Analysis
max time kernel: 141s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 31/12/2023, 03:55
Behavioral task behavioral1
Sample: 271b9aa2476aca33609c50c52ae89af2.xlsm
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: 271b9aa2476aca33609c50c52ae89af2.xlsm
Resource: win10v2004-20231215-en
General
Target: 271b9aa2476aca33609c50c52ae89af2.xlsm
Size: 320KB
MD5: 271b9aa2476aca33609c50c52ae89af2
SHA1: c16c72b53a97fd5685e27ecb0a7adb5f64f8c9a2
SHA256: 0b421b87c36302cbad0135de0e6e6f4ff8968e3d2d4ea9d5bda1462d8ef14e49
SHA512: 6a284f9969a080a45acfefb7923e8d7d71d96550d9001bcd1def8ad0a39353b68e5f7d90081939cd7cabb91ed3ab880aa023d223970e0b164311a0e87b07817b
SSDEEP: 6144:STtZbAPPimNA/kjoitkGchiByRwhMOSTTcoKf6nhYYMfxg3wmhE0qf:otZbAPDNAcM2coByRwMOSTwNf6nhYYMV
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target | Parent
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1020 | 2428 | MSHTA.exe | 19 |

Blocklisted process makes network request (6 IoCs)
flow | pid | Process
55 | 1020 | MSHTA.exe
56 | 1020 | MSHTA.exe
59 | 1020 | MSHTA.exe
61 | 1020 | MSHTA.exe
63 | 1020 | MSHTA.exe
67 | 1020 | MSHTA.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2428 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2428 | EXCEL.EXE
2428 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE
2428 | EXCEL.EXE

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 2428 wrote to memory of 1020 | 2428 | EXCEL.EXE | 94
PID 2428 wrote to memory of 1020 | 2428 | EXCEL.EXE | 94
Processes

Depth 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\271b9aa2476aca33609c50c52ae89af2.xlsm"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2428

  Depth 2: C:\Windows\SYSTEM32\MSHTA.exe
  Command line: MSHTA C:\ProgramData\bFWERerWbW.sct
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  PID: 1020
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 26KB
MD5: f3d9981eafeaed7b4240d7922de3bce9
SHA1: f63f8fb2ea189a2f23a77300eb4b86f4d75dc745
SHA256: ea9fe0f7858931e74974e3712923942f9ba9be883ec32e06b8b62d009e3b026e
SHA512: ad065d44ec4b3536fa27bd144ae1410295170cba2190bac6816fcf046d136ca4bcdabe9b33aff4830cd53aa3cea6ab7d3ff7569a2dfd613662c5e2a66ac7b69a