Analysis
- max time kernel: 9s
- max time network: 0s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 15/08/2024, 21:17
Behavioral tasks
- behavioral1: sample 4adf965b85323cb1ff9224ffdd076d53db4da02987dc29269525d630245dc12a.xls, resource win7-20240708-en
- behavioral2: sample 4adf965b85323cb1ff9224ffdd076d53db4da02987dc29269525d630245dc12a.xls, resource win10v2004-20240802-en
The results on this page (platform windows7_x64, resource win7-20240708-en) are those of behavioral1.
General
- Target: 4adf965b85323cb1ff9224ffdd076d53db4da02987dc29269525d630245dc12a.xls
- Size: 1.2MB
- MD5: f3274d014851e6b44e0564cb13264cbe
- SHA1: 80303483a7a7b6735a7330a3061f0e3ef212c216
- SHA256: 4adf965b85323cb1ff9224ffdd076d53db4da02987dc29269525d630245dc12a
- SHA512: 85c734b41c8a740dc82f830a14fbdeda8ee110af730aad01ab6c306a73b2f1dc552a58d39bc778e93ca0cbb589ed03611267b2b9abcacd2246c51488c6a6b802
- SSDEEP: 24576:/61wqQz5CIuVhDV9GPOVuux0SG0RKD8Uhgs:/+0AIuTDG6x0Se
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 4484 rad901C0.exe
  pid 4684 netbtugc.exe
- Loads dropped DLL (2 IoCs)
  pid 2508 EXCEL.EXE
  pid 4484 rad901C0.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (netbtugc.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rad901C0.exe)
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2508 EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeShutdownPrivilege, pid 4684 netbtugc.exe
  This is the same process that opened \??\PhysicalDrive0 for modification; SeShutdownPrivilege is the privilege Windows requires before a process may initiate a shutdown or reboot.
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2508 EXCEL.EXE (recorded 3 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2508 wrote to memory of 4484 (EXCEL.EXE, procid_target 30), recorded 4 times
  PID 4484 wrote to memory of 4684 (rad901C0.exe, procid_target 31), recorded 4 times
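The MBR signature above records only that \??\PhysicalDrive0 was opened for modification; the check a responder wants on a host suspected of having run this sample is whether the first sector still matches a known-good copy. The following Python is an added example, not part of the tria.ge report or of the sample: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries at offset 0x1BE, the 0x55AA signature) and diffs it against a baseline. The baseline and tampered images are constructed stand-ins; `read_live_mbr` shows how the sector would be read on Windows from `\\.\PhysicalDrive0` (administrator rights required) and is not called here.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 0x1BE          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    body = bootcode[:PART_TABLE_OFF].ljust(PART_TABLE_OFF, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return body + table + BOOT_SIGNATURE


def parse_mbr(buf):
    """Return the boot-code hash, the non-empty partition entries and whether 0x55AA is present."""
    if len(buf) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": buf[MBR_SIZE - 2:] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(buf[:PART_TABLE_OFF]).hexdigest(),
        "partitions": parts,
    }


def compare_mbr(baseline, current):
    """List what differs between a known-good MBR and the sector read from a suspect host."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["bootcode_sha256"] != c["bootcode_sha256"]:
        findings.append("boot code differs from baseline")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_live_mbr(device=r"\\.\PhysicalDrive0"):
    """Windows only, needs administrator rights: read the first sector of the raw disk."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed sample data (not taken from the analysed sample): a stand-in for
# boot code and one bootable NTFS-typed (0x07) partition starting at LBA 2048.
BASELINE_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 32
BASELINE = build_mbr(BASELINE_BOOTCODE, [(0x80, 0x07, 2048, 1_048_576)])
# What an MBR overwrite might leave behind: foreign boot code, partition table zeroed.
TAMPERED = build_mbr(b"\xeb\xfe", [])

if __name__ == "__main__":
    print("baseline vs baseline:", compare_mbr(BASELINE, BASELINE))
    print("baseline vs tampered:", compare_mbr(BASELINE, TAMPERED))
```

In practice the baseline comes from a clean machine of the same image, or from a backup taken before the incident; comparing the boot-code hash alone is not enough, because a partition table that has been zeroed also leaves the host unbootable while the 0x55AA signature stays intact.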
Processes
- "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4adf965b85323cb1ff9224ffdd076d53db4da02987dc29269525d630245dc12a.xls (PID 2508)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\rad901C0.exe" (PID 4484, spawned by 2508)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Roaming\{15705dbe-a36c-44fc-ab26-062f0c296290}\netbtugc.exe" (PID 4684, spawned by 4484)
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of AdjustPrivilegeToken
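The signature tables and the process tree together give a three-stage chain, EXCEL.EXE to rad901C0.exe to netbtugc.exe, in which the last process both opens \??\PhysicalDrive0 for modification and enables SeShutdownPrivilege. The following Python is an added example, not part of the tria.ge report: it encodes the report's processes and behavioural events as constructed records (the event tuple layout, the rule names and the severity scale are this example's own assumptions, not the sandbox's export format) and correlates them into a per-process verdict, so the same logic can be run over a similar event set from another sandbox or EDR export.

```python
import re

# Constructed from this report's process tree and signature tables: PIDs, image
# paths, registry keys and the \??\PhysicalDrive0 path are as listed there.
# pid -> (parent pid, image path)
PROCESSES = {
    2508: (None, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"),
    4484: (2508, r"C:\Users\Admin\AppData\Local\Temp\rad901C0.exe"),
    4684: (4484, r"C:\Users\Admin\AppData\Roaming\{15705dbe-a36c-44fc-ab26-062f0c296290}\netbtugc.exe"),
}

# (event kind, acting pid, argument); the tuple shape is an assumption of this example
EVENTS = [
    ("reg_key_open", 2508, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("reg_key_open", 2508, r"\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor"),
    ("reg_key_open", 4484, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("file_open_write", 4684, r"\??\PhysicalDrive0"),
    ("adjust_privilege", 4684, "SeShutdownPrivilege"),
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
PHYSICAL_DRIVE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.IGNORECASE)


def ancestry(pid):
    """Walk parent links up to the root; returns [root, ..., pid]."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = PROCESSES[pid][0]
    return chain[::-1]


def image_name(pid):
    return PROCESSES[pid][1].rsplit("\\", 1)[-1]


def per_process_flags():
    """Map each pid to the set of rule names its events and image path trigger."""
    flags = {pid: set() for pid in PROCESSES}
    for pid, (_, image) in PROCESSES.items():
        if USER_DIR.match(image):
            flags[pid].add("runs_from_user_dir")
    for kind, pid, arg in EVENTS:
        if kind == "file_open_write" and PHYSICAL_DRIVE.match(arg):
            flags[pid].add("mbr_write")
        elif kind == "reg_key_open" and arg.lower().endswith(r"\control\nls\language"):
            flags[pid].add("language_discovery")
        elif kind == "adjust_privilege" and arg == "SeShutdownPrivilege":
            flags[pid].add("shutdown_privilege")
    return flags


def assess(pid, flags=None):
    """Combine a process's own flags with its ancestry into findings and a severity."""
    flags = flags if flags is not None else per_process_flags()
    chain = ancestry(pid)
    names = [image_name(p) for p in chain]
    own = flags[pid]
    office_chain = len(chain) > 1 and names[0].lower() in OFFICE_IMAGES
    findings = []
    if office_chain:
        findings.append("spawned from an Office process: " + " -> ".join(names))
    if "runs_from_user_dir" in own:
        findings.append("image runs from a user-writable directory (dropped executable)")
    if "mbr_write" in own:
        findings.append("opened a raw physical drive for modification (MBR write)")
    if "shutdown_privilege" in own:
        findings.append("enabled SeShutdownPrivilege (required to initiate a reboot)")
    if "language_discovery" in own:
        findings.append("read NLS\\Language (system language discovery)")
    if "mbr_write" in own:
        severity = "high"
    elif office_chain and "runs_from_user_dir" in own:
        severity = "medium"
    else:
        severity = "low"
    return {"pid": pid, "chain": names, "severity": severity, "findings": findings}


def triage():
    flags = per_process_flags()
    return {pid: assess(pid, flags) for pid in PROCESSES}


if __name__ == "__main__":
    for result in triage().values():
        print(result["severity"].upper(), " -> ".join(result["chain"]))
        for finding in result["findings"]:
            print("   ", finding)
```

The severity scale deliberately keys on the raw-disk write rather than on the Office lineage alone: an Office process spawning a dropped executable is the delivery stage and is common to many families, while a raw open of PhysicalDriveN for write by a user-land process is rare enough in normal operation to stand on its own.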
Network
- No network indicators are listed for this task (max time network: 0s).
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 255KB
  MD5: bdb501a004fea9db913551b41a3ea485
  SHA1: e3a7074a6986ed85789957627b7f794dff727732
  SHA256: 5b7a23853a0f2617e0b8039816bf4040845554c16b8ad15f25202a3cf56f7211
  SHA512: 4ad2ff5fed113d4637498d6c164529b644a7d4080fba7e5e8c22279305e5f207e0347baff2282687e67bac30e1c8bf50d7c461e302462c231935915a9b145353
- File 2
  Filesize: 254KB
  MD5: e3b7d39be5e821b59636d0fe7c2944cc
  SHA1: 00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
  SHA256: 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
  SHA512: 8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5