Analysis
max time kernel: 56s
max time network: 59s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 21:38
Behavioral tasks
behavioral1: sample 8eda1e1ab934deb09c2c3e0b27ea55029c0ef6fcdcc404ff5686cdb7189dd4cd.xls, resource win7-20240705-en
behavioral2: sample 8eda1e1ab934deb09c2c3e0b27ea55029c0ef6fcdcc404ff5686cdb7189dd4cd.xls, resource win10v2004-20240802-en
General
Target: 8eda1e1ab934deb09c2c3e0b27ea55029c0ef6fcdcc404ff5686cdb7189dd4cd.xls
Size: 298KB
MD5: a11a448d9c16bd394d367d3a2f062623
SHA1: 7ba84974cbfe4f9bf0b5d7af9cd1175ea589d048
SHA256: 8eda1e1ab934deb09c2c3e0b27ea55029c0ef6fcdcc404ff5686cdb7189dd4cd
SHA512: e4234640c9cc6fff66493c32eef21184e697cd11571ce75b97dfcd4e11bbab7ec5a11a4c7a7c6ec6d064b4a6daad7e163f9626b2efc69695229b363275f422d7
SSDEEP: 6144:+aEk3hOdsylKlgryzc4bNhZF+E+//gEDWTOI2CKMMiXn6xpK0J7dToItHQ/ePbA7:+a6W6xpK09dE
Malware Config
Signatures
Disables RegEdit via registry modification (1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" [EXCEL.EXE]
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 [EXCEL.EXE]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz [EXCEL.EXE]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [EXCEL.EXE]
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS [EXCEL.EXE]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily [EXCEL.EXE]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU [EXCEL.EXE]
Modifies Internet Explorer start page (1 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://3azu.taobao.com" [EXCEL.EXE]
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 3500 EXCEL.EXE
Suspicious use of SetWindowsHookEx (13 IoCs)
  PID 3500 EXCEL.EXE (reported 13 times)
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3500)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8eda1e1ab934deb09c2c3e0b27ea55029c0ef6fcdcc404ff5686cdb7189dd4cd.xls"
  - Disables RegEdit via registry modification
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer start page
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 63a99f0138b8b8db9b1ea7c49bf4b9fb
SHA1: 20f81df4d9b710d478974e64c3f00f27504b454c
SHA256: 516eb4fe006dadc0cc6074a99a6cf572e6141766335f8198b00a0067d512ac1f
SHA512: c894d763c1b772a3fcc89683f3ce7c142069106efafaad39ba98f9368a7b79310f541d6fe1aceafee7d6272df75eae2879a5d426bbaebda299a1c5e5a08b25c5

Filesize: 396B
MD5: bfbe503c649981816e845da77cb6c153
SHA1: 93c3b1fc35df7410d97bb370c492af152b7e5574
SHA256: 1396da01f8f02383b39694cc15dbd96e7964deb4c6625e3d6481ef0382cc722e
SHA512: 5f8d729ecde75b3e00fb58910223555317ecf6525cf3f9239e74aaad2dbd927917ff927df76b0e29ab37a18cda39529cb6743e39d8570f380754622f1633db38

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: 716290d3fe59aa1db196efcfbdee9e20
SHA1: bc4d79fcc1c90bc60250f3441d1538c2a8c6a05b
SHA256: 5cb617510ac5d787b0646a3d7a0d657ba88cb3b82ea54edbe6ae5afe10534a9a
SHA512: 87c0b1ebf6b13f50b2df5b3712b4da80f86940e4e956ac5688a25bafc5c4a546e25148ffc6e5c536038fc1c5d27c42f32001d6f847189d89de2b7a7529338036