Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2024, 06:00
Static task: static1
Behavioral task: behavioral1
  Sample: Order2354.xls
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Order2354.xls
  Resource: win10v2004-20240508-en
General
Target: Order2354.xls
Size: 654KB
MD5: 0ea2f1e95f1c8a1917bb34a722cf78e8
SHA1: 4721806e7503fcb6a630697bc348e53074a22fa2
SHA256: 114ea93681433aaf40289d58407cb4b570748645aca682ddae3052b6f428b3f7
SHA512: 9a5b836d188bf1bc8f210560492475017f2f23577a708acd82af3f0ada2446690653e4e08c1f0908306aaabd5a53f741f8987ed76bcbc00f4786784c6f5d9de8
SSDEEP: 12288:/kTCQ5HK3hrUP/qPQZR8MxAm/S/xQE1A73DbFWgc4zkiVhPkLyH8gq1N:OCQ5HKRrUP/mMxCaE1GFWgJkChkqPK
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                   process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
description        ioc                                                             process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid   process
1216  EXCEL.EXE
1684  WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   process
Token: SeAuditPrivilege  1684  WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
pid   process      occurrences
1216  EXCEL.EXE    12
1684  WINWORD.EXE  4

Suspicious use of WriteProcessMemory (2 IoCs)
description                       pid   process      procid_target
PID 1684 wrote to memory of 3188  1684  WINWORD.EXE  98
PID 1684 wrote to memory of 3188  1684  WINWORD.EXE  98
(PID 3188 is the splwow64.exe child of WINWORD.EXE listed under Processes.)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

EXCEL.EXE (PID 1216)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order2354.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

WINWORD.EXE (PID 1684)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  splwow64.exe (PID 3188, child of PID 1684)
    C:\Windows\splwow64.exe 12288

msedge.exe (PID 1512)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8

svchost.exe (PID 924)
  C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: 7c0669e6df38dff7b7019bb4eed41e99
SHA1: 72e3db82fcbf67d6c421455de61df7b51f65dcb8
SHA256: 1ac809efcd227440a10b4842e2ea1765f85dc8042b41f4e0de29b7cfa5197992
SHA512: e1a6e93fe372925d238cf1f487efe094d2c4a254faa432551ee4ee49b96a07a6a2ba257b698c103dbd08d4d9133d1ef24eb55dbb9c7adbbb048836e4d794dd2b

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize: 724B
MD5: 8202a1cd02e7d69597995cabbe881a12
SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
MD5: ed396397a972988508b15995c9219155
SHA1: 2ff5859d49b01a0a6ba5f3e75a79dce64d8abfd8
SHA256: acafbcb6aaadcac80531a4386d8f9a74cca05ba923fc5232429fb7fc16cae2bf
SHA512: ebecbca469140e00e00462765c8ec97ebc536fe300350e17e25ce4efca0e42751b34a0fd16b1c74f57eb57fef1d127042da7786f6a8801e1cf1b1ad3b4ded223

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize: 392B
MD5: b805459027be9a105b3e70a9045d2a0a
SHA1: b98fa6d450197ae5ff4e0c9d6e72527cc8808e6d
SHA256: 043a415dadfb77a418b80c7b0c3261376adaa57906c11cf8fd3b4577c94e5eb9
SHA512: b5c3028ff5ffb25c4cb3272ff11fd74f50cb872747733a2e7df3e5627498b1be51b50e3c24fc4c73668b9583e7625641a012801d8b266e6db68d6a01fbff27a9

Path: C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FEFE615E-613F-4058-B2C6-F6EF9F0984F3
Filesize: 160KB
MD5: ef78bc63fb2013cfdd0cfa26d3070604
SHA1: b034a99e05e13a7ba415b52f0d8a5dcbc2b78e10
SHA256: 264d2b9ac3a427c30f3295ad8eda4e902dbd92a7f8e18cd629e418d30a91d108
SHA512: 1fb031c5901f095a9ea01d55b348052fe40da0ced580d44fa37064c2571520b806e051e6490c0b4575f14a7efc06988a75ce09ece8df97f569d61954d1606910

