Analysis
- max time kernel: 249s
- max time network: 274s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/04/2024, 19:18

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: DANFOSS C-N FLATBAR.xlsx
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: DANFOSS C-N FLATBAR.xlsx
  Resource: win10v2004-20240226-en
General
- Target: DANFOSS C-N FLATBAR.xlsx
- Size: 37KB
- MD5: b3fd1101345a478f3163c9d4eceb2c9f
- SHA1: 41c86648d75c71257e9bbc5f5e213c85c711a79f
- SHA256: df67a20966375f72518cd2e188873904f33c9bd254e51569ae252bb61aee6312
- SHA512: d20bfa7dceb26e820302a9abffd3ed3ed8ed228b8f5ecfed7a104ffa6f5a1dc27107156fd7fa3022236c7b1c9345c722f956a242a30ca95f883bb41ee6bdc354
- SSDEEP: 768:uYLAbYtCmONKrIJ7uO9GXC/4I6vBaDml5+bJKYLFAhK:e8tCmVrC7uO93/4VrmFAhK
Malware Config
Signatures

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily                  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                     EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                               EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4076  EXCEL.EXE

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4076  EXCEL.EXE
  4076  EXCEL.EXE

- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid   Process
  4076  EXCEL.EXE  (13 identical hits)

- Suspicious use of WriteProcessMemory (2 IoCs)
  description                         pid   Process    procid_target
  PID 4076 wrote to memory of 4616    4076  EXCEL.EXE  94
  PID 4076 wrote to memory of 4616    4076  EXCEL.EXE  94
Processes

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4076)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DANFOSS C-N FLATBAR.xlsx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 4616, child of 4076)
    Command line: C:\Windows\splwow64.exe 12288

- C:\Windows\system32\svchost.exe (PID 4056)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1124)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8