Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/08/2024, 01:04

General

  • Target

    240db31fca0f94f85b17fe7d3ab4096acc1f7d7902e0d8ef8bec91cb4600eb81.xlam

  • Size

    617KB

  • MD5

    ad305741c0274f5e03b82e3064f734ca

  • SHA1

    503def7a04cff86b7e2aedc69cdfe8c02b7e3a6f

  • SHA256

    240db31fca0f94f85b17fe7d3ab4096acc1f7d7902e0d8ef8bec91cb4600eb81

  • SHA512

    46ce5ead793596693f2d73653a216fc9384bcf03933ffafb1ca850ced34e02776ab77adae88d618fca1099e743ffa3817165904a7cc32f2cc3888324d0644549

  • SSDEEP

    12288:82NJM8dx21qVNeT9XV1PQy1MWSAtyPfOSwUnbHJZLT+4fxaJDD7fLNXqxE38c/bP:DH720TwlSy17SRHSUbpZfvf2t3/bBYve

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

The four signatures that carry IoC counts are attributed in the process tree below to the Office host itself, EXCEL.EXE (PID 1544), which is the only process recorded; the Task Scheduler and Volume Shadow Copy COM/WMI signatures are not attributed to any process and no network activity appears in the report. That is consistent with the 1/10 score: these are behaviours Excel exhibits on its own when opening a file, not evidence of the add-in doing anything.

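The "Checks processor information in registry" signature is a registry-read pattern, and the report's attribution of it to EXCEL.EXE is what keeps it low-signal here. The following is an added triage helper, not tria.ge's detection code, that applies the same idea to Sysmon-style registry events: it matches reads of the CPU/system fingerprinting keys and rates each process by whether it is an Office host (expected startup noise), a child spawned by one (the interesting case for a macro-bearing add-in), or something else. The events, the `update.exe` child process and PID 4120 are constructed for the example and do not come from this report.

```python
"""Triage registry reads that fire sandbox-fingerprint signatures.

Added example, not tria.ge's own detection logic. Input events are
constructed to look like Sysmon registry events (EventID 12/13).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Registry locations commonly read to fingerprint the CPU / system; the
# first two are what "Checks processor information in registry" and
# "Enumerates system info in registry" are about.
FINGERPRINT_KEYS = [
    r"HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\",
    r"HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Control\\SystemInformation",
    r"HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS",
]
KEY_RE = re.compile("|".join(FINGERPRINT_KEYS), re.IGNORECASE)

# Office hosts read these keys during normal startup; hits from them alone
# are low-signal, as in the report above.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events. PID 1544 / EXCEL.EXE mirrors the report;
# PID 4120 / update.exe is a hypothetical child process added for contrast.
SAMPLE_EVENTS = [
    {"pid": 1544, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 1544, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 1544, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation\SystemProductName"},
    {"pid": 1544, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Excel\Options"},  # not a fingerprint key
    {"pid": 4120, "image": r"C:\Users\Admin\AppData\Local\Temp\update.exe",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    {"pid": 4120, "image": r"C:\Users\Admin\AppData\Local\Temp\update.exe",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
]


def fingerprint_hits(events):
    """Group fingerprint-key reads by PID: {pid: (image_path, sorted_keys)}."""
    keys_by_pid = defaultdict(set)
    image_by_pid = {}
    for ev in events:
        if KEY_RE.search(ev["target"]):
            keys_by_pid[ev["pid"]].add(ev["target"])
            image_by_pid[ev["pid"]] = ev["image"]
    return {pid: (image_by_pid[pid], sorted(keys)) for pid, keys in keys_by_pid.items()}


def triage(events, children_of_office=()):
    """Rate each process that read fingerprint keys.

    children_of_office: PIDs known (e.g. from the sandbox process tree) to
    have been spawned by an Office host. Returns findings sorted by PID.
    """
    findings = []
    for pid, (image, keys) in fingerprint_hits(events).items():
        name = PureWindowsPath(image).name.lower()
        if name in OFFICE_HOSTS:
            verdict = "low: expected Office host startup reads"
        elif pid in children_of_office:
            verdict = "high: child of Office host reads CPU/system fingerprint keys"
        else:
            verdict = "medium: non-Office process reads fingerprint keys"
        findings.append({"pid": pid, "image": name, "iocs": len(keys), "verdict": verdict})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, children_of_office={4120}):
        print(f"{f['pid']:>6} {f['image']:<12} {f['iocs']} IoC(s)  {f['verdict']}")
```

With the constructed events, EXCEL.EXE produces three IoCs and a low rating, matching the count on the signature above; the same reads from a process the Office host spawned would be rated high. The parent relationship is deliberately an input rather than inferred, because a sandbox process tree is the authoritative source for it.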
Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (process 1, PID 1544)
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\240db31fca0f94f85b17fe7d3ab4096acc1f7d7902e0d8ef8bec91cb4600eb81.xlam"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx

Network

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FRRJKL5G63X3J5XINGGJ.temp

    Filesize

    1KB

    MD5

    92309f511fe8a21233147b3e579b9ac2

    SHA1

    6eda551d18d15abbd1e15a357ce15459040c3afe

    SHA256

    87597a63a931e8109831407975279ff9c1e5ef4bf679b8a41d49203e9181d3e4

    SHA512

    4c4e12c0bdc3ae66734ae990a7b69f531826426c15370045ce5842298201d003ceaa4674ff5742a24620ba90937dce1f373171b1e7ca0dc58cf6045bbf230e9a

  • memory/1544-6-0x00007FF9DA1B0000-0x00007FF9DA1C0000-memory.dmp

    Filesize

    64KB

  • memory/1544-2-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB

  • memory/1544-4-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB

  • memory/1544-1-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB

  • memory/1544-5-0x00007FFA1A1B0000-0x00007FFA1A1D2000-memory.dmp

    Filesize

    136KB

  • memory/1544-0-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB

  • memory/1544-7-0x00007FF9DA1B0000-0x00007FF9DA1C0000-memory.dmp

    Filesize

    64KB

  • memory/1544-3-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB

  • memory/1544-25-0x00007FFA1A1B0000-0x00007FFA1A1D2000-memory.dmp

    Filesize

    136KB

  • memory/1544-44-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB

  • memory/1544-43-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB

  • memory/1544-42-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB

  • memory/1544-45-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

    Filesize

    64KB
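The memory dump names above encode the PID, a sequence number and the dumped address range, and the same range recurs many times (for example 0x00007FF9DCB10000-0x00007FF9DCB20000 appears nine times under different sequence numbers). The following added parser, not part of tria.ge, decodes that naming scheme, checks the address range against the reported file size, confirms page alignment, and collapses repeated dumps of one region so an analyst can see how many distinct regions were actually captured. The entries in `SAMPLE_DUMPS` are a subset copied from this report; the naming convention is inferred from those entries and assumed to hold generally.

```python
"""Decode sandbox memory-dump names of the form
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.

Added example; the naming convention is inferred from the report above.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
PAGE = 0x1000  # x64 Windows user-mode page size

# (dump name, reported filesize in KB) copied from the report above (subset).
SAMPLE_DUMPS = [
    ("memory/1544-6-0x00007FF9DA1B0000-0x00007FF9DA1C0000-memory.dmp", 64),
    ("memory/1544-2-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp", 64),
    ("memory/1544-5-0x00007FFA1A1B0000-0x00007FFA1A1D2000-memory.dmp", 136),
    ("memory/1544-25-0x00007FFA1A1B0000-0x00007FFA1A1D2000-memory.dmp", 136),
    ("memory/1544-45-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp", 64),
]


def parse_dump_name(name):
    """Return pid, seq, start, end, size (bytes) and page alignment of a dump name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        "page_aligned": start % PAGE == 0 and end % PAGE == 0,
    }


def size_mismatches(dumps):
    """Names whose address range does not match the reported size.

    The report rounds to whole KB, so a range is accepted if it rounds to the
    reported value; exact multiples (64 KB = 0x10000, 136 KB = 0x22000) pass.
    """
    bad = []
    for name, reported_kb in dumps:
        size = parse_dump_name(name)["size"]
        if round(size / 1024) != reported_kb:
            bad.append(name)
    return bad


def unique_regions(names):
    """Collapse repeated dumps of one region: {(pid, start, end): [seq, ...]}."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(SAMPLE_DUMPS))
    for (pid, start, end), seqs in unique_regions([n for n, _ in SAMPLE_DUMPS]).items():
        print(f"pid {pid} 0x{start:016X}-0x{end:016X} ({end - start} bytes) dumped {len(seqs)}x: seq {seqs}")
```

On the five sample entries the parser reports no size mismatches and three distinct regions, two of which were dumped more than once; running it over the full list above gives the same three regions. Repeated dumps of an unchanged region are normal for a low-scoring run like this one, and deduplicating them is the first step before comparing dump contents for injected or modified code.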