Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
31/12/2023, 07:11
Behavioral task
behavioral1
Sample
2ce295dcd3764b8618daeade78c6e6c4.xlsb
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2ce295dcd3764b8618daeade78c6e6c4.xlsb
Resource
win10v2004-20231215-en
General
-
Target
2ce295dcd3764b8618daeade78c6e6c4.xlsb
-
Size
344KB
-
MD5
2ce295dcd3764b8618daeade78c6e6c4
-
SHA1
46045b4d9f509a83cedfafaa48a05c19f52249a4
-
SHA256
6de25ca57c86190d89f900b0d6c95bc5484102e46180f39c916e0f6b2ddca9f1
-
SHA512
aeba76bd6561f5976724d8be3f07a909e105a9f306f5053d055d0d9bfb180716aea77abf61550af08a1d1b8b3acee6c22e6fdaa35acdf225ad11d6acb4519871
-
SSDEEP
6144:ogkHHNfWH2LohOGYw6CC5jTT453mjEIbWiGVAKSLFN+YInSCRvuPsxN5j:kHNuWL2OGY/TTy2jEIJc6FNu3uPmNN
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 2008 2968 wmic.exe 27 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2748 2808 mshta.exe 30 -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2968 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2968 EXCEL.EXE 2968 EXCEL.EXE 2968 EXCEL.EXE
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2ce295dcd3764b8618daeade78c6e6c4.xlsb1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2968 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create 'mshta C:\ProgramData\NwLapcDikupcDN.sct'2⤵
- Process spawned unexpected child process
PID:2008
-
-
C:\Windows\system32\mshta.exemshta C:\ProgramData\NwLapcDikupcDN.sct1⤵
- Process spawned unexpected child process
PID:2748
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD547a1984764f641f98646dbbcea540752
SHA155db505e8937b8a0785182489cc2eae2416031ec
SHA256b8800720ee043b8c52ff1f4d485e7b7a6ba2dd357c5cb90e87fb0790a473bb73
SHA5129be49306a5f3e0a61fb77aef2a96ddb029a50b7adaedab7ad1f3adb4adbc19485bc0f482504ba31c71612e7d65920dc54e700614cd753c9667a08d3d9d204608