Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
158s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 04:06
Behavioral task
behavioral1
Sample
27769a494737638fc8b75033bb03252e.xlsb
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
27769a494737638fc8b75033bb03252e.xlsb
Resource
win10v2004-20231215-en
General
-
Target
27769a494737638fc8b75033bb03252e.xlsb
-
Size
370KB
-
MD5
27769a494737638fc8b75033bb03252e
-
SHA1
4a8bd03a9e3d334cc4674f0f391bfea273343f02
-
SHA256
558aacbcc50755ff47a4339dce681bd7158dc1c5c862fc390ded0e153edb95ae
-
SHA512
219b1b9002a5dceeb0e31aaddae5cd6184f8ed9610db781274ad45757d580dbb3303df1a93d0c3a565a6175caf7b418f33e3e59e859ba7644cebb9d36996bde1
-
SSDEEP
6144:oXPQ+z9ssjp/d6Ef2LohOGYw6CC5jTT453mjEIbWiGVAKSLFN+YInSCRvuPsxNR:kPQ+z9ZlmL2OGY/TTy2jEIJc6FNu3uPs
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4568 4360 wmic.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 236 4476 mshta.exe 90 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4360 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4568 wmic.exe Token: SeSecurityPrivilege 4568 wmic.exe Token: SeTakeOwnershipPrivilege 4568 wmic.exe Token: SeLoadDriverPrivilege 4568 wmic.exe Token: SeSystemProfilePrivilege 4568 wmic.exe Token: SeSystemtimePrivilege 4568 wmic.exe Token: SeProfSingleProcessPrivilege 4568 wmic.exe Token: SeIncBasePriorityPrivilege 4568 wmic.exe Token: SeCreatePagefilePrivilege 4568 wmic.exe Token: SeBackupPrivilege 4568 wmic.exe Token: SeRestorePrivilege 4568 wmic.exe Token: SeShutdownPrivilege 4568 wmic.exe Token: SeDebugPrivilege 4568 wmic.exe Token: SeSystemEnvironmentPrivilege 4568 wmic.exe Token: SeRemoteShutdownPrivilege 4568 wmic.exe Token: SeUndockPrivilege 4568 wmic.exe Token: SeManageVolumePrivilege 4568 wmic.exe Token: 33 4568 wmic.exe Token: 34 4568 wmic.exe Token: 35 4568 wmic.exe Token: 36 4568 wmic.exe Token: SeIncreaseQuotaPrivilege 4568 wmic.exe Token: SeSecurityPrivilege 4568 wmic.exe Token: SeTakeOwnershipPrivilege 4568 wmic.exe Token: SeLoadDriverPrivilege 4568 wmic.exe Token: SeSystemProfilePrivilege 4568 wmic.exe Token: SeSystemtimePrivilege 4568 wmic.exe Token: SeProfSingleProcessPrivilege 4568 wmic.exe Token: SeIncBasePriorityPrivilege 4568 wmic.exe Token: SeCreatePagefilePrivilege 4568 wmic.exe Token: SeBackupPrivilege 4568 wmic.exe Token: SeRestorePrivilege 4568 wmic.exe Token: SeShutdownPrivilege 4568 wmic.exe Token: SeDebugPrivilege 4568 wmic.exe Token: SeSystemEnvironmentPrivilege 4568 wmic.exe Token: SeRemoteShutdownPrivilege 4568 wmic.exe Token: SeUndockPrivilege 4568 wmic.exe Token: SeManageVolumePrivilege 4568 wmic.exe Token: 33 4568 wmic.exe Token: 34 4568 wmic.exe Token: 35 4568 wmic.exe Token: 36 4568 wmic.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4360 EXCEL.EXE 4360 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE 4360 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4360 wrote to memory of 4568 4360 EXCEL.EXE 96 PID 4360 wrote to memory of 4568 4360 EXCEL.EXE 96
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\27769a494737638fc8b75033bb03252e.xlsb"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\System32\Wbem\wmic.exewmic process call create 'mshta C:\ProgramData\PwSqGAjCETBW.sct'2⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
-
C:\Windows\system32\mshta.exemshta C:\ProgramData\PwSqGAjCETBW.sct1⤵
- Process spawned unexpected child process
PID:236
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD588eb928327ec6e7e4ad4e8516118e1b4
SHA1ba10a34305ad802c00e2302848bfb3184f0db0a8
SHA256e8da6248cd02e3cfbe9cab1f450c61887bd0752b9d81f46a9480b90fefd73597
SHA5126afcb97b5ad5680c3d4c8c5dcd978784420c0684e5ca1e271755c6f06ed2f6d92b4d8b0ff14aae43030f858fc138d8f09c4a50626e87b8bca1da6f1ba4ebe698