Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: Cerere de cotatie.xla.xls
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Cerere de cotatie.xla.xls
  Resource: win10v2004-20240226-en
General
Target: Cerere de cotatie.xla.xls
Size: 38KB
MD5: 558fadb14037e01b78e223e799b568d3
SHA1: 43758e1db2bc0fb7fded6ec864ec20973b26251a
SHA256: 64020a7a3f5f6c589272f28d727318eb5eb4eb4d41510679cb8134c0325c8fe2
SHA512: ddf577683063e86cdcd27d850a4a1b25caa97adc7b31241d164abe5007de7ab74f832551db5a61bd105887a70ee8f7384ee602ffe40c21b8b5fa3ead25f4e254
SSDEEP: 768:2yBP0SIN+KncBtECea+bTK6p4Gjtw/tO9vkpjInEzkrFW57vsk60:2689hnIt7eR64twX0nEzksBD60
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  1748 | EXCEL.EXE
  3536 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeAuditPrivilege | 3536 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  1748 | EXCEL.EXE
  1748 | EXCEL.EXE
  1748 | EXCEL.EXE
  1748 | EXCEL.EXE
  1748 | EXCEL.EXE
  1748 | EXCEL.EXE
  1748 | EXCEL.EXE
  1748 | EXCEL.EXE
  3536 | WINWORD.EXE
  3536 | WINWORD.EXE
  3536 | WINWORD.EXE
  3536 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 3536 wrote to memory of 1384 | 3536 | WINWORD.EXE | 96
  PID 3536 wrote to memory of 1384 | 3536 | WINWORD.EXE | 96
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Cerere de cotatie.xla.xls"
  PID: 1748
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 3536
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child of PID 3536)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1384
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1648
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 471B
  MD5: ba25b25faf256829d339af7900e404d5
  SHA1: 1389956a8d13cc3d49f5b0309a25a7132a8a3c9d
  SHA256: 71cd327b45891d3b650fa8248b5f722cec8fe4cccb4a876f91374feeebe38422
  SHA512: 693248c89489f0f4e59ae321431eada5d291835f6caa4f8229809800087dc8ea92d1f5d3e3c336d71c2763f836aad577575aed13a8c91e99f22d4d6fdd52f2ff
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 412B
  MD5: 540bb5e0360022651792b56cdcf78ceb
  SHA1: d8c32545d431c1868a381752155cd2cd41825696
  SHA256: 409241a32e47bb2877896095da39ec2317bb61418ab63ba7245ba743ba3132a9
  SHA512: af43efb8e222ae16a5b11db8985add9742e5bbe47d275a18ea7bbe2b2ed6d655066c7a1e7e16d30d567e4b16e91419e600234c580f0f6573cb326fba6a43fd74
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B043A0E9-DB7B-49F4-9582-5DE753CE8266
  Filesize: 160KB
  MD5: d0a13d018326cd6ba4161c69a5068704
  SHA1: 4226d2a1f3449eaaa551ccd88ac4661503dffa87
  SHA256: 3ba700c51e902bcdfbf60f2dfd423f11c703bbd718c0783d8667be9090e38045
  SHA512: 32b080bea9047a959d06c250786dd1aed5024b972c091f6f16c14fd3e40413fe6c0eb360be36e831b2265d67e103fa8b504dd4cec0cbb8279759eddf149110a8
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 6ebbc05c6242e37a608bcfe8ab2e1087
  SHA1: 826857e6fe6ba63aabfac8fb7efd6d9b815309e4
  SHA256: 4f91fd4da897945aee66b4c102c75327d5e45500fb4af8ec7de3dfb6f0900657
  SHA512: 5de48185fa4214b3cc4241228da21208f20cd12cfd024279cf1afc1333ffdeac65d5718ffef7733d3675f8d13a64d64004b7518dc06b564ef9d81150c7e930e3
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 9114d83a628619df4aa3aa5a301beda1
  SHA1: 5e5b3f63ec6c76a6d05f760d553d8772761e35a6
  SHA256: 528cfaad9b0e1711cc21979d1443c22c97f4a2de7ba64a55910621162e5be284
  SHA512: f6941b1459b253cf60c7debac4dbfe088bfc16e6c164e475a85f8de808c11326f761b02f5a4ecd6e151dad51de8e3fe1885aad6501a3598cc80b277d6e7945ec
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\20RAD7Y0\weareinlovewithmygirlfriendunderstandhowitistoget___youareverybeautifilformeiloveusoomuchalwaysloveutrulyfromtheheartlove[1].doc
  Filesize: 78KB
  MD5: 561ed5405267a715e9dcfea42b63f37e
  SHA1: 676b6196a706316bf3e311c58fd0ef991efc41a9
  SHA256: 2c58ca41949aa784dce6a2006162781fe7a7a5453cafb731ee4d512efe718c43
  SHA512: c746e89a41fc61077eef5ae0d7216d6d875c5cc94a53de20cfe61421aad781a2b71e668a94d8acbedab4542c488aed83753d472627033310681e7a03d9f3f986