Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/04/2024, 15:32
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: new.xls, resource: win7-20240221-en)
- Behavioral task: behavioral2 (sample: new.xls, resource: win10v2004-20240412-en)
General
- Target: new.xls
- Size: 162KB
- MD5: 3656be2ecdf6e61566462ef1488090ad
- SHA1: 09de9cf6875a005f44bed96ed5ef95903b1c79ef
- SHA256: 7ae95a8a8acbb5edb84c2972ac93b61f525c74d9731d2d72af88e53a40faf01e
- SHA512: c7c4fad2497ed78611a557d93460b3069fe53e79fbb7da03e5b7468dc607e2a9fa608a1e380e0ad5e0794094daef4df00114d85a0485a17d9cda0f27535bd9f3
- SSDEEP: 3072:AXkJAg15J68xcYy/iCkku4+CyX4l9WGodWRtFxNP8l4eXa0H1G:AXunJ1cYy/ElCwW9zodWtF0l4en
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / process:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description / ioc / process:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid / process: 4060 EXCEL.EXE; 3676 WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process: Token: SeAuditPrivilege, 3676 WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid / process: 4060 EXCEL.EXE (12 entries); 3676 WINWORD.EXE (4 entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description / pid / process / procid_target: PID 3676 wrote to memory of 3588, 3676 WINWORD.EXE, 95 (2 identical entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\new.xls" (PID 4060)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding (PID 3676)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\splwow64.exe 12288 (PID 3588)
- C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc (PID 4032)
Network
MITRE ATT&CK Enterprise v15
Downloads