Analysis
max time kernel: 143s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 05:51
Behavioral task: behavioral1
Sample: 2ab7590fe165c9167d84ef2cdc0e02a2.xlsm
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 2ab7590fe165c9167d84ef2cdc0e02a2.xlsm
Resource: win10v2004-20231215-en
General
Target: 2ab7590fe165c9167d84ef2cdc0e02a2.xlsm
Size: 254KB
MD5: 2ab7590fe165c9167d84ef2cdc0e02a2
SHA1: e81bdf750bae5674afa91901d9e1283881b27c72
SHA256: 21e2bab61ebddbbc47292ed5ef733b56073cd8590959ebeb01c583f7180612b6
SHA512: 7ce6057d27810da5577e54c702557c4cd0ae1763f88a83f991bb0a0045291159045cf98af55b662a060a46cb37c28c983b37659c0533229702bcfc1c8b4e7178
SSDEEP: 6144:SotZbAPPimNA/kjoitk3R0hFEWETy4e/+AiOdPXMDnpVfblao:vtZbAPDNAcMR0hFEWETU/mOVcrfN
Malware Config

Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4872 | 3888 | MSHTA.exe | 86
Blocklisted process makes network request (4 IoCs)
flow | pid | Process
71 | 4872 | MSHTA.exe
72 | 4872 | MSHTA.exe
84 | 4872 | MSHTA.exe
86 | 4872 | MSHTA.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3888 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3888 | EXCEL.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (16 IoCs)
pid | Process
3888 | EXCEL.EXE (16 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 3888 wrote to memory of 4872 | 3888 | EXCEL.EXE | 99
PID 3888 wrote to memory of 4872 | 3888 | EXCEL.EXE | 99
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2ab7590fe165c9167d84ef2cdc0e02a2.xlsm"
   PID: 3888
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\MSHTA.exe (child of PID 3888)
      Command line: MSHTA C:\ProgramData\caIxLZfHVlkoIy.sct
      PID: 4872
      - Process spawned unexpected child process
      - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 26KB
MD5: eac9031300c7d5487465157d4e1c1c33
SHA1: 7adfba577f1e581e4d1b2de3fafee9b8787f909c
SHA256: c6ba4f19adc7d8216a0a3fb5babb767061f23539694100ce69fbebdf8cdb1b02
SHA512: ee3db322f9329989223737be9162136e749a6c46de537f38e7617927300cf51b0a3fa967e6f5a81d64f71f2a255a5b176a5010b1b1b83c14f9e3539e6fd62fef