Analysis
- max time kernel: 57s
- max time network: 61s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/06/2024, 21:29
Behavioral task: behavioral1
- Sample: 488927ff767040cef8ef81316f8f0079aebd655a020eb33e9277f927ef398831.xlsm
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 488927ff767040cef8ef81316f8f0079aebd655a020eb33e9277f927ef398831.xlsm
- Resource: win10v2004-20240508-en
General
- Target: 488927ff767040cef8ef81316f8f0079aebd655a020eb33e9277f927ef398831.xlsm
- Size: 92KB
- MD5: 62c562acdd113004974171eb38ed3248
- SHA1: f94daa0e6deb1c5506bee8e13f35655c9d69336b
- SHA256: 488927ff767040cef8ef81316f8f0079aebd655a020eb33e9277f927ef398831
- SHA512: 8870cb198d2b969122101c335998aa6b00f9938381ca7a82f576526ced2a2f43b55a65cd2054e0f2823ba9af431412c37740e923d8a5f35d3d74adda3d4e8b76
- SSDEEP: 1536:CguZCa6S5khUI+0+aMbdcB4znOSjhLM+vGa/M1NIpPkUlB7583fjncFYIIn5FN:Cgugapkhl+0+aM2aPjpM+d/Ms8ULavLl
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  3256 | EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  3256 | EXCEL.EXE (listed 2 times)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  3256 | EXCEL.EXE (listed 12 times)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\488927ff767040cef8ef81316f8f0079aebd655a020eb33e9277f927ef398831.xlsm"
  PID: 3256
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx