Analysis
  max time kernel: 149s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25/01/2024, 01:35
Static task: static1
Behavioral task: behavioral1
  Sample: 91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641.xls
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641.xls
  Resource: win10v2004-20231222-en
General
  Target: 91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641.xls
  Size: 649KB
  MD5: 1ab4496b7169a2da02da21e37b955c46
  SHA1: 1c1431f691118948783af2036c81a21302f17f11
  SHA256: 91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641
  SHA512: a00d67be27684bc40d5d4be7ebfd2e69339c59f097467d2c5197e40198891100ad4376c8fd0399c67c8761879228d6e4a2bf684b9de0b320f6a91e909552e843
  SSDEEP: 12288:OSVpBC6uEkDogpozwjToLn9Iz79q1uaXgX/r196YlajfsQa5hX:7w6siWGg7I1uaXgXj196uaTOv
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                 Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Both Office hosts read the same two values (~MHz and ProcessorNameString), so this is low-signal on its own and should be weighed together with the process tree below.

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                                  Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                   EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU         EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                   WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU         WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  1704  EXCEL.EXE
  2552  WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeAuditPrivilege  2552  WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
  pid   Process      hooks installed
  1704  EXCEL.EXE    12
  2552  WINWORD.EXE  4

Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process      procid_target
  PID 2552 wrote to memory of 2628  2552  WINWORD.EXE  92
  PID 2552 wrote to memory of 2628  2552  WINWORD.EXE  92
Both writes target PID 2628, the splwow64.exe child that WINWORD.EXE starts in the process tree below; there is no write into an unrelated process.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No IoC rows are recorded for this signature, so the calling process is not attributed here.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots. No IoC rows are recorded for this signature.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. No IoC rows are recorded for this signature.
Processes
  C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 1704, depth 1)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641.xls"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 2552, depth 1)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe  (PID 2628, depth 2, child of 2552)
      command line: C:\Windows\splwow64.exe 12288
  C:\Windows\system32\svchost.exe  (PID 624, depth 1)
    command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

The -Embedding switch is what COM passes when it starts a registered LocalServer32, so WINWORD.EXE was activated as an out-of-process COM server during the run rather than launched by the user. Out-of-process COM servers are started by the DCOM launch infrastructure, not by the client, which is why the tree shows no parent link from EXCEL.EXE to WINWORD.EXE even though the spreadsheet is the only document that was opened. splwow64.exe is the print driver host that the spooler provides for 32-bit processes on 64-bit Windows, and the PrintWorkflow svchost is the matching user print service; the only WriteProcessMemory target in the report is this child, which is consistent with ordinary child start-up rather than injection into a foreign process.
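The signature tables and the process list above are flattened one-line extracts. The following is an added example written for this page (it is not code from tria.ge or from the report) that parses those extracts back into structures and draws the same triage conclusions as the notes above: it resolves the N⤵ depth markers into parent PIDs, resolves the WriteProcessMemory target PID to an image name, flags the -Embedding activation, and treats the CPU/BIOS registry reads as weak evidence because both Office hosts read the identical four values. The OFFICE set, the PROCESSES tuples (copied from the tree above) and the finding texts are this example's own assumptions.

```python
"""Added example (editor's own code, not part of the tria.ge report): parse the
flattened signature rows and the process list reproduced above and derive
triage findings from them.  Inputs are copied from the report; the OFFICE set
and the finding texts are this example's own heuristics."""
import re
from collections import defaultdict

# Signature tables as they appear on the page: one flattened line each.
REGISTRY_LINES = [
    r"description ioc Process "
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE "
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE",
    r"description ioc Process "
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE "
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE",
]
WRITE_LINE = ("description pid Process procid_target "
              "PID 2552 wrote to memory of 2628 2552 WINWORD.EXE 92 "
              "PID 2552 wrote to memory of 2628 2552 WINWORD.EXE 92")

# Process list copied from the tree above: (depth from the N⤵ marker, pid, image, command line).
PROCESSES = [
    (1, 1704, "EXCEL.EXE", r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                           r'"C:\Users\Admin\AppData\Local\Temp\91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641.xls"'),
    (1, 2552, "WINWORD.EXE", r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding'),
    (2, 2628, "splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    (1, 624, "svchost.exe", r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"),
]
OFFICE = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}  # assumption: Office document hosts

REG_ROW = re.compile(r"(Key opened|Key value queried) (\\REGISTRY\S+) (\S+\.EXE)")
WRITE_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_registry_rows(lines):
    """Split flattened 'description ioc Process' rows into dicts."""
    rows = []
    for line in lines:
        for action, key, proc in REG_ROW.findall(line):
            rows.append({"action": action, "key": key, "process": proc})
    return rows


def queried_values(rows):
    """Map process name -> sorted registry value names it actually read."""
    out = defaultdict(set)
    for r in rows:
        if r["action"] == "Key value queried":
            out[r["process"]].add(r["key"].rsplit("\\", 1)[1])
    return {p: sorted(v) for p, v in out.items()}


def parse_write_rows(line):
    """Return de-duplicated (src_pid, dst_pid, src_image) tuples."""
    seen = []
    for src, dst, image in WRITE_ROW.findall(line):
        t = (int(src), int(dst), image)
        if t not in seen:
            seen.append(t)
    return seen


def build_tree(processes):
    """Resolve the report's depth markers into parent PIDs (depth-1 rows are roots)."""
    tree, stack = {}, []
    for depth, pid, image, cmd in processes:
        del stack[depth - 1:]                # pop back to this row's parent level
        parent = stack[-1] if stack else None
        tree[pid] = {"image": image, "cmd": cmd, "parent": parent}
        stack.append(pid)
    return tree


def triage(tree, writes, values):
    """Turn the parsed artefacts into human-readable findings (editor's heuristics)."""
    findings = []
    for pid, p in tree.items():
        if p["cmd"].rstrip().endswith("-Embedding"):
            findings.append(f"{p['image']} ({pid}) started via COM activation (-Embedding)")
        par = tree.get(p["parent"])
        if par and par["image"] in OFFICE and p["image"] not in OFFICE:
            findings.append(f"{par['image']} ({p['parent']}) spawned {p['image']} ({pid})")
    for src, dst, image in writes:
        target = tree.get(dst, {})
        rel = "its own child" if target.get("parent") == src else "an unrelated process"
        findings.append(f"{image} ({src}) wrote into {target.get('image', '?')} ({dst}), {rel}")
    for proc, vals in values.items():
        if proc in OFFICE:
            findings.append(f"{proc} read CPU/BIOS values {vals}: weak evidence on its own")
    return findings


if __name__ == "__main__":
    vals = queried_values(parse_registry_rows(REGISTRY_LINES))
    for line in triage(build_tree(PROCESSES), parse_write_rows(WRITE_LINE), vals):
        print(line)
```

The depth stack in build_tree is the part worth keeping: the report's tree is encoded only by the 1⤵/2⤵ markers, and resolving them is what lets the WriteProcessMemory target (2628) be read as "own child" rather than as a cross-process injection.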
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\447C795F-ED5E-4BAC-8EE9-9299CEB8808C
    Filesize: 159KB
    MD5: aeb290052aaf71a9df853a771f6e75aa
    SHA1: b04c5a2e83bcde5cdbb9844a442012f81f713494
    SHA256: 42f2280ff7bb1c055fb6c061d090397baae8edaba02b304625d26a9ca8412b55
    SHA512: e8ad63ff90d43669dc5f4a751913e7f1e2738e77fc3276dd9ec9f9362c25889d2d45e45b44c190b0da2968aec237a85259ad002345fa5c8adfb9e268990c2bba
  C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
    Filesize: 2KB
    MD5: c25eb05dc42960a4e36a909765ecb5ea
    SHA1: 32c161742d9dc6c78b887f12c6e060b27d346100
    SHA256: 66498ad67b498c6beea7f028b4b5991b158d48e06328e0dc46e6a033253e905b
    SHA512: c22f5b04116c36a34253a121fd4e3618e1e4d7c71ab5ba20208807e4e5095a7803394763ce7bc33dc71e2ca5edf4fc89a803469c3a523ce7877a273c59e5b12d
  C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
    Filesize: 2KB
    MD5: 818710f7c5df048650d3db7cd3ce1aba
    SHA1: ab8423cc5561d53a98467bb63d8df3d10e05a9cf
    SHA256: 014eaf1d08ce6aeee1c49346dc03445940b834f9f5b7bd3b06a278d203fbcf06
    SHA512: 86aaa75e7c5f679d78b2675eeaf2ad98d84f87000e44f7ae5bda982ffcd8297e10422eefeddb26bf5ce68ab9b87d007ba43b9e2f78b4409b90bed202f8b1bc71
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\microsoftunderstandhowimportantfortheupdationofnewserviceentirefuturewaitingfordesignthenew[1].doc
    Filesize: 54KB
    MD5: 1576f9c9b9bd52cc54a24122585d04e5
    SHA1: df18e510cb424c1a14235be98eb44f6cf797a0a7
    SHA256: 9a683ca63641a2e7a96bd11bf621a9968add7bb4d11ab4ec20f53ceb0904cef2
    SHA512: fe25fc1b1213c3e28b9682d3e3eab63d1fdc24a56ce62e3ea982fd8bdcc4b120046e07bcb56f237b98bc0dfaecafe6e9ef143cdf733f159a961cc1c28f88f8c1

The first three entries are ordinary Office artefacts: the officeclient.microsoft.com WebServiceCache blob is client configuration and the .tbres files are TokenBroker sign-in cache. The fourth is the one to pivot on: a 54KB Word document sitting in the WinINet cache (INetCache\IE, with WinINet's "[1]" de-duplication suffix), which means it was retrieved over HTTP(S) during the run rather than dropped from the spreadsheet itself. The URL it was fetched from is not recorded in this extract, so the SHA256 above is the pivot for the second-stage document.