Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12/08/2024, 01:04
Static task
static1
Behavioral task
behavioral1
Sample
240db31fca0f94f85b17fe7d3ab4096acc1f7d7902e0d8ef8bec91cb4600eb81.xlam
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
240db31fca0f94f85b17fe7d3ab4096acc1f7d7902e0d8ef8bec91cb4600eb81.xlam
Resource
win10v2004-20240802-en
General
-
Target
240db31fca0f94f85b17fe7d3ab4096acc1f7d7902e0d8ef8bec91cb4600eb81.xlam
-
Size
617KB
-
MD5
ad305741c0274f5e03b82e3064f734ca
-
SHA1
503def7a04cff86b7e2aedc69cdfe8c02b7e3a6f
-
SHA256
240db31fca0f94f85b17fe7d3ab4096acc1f7d7902e0d8ef8bec91cb4600eb81
-
SHA512
46ce5ead793596693f2d73653a216fc9384bcf03933ffafb1ca850ced34e02776ab77adae88d618fca1099e743ffa3817165904a7cc32f2cc3888324d0644549
-
SSDEEP
12288:82NJM8dx21qVNeT9XV1PQy1MWSAtyPfOSwUnbHJZLT+4fxaJDD7fLNXqxE38c/bP:DH720TwlSy17SRHSUbpZfvf2t3/bBYve
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1544 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 1544 EXCEL.EXE 1544 EXCEL.EXE 1544 EXCEL.EXE 1544 EXCEL.EXE 1544 EXCEL.EXE 1544 EXCEL.EXE 1544 EXCEL.EXE 1544 EXCEL.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\240db31fca0f94f85b17fe7d3ab4096acc1f7d7902e0d8ef8bec91cb4600eb81.xlam"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1544
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FRRJKL5G63X3J5XINGGJ.temp
Filesize1KB
MD592309f511fe8a21233147b3e579b9ac2
SHA16eda551d18d15abbd1e15a357ce15459040c3afe
SHA25687597a63a931e8109831407975279ff9c1e5ef4bf679b8a41d49203e9181d3e4
SHA5124c4e12c0bdc3ae66734ae990a7b69f531826426c15370045ce5842298201d003ceaa4674ff5742a24620ba90937dce1f373171b1e7ca0dc58cf6045bbf230e9a