Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/08/2024, 07:00
Behavioral task: behavioral1
- Sample: 9d6073aed037108448c90e5495969ebd_JaffaCakes118.xls
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 9d6073aed037108448c90e5495969ebd_JaffaCakes118.xls
- Resource: win10v2004-20240802-en
General
- Target: 9d6073aed037108448c90e5495969ebd_JaffaCakes118.xls
- Size: 786KB
- MD5: 9d6073aed037108448c90e5495969ebd
- SHA1: f8fa3a86d5ef21b0a12b7b379de4cff074790f48
- SHA256: 0b18ec92065020e7de0e0508299743783aac3df5d97bdfacb5cbc2118a9a336b
- SHA512: a830ebfcfc979491174e086a4b738937f5e5ef7872e35728a84c9a1e44d49124a9bf060518df0a5f6e7d1539663c10e49b8bff9edc3e1b6a85dc0f2d5d79a96d
- SSDEEP: 6144:Ak3hOdsylKlgryzc4bNhZF+E+W2knA3g8hD6smRdbmF+m0jjfPiFSkANIXRj+MM8:Sg8p6sOR0Kf2Sk4yCMPECHJ
Malware Config
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 4372 | pid_target: 2372 | Process: WmiC.exe | procid_target: 84
- Blocklisted process makes network request (8 IoCs)
  flow | pid  | Process
  32   | 4372 | WmiC.exe
  34   | 4372 | WmiC.exe
  44   | 4372 | WmiC.exe
  50   | 4372 | WmiC.exe
  51   | 4372 | WmiC.exe
  53   | 4372 | WmiC.exe
  66   | 4372 | WmiC.exe
  70   | 4372 | WmiC.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | Process: WmiC.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Process: EXCEL.EXE
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Process: EXCEL.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Process: EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Process: EXCEL.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Process: EXCEL.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Process: EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid: 2428 | Process: EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  pid: 4372 | Process: WmiC.exe
  The following token adjustments are each recorded twice in the log (21 distinct entries, 42 IoCs in total):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid: 2428 | Process: EXCEL.EXE (14 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 4372 wrote to memory of 4992 | pid: 4372 | Process: WmiC.exe | procid_target: 99
  description: PID 4372 wrote to memory of 4992 | pid: 4372 | Process: WmiC.exe | procid_target: 99
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9d6073aed037108448c90e5495969ebd_JaffaCakes118.xls"
  PID: 2428
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\WmiC.exe
  Command line: WmiC
  PID: 4372
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (child of PID 4372)
    Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//0dxf5.dll InitHelperDll
    PID: 4992
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 4KB
  MD5: 6f0da330fa6ff42ac3d4bf71afa80d78
  SHA1: d39c20e6c13cc54c07f3a42f0c5bb7116b0df1ec
  SHA256: cafef64a34a6450137424e39e9c100475c050d28d742283ef4084fef3cac649d
  SHA512: e851ed7ef631a1ac27387ce63cc1b190aa3765335a09d9ceeea5f43da9b65a95ea04a2e0b39fe2c01875030ddb61d01e56d35e8cd36d5362f4d12e875538066d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 1KB
  MD5: 25cb8321660fda0a1d4209a6a408acb1
  SHA1: c082f5b0c165bf087b75301e643571ca27d37506
  SHA256: ba02c47a3c468420d6716241f4ffe75ea8252281dbb8c15eb4e47dbce7f4adb0
  SHA512: 401a0bcb466b0a31c60c302472a056c16f3872ba22b09be58eb8158ce617b349a577594221a8924cab9c84ffc119759207be88f21b7fc05913e9a887d1e2d51c
- Dropped file 3
  Filesize: 35KB
  MD5: 6eec91078598dda5fe8ce70eba349b3b
  SHA1: 0e9da0372116f63ed42441b4ccb15ca4a632a2e7
  SHA256: 177b8546356bfb211df2308b09f44b999dd86c6bbdbc57e41e6a5b8ae40992b8
  SHA512: 057e258ca1fe109ec0e5a47031610777f2e5b2bdf4eb234000f43ca422420d0471c6fa8262f27ef25d125f88833b1f378606f199e3ec8482dc69a82ccc78acae