Path: (not recorded)
Filesize: 21KB
MD5: a4d91cc7584c23ce5c15af2d2a00035e
SHA1: 7b39f757b559c0a22d8b3a8ee27fbee012f71841
SHA256: 0194b9110619284e35751a33abe6d54d2c0deaa26c9270c5d51d16345322a302
SHA512: 375d8dc14c60d24fcb91b6c111c58529acfab105e4724b3eda4415b312ce06cc1ddd86f51827e08ee64bfc0e542c01233fe693a114f8943ce12bf56215932d17

Path: C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 1d1d090eee564b48e8edaabf7df18dfa
SHA1: 5acc2385b2c4eaba2636a2d9e3fb3366518d72d1
SHA256: 0700e59b48228d644bea21b2f8b0149c1fb8fac6a702ca1e8abef8d9e66a295b
SHA512: cba995e8f6e9020bf7660565dd9f5cb7e0818792b29d47da3c4aff3099d6853ea87f70d5bba4f2fb34a8e2cb7ab8a180022cd24c106a934fdb223040c69510a6

Path: C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 7761c021e26057947142561b8baf0214
SHA1: ce6afcfd03e6f8335b42844447d6c0f33d63c0a6
SHA256: f6f7b7614caa007e4a1d9abd61da9115e80ee0ccd1cc5b3fbe9198809af71145
SHA512: 966cf1c33e7aaf4638be7cec1346f1de86728c06a85061841a22afe9cbc2311645cc00509fd934b61ebcb53104a441a08e9987ca5d60ab38308b9feef1596980

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\beautifulroseflowerwanttogetinhandbecauseitsgreatthingshandbeautiuflthingshappenedtogetback___beautiuflflowers[1].doc
Filesize: 63KB
MD5: 7a7b11bbe3d337c74805c519c22601c0
SHA1: 4b680f33a5d1f26934429bb7dff11b8b3f6ea0f8
SHA256: 3f6bd3440b27d64b41ff2902d7b35c1105b7dc026e834755a1b44f63b5da965e
SHA512: c637d681ff8f7e00c74291bf38835ada5d4c074d62f9d5a12ceed7b4ec540f21e05dc89469664af08d7a68040e5d0646e1f13669ddec965812ce9eeb78975302

Path: (not recorded)
Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Path: (not recorded)
Filesize: 229B
MD5: 5db91e83608ae891debab17c5f65f6f2
SHA1: d016ab90b358325483f8afe4173071094b858f4c
SHA256: f88360415fd97c4df31fcf259e9264b138fc825d7a4e68e25e1cf3b3b018f8c2
SHA512: 6801e217d58c24674bbaddb15f3d1da28f21c19191e16aae2c3a33ef634c8a65c9370d55f1542c8567aafd975fc4f6775a1d39eba49ec104d5d79601ff0330db

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 2c57da0296abfd041f6c3a88b5ae5a4d
SHA1: 3be142b25c981dbea3b88a5ed2bc95ff9267a49f
SHA256: 26baeea758ea2e0ae35c58ef799cc631afef96ead1ecdf8e19c1abaab03821fe
SHA512: 4900d3d8ccd14679be1e31403d3403a6a4662a5090b268ec9077c673e61d3de645ed2ee5cf0c7173864c1652083db695d349d0ab5bd4796784391194d543e4c9

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 5KB
MD5: d66bd4c5582bf47f314ef0531660a268
SHA1: 3703520cb6d835f2cb499fd87bcce83b502a1cd2
SHA256: 5204b2f60b1ef3c649b846d85129671a84c2ac43f435d0a2647e335871972d9d
SHA512: e5f420d86a86120c3f98a810e7026a448a4ecdaeda35b1aaa38932159b5a900d4f18bd267f2455fb1e53016fb7aed15bf9d9ceba1d5043a04f3a843410089c6e