Analysis
max time kernel: 0s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/12/2023, 07:28
Behavioral task behavioral1
Sample: cfd153a595713e86a8b9cdd8d09febf2.xls
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: cfd153a595713e86a8b9cdd8d09febf2.xls
Resource: win10v2004-20231215-en
General
Target: cfd153a595713e86a8b9cdd8d09febf2.xls
Size: 269KB
MD5: cfd153a595713e86a8b9cdd8d09febf2
SHA1: 424c5e2da8e694b8272bc90f832063d428626446
SHA256: 24c2efae134fae798994df78b62435b1ef1d7f958d272dd487d3f46838b757a2
SHA512: e459cd67cdc8b58b25393e04e6ddaa51ca5e5be03fceecdb6e78dc802b82a90580bede121e6ea9bc0109267723a7d66bd4e0a152505622164dd6b9e036335ba4
SSDEEP: 6144:/q25Xo850IFPAlSNUY7INwSqb53ClmAZxzuCgk4B/09e31dN:o85PFPATjqSICoWVUb3bN
Malware Config
Signatures

Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 640 | 4880 | cmd.exe | 18
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4732 | 4880 | cmd.exe | 18
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2012 | 4880 | cmd.exe | 18
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2000 | 4880 | cmd.exe | 18
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3020 | 4880 | cmd.exe | 18
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 640 | 4880 | cmd.exe | 18

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
228 | attrib.exe
1452 | attrib.exe

Views/modifies file attributes (1 TTP, 4 IoCs)
pid | Process
1452 | attrib.exe
3768 | attrib.exe
1452 | attrib.exe
228 | attrib.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4880)
  cmd: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cfd153a595713e86a8b9cdd8d09febf2.xls"
    C:\Windows\system32\cmd.exe (PID 640)
      cmd: "C:\Windows\system32\cmd.exe" /c attrib -s -h c:\setflag.exe
      sig: Process spawned unexpected child process
        C:\Windows\system32\attrib.exe (PID 1452)
          cmd: attrib -s -h c:\setflag.exe
          sig: Views/modifies file attributes
    C:\Windows\system32\cmd.exe (PID 4732)
      cmd: "C:\Windows\system32\cmd.exe" /c extract /E /Y /L c:\ c:\cab.cab
      sig: Process spawned unexpected child process
    C:\Windows\system32\cmd.exe (PID 2012)
      cmd: "C:\Windows\system32\cmd.exe" /c extrac32 /E /Y /L c:\ c:\cab.cab
      sig: Process spawned unexpected child process
    C:\Windows\system32\cmd.exe (PID 2000)
      cmd: "C:\Windows\system32\cmd.exe" /c attrib -s -h c:\sendto.exe
      sig: Process spawned unexpected child process
    C:\Windows\system32\cmd.exe (PID 3020)
      cmd: "C:\Windows\system32\cmd.exe" /c attrib +s +h c:\setflag.exe
      sig: Process spawned unexpected child process
        C:\Windows\system32\attrib.exe (PID 1452)
          cmd: attrib +s +h c:\setflag.exe
          sig: Sets file to hidden
          sig: Views/modifies file attributes
    C:\Windows\system32\cmd.exe (PID 640)
      cmd: "C:\Windows\system32\cmd.exe" /c attrib +s +h c:\sendto.exe
      sig: Process spawned unexpected child process
        C:\Windows\system32\attrib.exe (PID 228)
          cmd: attrib +s +h c:\sendto.exe
          sig: Sets file to hidden
          sig: Views/modifies file attributes

C:\Windows\system32\extrac32.exe (PID 4620)
  cmd: extrac32 /E /Y /L c:\ c:\cab.cab

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3620)
  cmd: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Windows\system32\attrib.exe (PID 3768)
  cmd: attrib -s -h c:\sendto.exe
  sig: Views/modifies file attributes