Analysis
max time kernel: 102s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28/12/2023, 06:35
Behavioral task: behavioral1
Sample: cc31c5d769e28c33b79dfb1c2b6cbea6.xls
Resource: win7-20231215-en
Signatures: 9
Duration: 150 seconds
General
Target: cc31c5d769e28c33b79dfb1c2b6cbea6.xls
Size: 317KB
MD5: cc31c5d769e28c33b79dfb1c2b6cbea6
SHA1: c796c4c1878053f2e5ec3b70bdd84b304d1c4c30
SHA256: 48c8327b8fa0bd5e233a28148952aacad1180803bd004d344321eadc6c710479
SHA512: dfd4d3ac4510b67bef8fcc4730c7d625b3860139859e82a5bf417a12ea2b438f88e7b46cc470378eda0fb75d37892e944ae925bfc9a3d030f4cd93003576f45e
SSDEEP: 6144:wz+dIDeVH2K6CLNBYxDjYl76c2bOAGriOQR6pxHkOn:sDVVzGrKR6
Score: 10/10
Malware Config
Signatures
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
- pid 1568, Process cmd.exe, pid_target 2480, procid_target 16: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
- pid 1660, Process cmd.exe, pid_target 2480, procid_target 16: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
- pid 276, Process cmd.exe, pid_target 2480, procid_target 16: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry (2 TTPs, 1 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (Process: EXCEL.EXE)
Modifies Internet Explorer settings
- Set value (int): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (Process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (Process: EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (Process: EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (Process: EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (Process: EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (Process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (Process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar (Process: EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt (Process: EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- pid 2480, Process EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- pid 2480, Process EXCEL.EXE

Suspicious use of SetWindowsHookEx (4 IoCs)
- pid 2480, Process EXCEL.EXE (reported 4 times)

Suspicious use of WriteProcessMemory (16 IoCs)
- PID 2480 wrote to memory of 276: pid 2480, Process EXCEL.EXE, procid_target 37 (reported 4 times)
- PID 2480 wrote to memory of 1660: pid 2480, Process EXCEL.EXE, procid_target 36 (reported 4 times)
- PID 2480 wrote to memory of 1568: pid 2480, Process EXCEL.EXE, procid_target 34 (reported 4 times)
- PID 276 wrote to memory of 1868: pid 276, Process cmd.exe, procid_target 30 (reported 4 times)

Views/modifies file attributes (1 TTPs, 1 IoCs)
- pid 1868, Process attrib.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2480)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cc31c5d769e28c33b79dfb1c2b6cbea6.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1568)
    Command line: C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process

  C:\Windows\SysWOW64\cmd.exe (PID 1660)
    Command line: C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process

  C:\Windows\SysWOW64\cmd.exe (PID 276)
    Command line: C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\attrib.exe (PID 1868)
  Command line: attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  - Views/modifies file attributes