Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2024, 05:49
Static task: static1
Behavioral task: behavioral1
- Sample: gmb.xls
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: gmb.xls
- Resource: win10v2004-20240412-en
General
- Target: gmb.xls
- Size: 317KB
- MD5: 37d7ed40a42e26fbc230b8ba27f5e7a7
- SHA1: e1bbcb647ab9a9997d5efcc1c9dccb0d6ae44fd2
- SHA256: 65fad97c98ab775a18d96e3ddbfd291500d23f856bde32bdab3fb2417560dacc
- SHA512: 3be9673b330b95c7c52d1328f50443821852f8e0471014338b066bbbedef302da7eaa7601d09ef507dd7e9d67ef7d8fd166f4e0c40b0f93942e46328237acfc3
- SSDEEP: 6144:EVunJE2uY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVYjMIrSdsLks3Azpt6Tf:E4JE2n3bVYjMIrSkkt86KWriT
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3788 | 1060 | MsoSync.exe | 90
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  2424 | EXCEL.EXE
  1060 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeAuditPrivilege | 1060 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (18 IoCs)
  pid | Process
  2424 | EXCEL.EXE (12 identical entries)
  1060 | WINWORD.EXE (4 identical entries)
  2424 | EXCEL.EXE (2 identical entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1060 wrote to memory of 4484 | 1060 | WINWORD.EXE | 92
  PID 1060 wrote to memory of 4484 | 1060 | WINWORD.EXE | 92
  PID 1060 wrote to memory of 3788 | 1060 | WINWORD.EXE | 95
  PID 1060 wrote to memory of 3788 | 1060 | WINWORD.EXE | 95
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\gmb.xls"
  PID: 2424
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 1060
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child of PID 1060)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 4484
  - C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe (child of PID 1060)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
    PID: 3788
    - Process spawned unexpected child process
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 2208
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: ad5aefd69c456466e97a0aa256aaaa4f
  SHA1: 2c4e9fd8897a0c4f78cf3610334cb24a51ec18cd
  SHA256: 73ae9fec50a02b16ba846791482d056e0e1364f346d9bc2168c6836b4abec210
  SHA512: f3be0bc26313215477431b6ed242990195e343608858ddfa398a05e99d033eefaa5f66bd4fb6a4e04ad6453062c87c8e49b92698c2a44f5145844597a9ca5a40
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 471B
  MD5: c32573bbc470ca4b90e0a379f07d77b9
  SHA1: 4f4ef2bc3367fe4e00bad99e39b09f08477d1a0a
  SHA256: cfed93a95891bb1254c125d8573eea655b87ea72a6eddd4e408e12d0d9902d40
  SHA512: 7e51463d428c11f49e7d7f820efcd27e39607cae5ca1ec7d93227219dbe54afd3a035278cb4518afc283bfea3fcbdd802fbdb6fb0f3efec43abc9f877feb1520
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 5233ca8057ade82b5275bb1020a1945a
  SHA1: 8d62387bc2ee9652e6f183b9a5096b2269f6f915
  SHA256: 9919d9f98d1d31258d6dfe1695868e065d6aca48a39b4d35fc0c50809706f3a0
  SHA512: e133eb0532deafba13822ee9a0bb9bca3fcf32f97d226b47cfb00000cdc2154a78cc419dc62b517ee616c40ff68a6cecf1c3139f9d0563cc910c902ae5585d71
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: 76845622a4dd5718568628df849bdd4c
  SHA1: d3b839347cea8e6ec775617485e4ec98cde2f5db
  SHA256: 68fb84d26e28cf8f4c755620b2623897bed88fbe3847d1b71000065ea5638727
  SHA512: 2b2d3f784e0afc5ad8d6a332be1972dc470ae04318bb29ff04fb257c6fa7faf1b1f5ff01fe8b09353fe7774d06e5b2343fbe9d81bacd56368a690dc892441a49
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 412B
  MD5: 11f02e4b4a4a212d040da1b0d95f27af
  SHA1: 8c039af75bfda3bca61e529003dd15911d5fdb71
  SHA256: 988196385806809e030d938b5d91ff920178cafbb4c495fc70349e827034fb83
  SHA512: 7bbab6b846d8d5fc225b0b62ebade76efc4d91a543386fc60736c5f42e2cc7fb4e9e85f6578d7ec798d9ab08aecfb34402debe310ed6de7bdd29eb766b615c9d
- (no path recorded in the report)
  Filesize: 21KB
  MD5: aac21b4dc64b21d79a9721d58d09354a
  SHA1: f735303394129715fd97538cb703b9a8559ad662
  SHA256: e9f65a2acda4511791614e7352a489b9050f50fb8a3448380ae610f17f420551
  SHA512: 122dceb6d0a41bee67c8c743568bccd612fe38c3b28aa1effb39fddb0923649ebe6bea03dbcc40138af0024d7957f6a794c5fca3676d51fd9472fff3a809ea43
- (no path recorded in the report)
  Filesize: 68KB
  MD5: 7a1d6c5ef0b63d38df276c570b23412f
  SHA1: 7dc88b0d1889f550f008b74fa7e543b1364b4523
  SHA256: 5272e9bd0cf7a0c6067b5480d1e49bb993ced502cbd430fe65b53ef9dd14c2bd
  SHA512: 5e25a28d033c0b8bbb3901c5c071529af4b5ddd438df30ab0928654de896884ca9b0a81f4ad462a212c5366627fc5ff3a7d142562d459165960d5f15de2e8ee2
- (no path recorded in the report)
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- (no path recorded in the report)
  Filesize: 230B
  MD5: 0ce6e2d8b22d3709ecd9c5c4dfc4f5bd
  SHA1: 067e0430a3001d1af8303f3586509f01c8ce3b4f
  SHA256: 3bc3c6888f23e43ef7580dbdc60173a5542189ccd1c2fb9123ae76f531910b14
  SHA512: 03fd69667a8888939a9d3e279907133a3f502919c43a1807b44618f6d558ad3f6492046bbb855ce3793f96e002b822df674c8bbd79ce5b604972dcd3c9f10b12
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 5KB
  MD5: a6715f2687ddeefc4596a4036bf08eb1
  SHA1: 7e8450140a8a85e621b2d2f1f494f294dbfeeea1
  SHA256: 47870ac4fdbf9ced54175d7041d5d61bfd9531e71c2a821a76474016b2fdecaf
  SHA512: 5626a144e55884715759f819392361cd4bb4581c6571f90e64acd8e7c2b73dbb0599c9ac93f52b745aa9b3e16ce0d4662a04e8a003f1d515cc7d201e29ada127
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: a27e36f6e594f90c57aae06c52289832
  SHA1: 912c574327943474b00495a2a17d43be863a4ffc
  SHA256: bf1dfae7c72baaa36d3c8b6453a86708ca2d4932b8bdd0ea0f87bd7656a4768d
  SHA512: f1a0ff661496d8593c7c675909c366a166f0ed58f672f0fa4f0db9b5ba44f86773765769c017dfb849b8ce0478669d6b5fd90fce51bdb9ee5c473b96a38523da