Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 01/07/2024, 05:20
Static task: static1
Behavioral task: behavioral1
  Sample: 2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
  Resource: win10v2004-20240611-en
General
Target: 2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
Size: 973KB
MD5: 08d16f26dc58a3565b478a5ef975e844
SHA1: c47387a591bb42c39a43f90e30ef26e8726d8ca4
SHA256: 060da027a490aacf135d894ecf1f158568af1257d4003716cd93d416fa8f508d
SHA512: be279977d3f916fd06097f0ab8d66d9380f0358ba40841bbc8c1a0c441a32f8b81ea82c7138a7b25e8f91cecc6732ccaef984a0ea3a74efeb9fd1c2045bd70c3
SSDEEP: 12288:TEMdFhqCSBFbYJ3Kev5ZGbJMo4iP9HA8BuXvKBfFUl9v1RQ3l16WGZeo5iokzhVv:gMp+7YJ3KcQ5IiBurvHQVoWG0Pv
Malware Config
Signatures
Process spawned suspicious child process (1 IoC)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2620 | 3056 | DW20.EXE | 27

Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3056 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3056 | EXCEL.EXE
3056 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
3056 | EXCEL.EXE
3056 | EXCEL.EXE
3056 | EXCEL.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3056 wrote to memory of 2620 | 3056 | EXCEL.EXE | 28
PID 3056 wrote to memory of 2620 | 3056 | EXCEL.EXE | 28
PID 3056 wrote to memory of 2620 | 3056 | EXCEL.EXE | 28
PID 3056 wrote to memory of 2620 | 3056 | EXCEL.EXE | 28
PID 3056 wrote to memory of 2620 | 3056 | EXCEL.EXE | 28
PID 3056 wrote to memory of 2620 | 3056 | EXCEL.EXE | 28
PID 3056 wrote to memory of 2620 | 3056 | EXCEL.EXE | 28
PID 2620 wrote to memory of 2628 | 2620 | DW20.EXE | 29
PID 2620 wrote to memory of 2628 | 2620 | DW20.EXE | 29
PID 2620 wrote to memory of 2628 | 2620 | DW20.EXE | 29
PID 2620 wrote to memory of 2628 | 2620 | DW20.EXE | 29
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3056
   2. C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
      Command line: "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 932
      - Process spawned suspicious child process
      - Suspicious use of WriteProcessMemory
      PID: 2620
      3. C:\Windows\SysWOW64\dwwin.exe
         Command line: C:\Windows\system32\dwwin.exe -x -s 932
         PID: 2628
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 524B
MD5: 7fb9b4f50d0cc416f72d5bef17025e49
SHA1: ec64b90173fda99b7552d2cf3c51803500216e0c
SHA256: 477707bf7f1eeb65c47b9a76a92b622f50cce464f790e8b55aa7126c1c2652a3
SHA512: 65dd84e67548715d490f2222169beb118e963a56f12913472f7196e5505caab490c7ca76c2f0e4c62f9d4b4f5392cd3969d81eb5f6c250c7f8497b90a5a8e612