EXCEL.EXE (14 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3608 wrote to memory of 3948 (EXCEL.EXE, procid_target 98), 2 occurrences
  PID 3324 wrote to memory of 8 (explorer.exe, procid_target 100), 2 occurrences
  Caveat: both writes go from a parent into a child it has just created, which is what process creation does routinely; on its own this signature is weak evidence, and the interesting part here is the parent/child pairs it records, not the API call.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\501af3b2dae97eb94cdd731516882e71.xls"
  PID: 3608
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\explorer.exe
      explorer.exe C:\Users\Public\Documents\c8uTi.vbs
      PID: 3948
      - Process spawned unexpected child process
-
C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 3324
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\c8uTi.vbs"
      PID: 8
-
Note the split lineage. EXCEL.EXE (3608) does not run the script itself: it starts explorer.exe (3948) with the staged C:\Users\Public\Documents\c8uTi.vbs as its argument, and the script is then executed by WScript.exe (8) under a second, COM-activated explorer.exe instance (3324, started with /factory,{...} -Embedding). WScript.exe's parent is therefore explorer.exe, not EXCEL.EXE, so a parent/child rule keyed only on "Office spawns script host" never sees the handoff; the stable link between the two branches is the script path that both command lines reference.
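As an added example (not part of this tria.ge report and not the sandbox's own code), the rules below run over constructed process-creation and registry-query records modelled on the process tree and the signatures above. They cover three of the behaviours shown: an Office process spawning an unexpected child, the script path that ties EXCEL.EXE (3608) to the WScript.exe (8) launched under the second explorer.exe (3324) despite the broken parent/child link, and the CentralProcessor/BIOS registry reads used for sandbox fingerprinting. The record layout, the ppid 0 placeholder for parents outside the capture, the extra benign registry read and the allowlist of expected Office children are assumptions made for this example.

```python
"""Added example, not part of the tria.ge report: detection rules over constructed
process and registry records that mirror this report's process tree and signatures.
Field names, the record layout and the allowlist are assumptions made here."""
import json
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed allowlist of children Office spawns legitimately (print spooler proxy).
ALLOWED_OFFICE_CHILDREN = {"splwow64.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1)$", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare command-line token
# Registry paths read for sandbox fingerprinting (per the signatures above).
FINGERPRINT_KEYS = (
    r"\hardware\description\system\centralprocessor",
    r"\hardware\description\system\bios",
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int  # 0 = parent outside the captured set (assumption)
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    image: str
    key: str


# Constructed sample events following the PIDs and command lines in the report.
PROC_EVENTS = [
    ProcEvent(3608, 0, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\501af3b2dae97eb94cdd731516882e71.xls"'),
    ProcEvent(3948, 3608, r"C:\Windows\explorer.exe",
              r"explorer.exe C:\Users\Public\Documents\c8uTi.vbs"),
    ProcEvent(3324, 0, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(8, 3324, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\c8uTi.vbs"'),
]
REG_EVENTS = [
    RegEvent(3608, "EXCEL.EXE", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    RegEvent(3608, "EXCEL.EXE", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    RegEvent(3608, "EXCEL.EXE", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    # Constructed benign read, added for contrast; not in the report.
    RegEvent(3608, "EXCEL.EXE", r"\REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Office\16.0\Excel\Options"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_paths(cmdline: str) -> set:
    """Lower-cased command-line tokens (quoted or bare) that end in a script extension."""
    return {(q or b).lower() for q, b in TOKEN.findall(cmdline) if SCRIPT_EXT.search(q or b)}


def office_ancestor(pid: int, by_pid: dict):
    """Walk the ppid chain and return the first Office process pid, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if basename(ev.image) in OFFICE_IMAGES:
            return ev.pid
        pid = ev.ppid
    return None


def office_spawned_children(events):
    """Rule 1: an Office process spawning any child outside the allowlist."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in OFFICE_IMAGES \
                and basename(e.image) not in ALLOWED_OFFICE_CHILDREN:
            hits.append((parent.pid, e.pid, basename(e.image)))
    return hits


def link_script_lineage(events):
    """Rule 2: a script host running a script that an Office-descended process
    referenced earlier, where the host itself has no Office ancestor (broken lineage)."""
    by_pid = {e.pid: e for e in events}
    staged = {}  # script path -> Office pid that (indirectly) referenced it first
    links = []
    for e in events:
        paths = script_paths(e.cmdline)
        if not paths:
            continue
        origin = office_ancestor(e.pid, by_pid)
        if basename(e.image) in SCRIPT_HOSTS:
            for p in paths:
                if origin is None and p in staged:
                    links.append({"script": p, "host_pid": e.pid,
                                  "parent_pid": e.ppid, "office_pid": staged[p]})
        elif origin is not None:
            for p in paths:
                staged.setdefault(p, origin)
    return links


def fingerprint_reads(reg_events):
    """Rule 3: Office processes reading CPU/BIOS description keys."""
    return [(r.pid, r.key) for r in reg_events
            if basename(r.image) in OFFICE_IMAGES
            and any(k in r.key.lower() for k in FINGERPRINT_KEYS)]


def analyse(proc_events, reg_events) -> dict:
    return {"unexpected_children": office_spawned_children(proc_events),
            "script_lineage": link_script_lineage(proc_events),
            "fingerprint_reads": fingerprint_reads(reg_events)}


if __name__ == "__main__":
    print(json.dumps(analyse(PROC_EVENTS, REG_EVENTS), indent=2))
```

Rule 2 is the one that matters for this sample: the only thing the two explorer.exe branches have in common is the path C:\Users\Public\Documents\c8uTi.vbs, so the rule records which Office process first referenced a script file and later attributes any script-host launch of that file back to it, regardless of who the host's direct parent is.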
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 550B
MD5: 7bfa2f54ea0fd248de25286bf0162893
SHA1: 6ed65b4670c52687c722663fb5329341ffd3f13a
SHA256: 8b5b08050ed804f472b8d6cf63b414131612c1b3058a9e8665dceaf410503c5d
SHA512: 91d703680ce560f0282507561ab8421358e76205ff11d61bdf899699dabaa35f2f97dd9f665f53fcc96a4340a66669a08df4e228e89209be898e5a9a615cc753