Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2024, 10:29
Static task: static1
Behavioral task: behavioral1
- Sample: Sipariş onayı.xls
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: Sipariş onayı.xls
- Resource: win10v2004-20240704-en
General
- Target: Sipariş onayı.xls
- Size: 1.1MB
- MD5: 94d52f7b132f459b88ba2b9c6ed076cb
- SHA1: 6970a28538c35aa1c20b32a855e40c85842025d7
- SHA256: 57b1e7f094836b89c613e86a12966702169ead968058ac24c738b891bb8fa01e
- SHA512: c8a18dab02481a7d226d9d3a71b38087e3406e089051995c1be66e49dcb5b715212ab3eb8a36fe7925a32cb79d6baa98ba0ed2cdb8ea5803d5c1e5fe80b8b594
- SSDEEP: 24576:48q+k+xbyN3g3yBO128OA2BFzfOSr4hBBzcIPuV8rv4zBkS3QHVO:dq+k+yOUJvSSr4N4IzvT+QH
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  1920 | EXCEL.EXE
  1648 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeAuditPrivilege | 1648 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid | Process
  1920 | EXCEL.EXE (12 identical entries)
  1648 | WINWORD.EXE (4 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 1648 wrote to memory of 2312 | 1648 | WINWORD.EXE | 88
  PID 1648 wrote to memory of 2312 | 1648 | WINWORD.EXE | 88
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Sipariş onayı.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1920
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1648
  Child process:
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2312
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 2012
Network
MITRE ATT&CK Enterprise v15
Downloads