Analysis
max time kernel: 152s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/03/2024, 19:04
Static task: static1
Behavioral task: behavioral1
  Sample: db31dc2379e6ab0f23282ebc765d898b157132d44e6983b295d196d3d5482683.xlsm
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: db31dc2379e6ab0f23282ebc765d898b157132d44e6983b295d196d3d5482683.xlsm
  Resource: win10v2004-20240226-en
General
Target: db31dc2379e6ab0f23282ebc765d898b157132d44e6983b295d196d3d5482683.xlsm
Size: 721KB
MD5: f2ea33d0dac94982939466937c360d04
SHA1: d6980ebf5c992ef121e8f97fe8c54535c2a7f724
SHA256: db31dc2379e6ab0f23282ebc765d898b157132d44e6983b295d196d3d5482683
SHA512: 8269ca1d6a9ec10c3966e4ef695ce6ef6dd26bca94ac483ca7eb2697a2f6bc42f5839d1edfe0eb92b7a5bb44355fc085f6164c6da4b6a37f4d2c78d0d03438fa
SSDEEP: 12288:SvA5ZamuBeqK2Un6lexMyIkw8aQASulUxwJDL3W9hLGA1Bge3KQjG:SvcZaxBRHUn6lexty8usYm9MAImjG
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description       | ioc                                                                                      | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    | EXCEL.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description       | ioc                                                        | Process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS        | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid  | Process
4788 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid  | Process
4788 | EXCEL.EXE
4788 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid  | Process
4788 | EXCEL.EXE (12 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
description                         | pid  | Process   | procid_target
PID 4788 wrote to memory of 3924    | 4788 | EXCEL.EXE | 101
PID 4788 wrote to memory of 3924    | 4788 | EXCEL.EXE | 101
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\db31dc2379e6ab0f23282ebc765d898b157132d44e6983b295d196d3d5482683.xlsm"
  PID: 4788
  Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  PID: 3740

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 4048