Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 05:47
- Static task: static1
- Behavioral task: behavioral1
  Sample: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
  Resource: win7-20231215-en
- Behavioral task: behavioral2
  Sample: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
  Resource: win10-20231215-en
- Behavioral task: behavioral3
  Sample: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
  Resource: win10v2004-20231215-en
General
- Target: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
- Size: 302KB
- MD5: 250841072f7bb27d6a75cd026249bb87
- SHA1: 190342d9c712d9af9a3dce9eb3f2ff32bf100e23
- SHA256: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b
- SHA512: 27435486bd6eec7c591ec5388aec063d0ceb6f7198bda22dcb5c01dab11aaf878fa5d4b8723fefcb1983387e011100effd1e39d9e38f5b5511e2b1c997b788f0
- SSDEEP: 6144:6vBNSHBMixiMK6G+ZFrTUvCp4sJgo0r6Rz4rN9RjymY7TaGv37Aodpz:6vBNQpozwjTqCfgo0ugNymWbvrf3
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                             Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                                             Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                    WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                              EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                    EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                              WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily                 WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  2680  EXCEL.EXE
  3224  WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeAuditPrivilege  3224  WINWORD.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2680  EXCEL.EXE (2 entries)
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid   Process
  2680  EXCEL.EXE (12 entries)
  3224  WINWORD.EXE (4 entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                        pid   Process      procid_target
  PID 3224 wrote to memory of 4444   3224  WINWORD.EXE  93
  PID 3224 wrote to memory of 4444   3224  WINWORD.EXE  93
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- EXCEL.EXE (PID 2680), depth 1
  Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls"
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- WINWORD.EXE (PID 3224), depth 1
  Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - splwow64.exe (PID 4444), depth 2, child of WINWORD.EXE
    Image: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- svchost.exe (PID 3892), depth 1
  Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C725172-6467-4E95-ACF7-7E3C242ECBB7
  Filesize: 158KB
  MD5: 1bb1d0124e74eb7bab7b41f6e08b63b9
  SHA1: 56bdf600fa61fa42ccfaf6e4e82365cb87b542bc
  SHA256: 59cfcc69d1a0722dceee1f72ea505bd37c779c95cde627fe2fd9d5df5799a3f3
  SHA512: 73ec4815d1ac32fb4e7a6fc587dc2b403e4e3763b831a3c28baf7256c347b799e31ce71cc6c0e71f4fecb2dd7fee6ef9aa2682494e70adafe27c9f448bd6d1be
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: a6204c15daf2f6c77f638aa89796c6a8
  SHA1: 75da253069e822e439e171313e64fe0562af3a3f
  SHA256: a0a3db8d68f007122c61dc6a5e8a9fde7dd150162424f5f6ffeb60e7e4c80cf0
  SHA512: 39e23f5894e5acd1dbb13ff2cc5b5a7322c1b7772bfaa747d80f229e12c2135910c80de6ece17cb67ae225c0f0894043ed6c2bbc84b38fd553b5d936ad2b29c4
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: cf2127e120ba81bca0a3fa8b0f93a0af
  SHA1: c27df69f44b949ae45b13cc83a8b4bca12d4043f
  SHA256: 93ed2134af9170efe00e624eb599e374fdb0e6c6eebea83f1192d6ef1cac04ed
  SHA512: 9e58c5b107a7341e70ca1b756773e18a0e1ab2150a4c0124cf501b8fb58607bcf4776ac6a68d50cecfb5ac7d6ff6e11c5a6290c399ee2e84c530832e4593fc9b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMK4G1YN\microbiolagicalthingshappeneingaroundtheworldforentireprocesstostartfromthefirsttonowforev[1].doc
  Filesize: 61KB
  MD5: adf6b4115caf260b8f57c1fd9bb618ec
  SHA1: 5ed800417118abeb366163bcda0608b0d0109a66
  SHA256: 6ebe7e25c68f5e44b3e542b47ca7d0faab3fa7c7f1b71e17f5fdaeb7f4a7b003
  SHA512: 706d851d922f53e83783f7f5ed65b24e8322c64db3f6e03f19e5aa6bce3ea504a5f221cfa8d6700e374b5cc5c94415c9f0bd3386dd872974738c9788400f43dc