Analysis
max time kernel: 149s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/08/2024, 02:38
Static task: static1
Behavioral task: behavioral1
  Sample: f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls
  Resource: win10v2004-20240802-en
General
Target: f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls
Size: 331KB
MD5: eaaed9cc781e682ac037d2a2450f198c
SHA1: 8599710edfe04be096d1a500bb0f8a3b9ec1fb63
SHA256: f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486
SHA512: 3c1f51b80d9d71bd2d4adafdaa1f35826d165c956223176aa688b50f46917b68a9cfc00f82dc104e2e7f03279c69cdfb2fd63e4641c5b0f56eefea10ae44e22a
SSDEEP: 6144:pMSay9xbU9HIVb5ovxa9hTtGqy1seDWPBmCCGlEOivAolN/jsysdw7JfyToBmo0w:+Say3+fxSt/n66QCCGOOivANfK6TgmA
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                           Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
All twelve registry reads above are attributed to the Office hosts themselves (EXCEL.EXE and WINWORD.EXE); no dropped or injected payload appears as a reader.

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  3860  EXCEL.EXE
  3344  WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeAuditPrivilege  3344  WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
  pid   Process      occurrences
  3860  EXCEL.EXE    12
  3344  WINWORD.EXE  4

Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process      procid_target
  PID 3344 wrote to memory of 4080  3344  WINWORD.EXE  94
  (the same row is listed twice in the report)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
No IoC rows are attached to these last three signatures, so the report does not say which process used the Task Scheduler or Volume Shadow Copy interfaces, or what it did with them.
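A way to evaluate those twelve registry rows programmatically, as an added example that is not part of the Triage report: it parses the rows into events, counts only value queries (opening a key reveals nothing about the hardware), and flags a process once it has read both CPU identity and BIOS model, the pairing that VM checks compare against hypervisor CPU names and "Virtual Machine"-style system families. The BASELINE_READERS set is an assumption: Office hosts query these values themselves during ordinary startup, so for this report the rule fires on EXCEL.EXE and WINWORD.EXE and leaves nothing unexplained, whereas a dropped payload doing its own check would be the only process left after the baseline is removed.

```python
import re
from collections import defaultdict

# The twelve registry events listed under "Checks processor information in registry" and
# "Enumerates system info in registry" above, one event per line, as the report gives them.
REGISTRY_EVENTS = r"""
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
"""

EVENT_RE = re.compile(r"^(Key opened|Key value queried) (\\REGISTRY\\\S+) (\S+)$")

# Values under HKLM\HARDWARE\DESCRIPTION\System that name the CPU model and the BIOS-reported
# machine model. Stored upper-cased: the registry is case-insensitive and the report itself
# mixes "Hardware\Description" with "HARDWARE\DESCRIPTION" for the same key.
FINGERPRINT_VALUES = {
    "cpu": {
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0\PROCESSORNAMESTRING",
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0\~MHZ",
    },
    "bios": {
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS\SYSTEMFAMILY",
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS\SYSTEMSKU",
    },
}

# Assumption used as a baseline: Office hosts query these values themselves during ordinary
# startup, so a hit from one of them is corroboration, not a verdict on its own.
BASELINE_READERS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


def parse_events(text):
    """Turn the report's flattened rows into (action, key_path, process) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def fingerprint_reads(events):
    """process -> {category: set of value names read}. Only value queries count: opening
    the key alone tells the reader nothing about the hardware."""
    hits = defaultdict(lambda: defaultdict(set))
    for action, key_path, process in events:
        if action != "Key value queried":
            continue
        upper = key_path.upper()
        for category, values in FINGERPRINT_VALUES.items():
            if upper in values:
                hits[process][category].add(upper.rsplit("\\", 1)[1])
    return {proc: dict(cats) for proc, cats in hits.items()}


def fingerprinting_processes(events):
    """Processes that read both CPU identity and BIOS model, sorted by name."""
    return sorted(proc for proc, cats in fingerprint_reads(events).items()
                  if cats.keys() >= {"cpu", "bios"})


def unexplained_fingerprinting(events):
    """The same rule with the Office baseline removed: whatever is left is a process doing
    its own VM check, which is the case that deserves the sandbox-evasion label."""
    return [p for p in fingerprinting_processes(events) if p.upper() not in BASELINE_READERS]


if __name__ == "__main__":
    evts = parse_events(REGISTRY_EVENTS)
    print(fingerprint_reads(evts))
    print("fingerprinting:", fingerprinting_processes(evts))
    print("unexplained by Office baseline:", unexplained_fingerprinting(evts))
```

Run against the report's rows, the last line prints an empty list: the fingerprinting is real but it is the Office hosts doing it, so on this report the signature adds weight only in combination with the process tree and dropped files below.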
Processes
EXCEL.EXE (PID 3860, top level)
  Image:        C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls"
  Signatures:   Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

WINWORD.EXE (PID 3344, top level)
  Image:        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  Signatures:   Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  splwow64.exe (PID 4080, child of PID 3344)
    Image:        C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288

svchost.exe (PID 3812, top level)
  Image:        C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Reading the tree: EXCEL.EXE is the only process that was handed the sample on its command line. WINWORD.EXE runs with -Embedding and no document, which is how an Office host looks when the COM activator starts it on behalf of another process (an OLE object or an automation call) rather than when a user opens a file, so its activating parent is absent from the tree. The only WriteProcessMemory IoC is WINWORD.EXE (3344) writing into splwow64.exe (4080), the print-spooler helper it created itself; that is the parent-to-child write that accompanies process creation, not a write into an unrelated process. The report does not record what inside the XLS caused Word to be activated.
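The three checks an analyst applies to that tree, written out as an added example that is not part of the Triage report: which Office host was COM-activated, whether any Office host has a child it should not have, and whether each WriteProcessMemory row is a parent writing into its own new child (process creation) or a write into some other process (the injection pattern). Parent links follow the report's nesting; OFFICE_HOSTS and EXPECTED_OFFICE_CHILDREN are assumptions, not something the report states.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None  # None: parent not in the tree (service host or COM activation)


# The four processes from the Processes section. Parent links follow the report's nesting:
# splwow64.exe sits under WINWORD.EXE, the other three are top-level.
PROCESSES = [
    Proc(3860, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
         r'"C:\Users\Admin\AppData\Local\Temp\f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls"'),
    Proc(3344, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding'),
    Proc(4080, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", ppid=3344),
    Proc(3812, r"C:\Windows\system32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"),
]

# The "Suspicious use of WriteProcessMemory" rows as (writer pid, target pid); the report lists the row twice.
MEMORY_WRITES = [(3344, 4080), (3344, 4080)]

# Assumptions: the Office images we treat as document hosts, and the one child an Office host
# creates on its own for printing. Any other child of an Office host is reported.
OFFICE_HOSTS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def by_pid(procs):
    return {p.pid: p for p in procs}


def com_activated_office(procs):
    """PIDs of Office hosts started with -Embedding: launched by the COM activator for another
    process (an OLE object or automation client), so they carry no document on the command
    line and their real trigger is not their parent."""
    return [p.pid for p in procs
            if basename(p.image).upper() in OFFICE_HOSTS and "-Embedding" in p.cmdline.split()]


def unexpected_office_children(procs):
    """(parent pid, child pid, child image) for every child of an Office host that is not on
    the expected list. Empty for this report: the only child is splwow64.exe."""
    table = by_pid(procs)
    found = []
    for p in procs:
        parent = table.get(p.ppid) if p.ppid is not None else None
        if parent is None:
            continue
        if (basename(parent.image).upper() in OFFICE_HOSTS
                and basename(p.image).lower() not in EXPECTED_OFFICE_CHILDREN):
            found.append((parent.pid, p.pid, basename(p.image)))
    return found


def classify_writes(procs, writes):
    """A parent writing into a child it has just created is what process creation looks like
    from the parent's side; a write into any other process is the injection pattern."""
    table = by_pid(procs)
    verdicts = {}
    for writer, target in sorted(set(writes)):
        tgt = table.get(target)
        if tgt is not None and tgt.ppid == writer:
            verdicts[(writer, target)] = "parent-to-child (process creation)"
        else:
            verdicts[(writer, target)] = "cross-process (possible injection)"
    return verdicts


if __name__ == "__main__":
    print("COM-activated Office hosts:", com_activated_office(PROCESSES))
    print("unexpected Office children:", unexpected_office_children(PROCESSES))
    for pair, verdict in classify_writes(PROCESSES, MEMORY_WRITES).items():
        print(pair, verdict)
```

The allowlist is the part to keep small: splwow64.exe is expected because Office spawns it for printing, but a script host, PowerShell, or an executable from a user-writable directory under an Office parent is the finding this tree would otherwise hide.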
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded)
  Filesize: 1KB
  MD5: 7fb5fa1534dcf77f2125b2403b30a0ee
  SHA1: 365d96812a69ac0a4611ea4b70a3f306576cc3ea
  SHA256: 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
  SHA512: a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

(no path recorded)
  Filesize: 436B
  MD5: 971c514f84bba0785f80aa1c23edfd79
  SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
  SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
  SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 471B
  MD5: e976fc9a93c97a403703a4f20b6638f1
  SHA1: 2e267d636364a7df4a4f85ee8854a69465d27e73
  SHA256: c4b1cb9afd0887326f9743a1ec64a9b33abb8905bc27e31a4d65e9755b2fd922
  SHA512: dd1a409126b6eef4d04f89765f34b24c46b7880c41e438aca7da66704fc2c2386d5b61b5b41c15f66451d6c2bf11e6304bb6e9ee442f3fb934fe6c419720ba08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Filesize: 174B
  MD5: a377addfde8e059e37fd4a5aa797f34a
  SHA1: f60c422900f5ec98d4b4ce2dd219cc66992c7d2d
  SHA256: b2f1ad68c41338ff26ce4e6fa2c2188036936fd44dca4386db9c20f8e0c6e325
  SHA512: 32d15c4cfbfea6191a22d0ce3fb5aaf24ac87ba80c39aea7ea2791ab290b0816bd53df96aee444ee7aa350e0d87977ff2b8826bd21a3cfe0cb84bc76a120a466

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
  Filesize: 170B
  MD5: 3e8c5651213872d1ff3cc996e4d7a297
  SHA1: a94b99b9ab0e243329d0dfb9a644d30c4b3fa744
  SHA256: e5c603251b29adcf220c754eb000c23c15ee2d6bfa9562d3892095c6ac172f51
  SHA512: 6c31fc7972b7a67594947cc26b1c3b3e16ccaeed8714afefa029eca52b78e2f16e8be54b47734d2c582c5d32345112fc09b9ff3702bf214d93a2ece457a3a528

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 412B
  MD5: a07b854f44202807c64119f4b9443f1b
  SHA1: 7ee46df551786821d69d5739f2d166d129aad1f0
  SHA256: d0182b048523b2b57b83d55cc2bde6f58d5e951dacdbe51f0cb8f2bbebac7a34
  SHA512: 2ef9b91a2b55a1c53598d42390350d32c426428db18aed6756a6e6b531c3c92fb57cab0d986dfccfdd4030094bfa357fbf006cdad7cf868c917826cf7b6e6af0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\89034C27-AA9B-4B4B-847D-BDAD6552C5A0
  Filesize: 170KB
  MD5: 2a447477d6c180d91c125e725cf24344
  SHA1: 8a7faa74dd57eab31773e847ed3f696e4e28ccae
  SHA256: b7e0302ed3d261bfb85ad95c1da2ac6a5589ab640e3636d86082acc3e23a9f4e
  SHA512: d7b48a6e9f4136132d8b12dd291d2f4b88a4547e8bd138b6dbe494a78ffd8b426bae0b8368d8f66934678ca533d85009714976bdea8a6f06356bb4b4f0391193

(no path recorded)
  Filesize: 11KB
  MD5: 5d17887488dd54905337bf9cc610dbb1
  SHA1: b1e2af9bc1da3ed0975d834f05042b9171d80a4c
  SHA256: 1591b6ece1fab8efc8bf74ee4b8d1e0ccb2f13c4ebefcbbeda11db538d8d2d82
  SHA512: 303e1d3c6695798cb2229e13809dd62c5f0c66a1cfe5c324f977793c18d6316acbaedc183602f051e78d3f7ff037bea8585bf52a579d79e82be025364d67cac1

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: dcd496d48951b96093ee1b4fca50a67c
  SHA1: 1be4fd1fa0442670ac5ed43b359517dcdef33491
  SHA256: 9ebb3813058a3939351ee8621b559c51757fc9658a27f4e1cfcf680deb0db05c
  SHA512: 925ddb3a15424c97a389a10b2ff38ca1544bd156c5e8c478e6dd643042eb5a05e859b1518612cbafbcbb6d96c69561e00f79bb828a38bbe49000ddd1d0cfeb83

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: e9e7a0aad3e30e0b3e7d083a2efe53e7
  SHA1: 23fb32fec70222bc5bdaadcd2444164dca85fb1c
  SHA256: eae979a726234ae0c3ac5332c287903aa5e1bd35d81eeb40e22697293dfb01c8
  SHA512: 72fa3657957bbc2f9d44fc33349d9c40026fa4196ecf10adbfe0adbb61ed7151e5c0d0d189c28a1ed6de5857352e68e26d87992cccd89afc376ff88263ba9a51

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\weneedbuttersmoothbunwhichreallyniceandyummywithbutterbunwhichnotknowwhyshecantunderstandbuttersmoothbutterbun____chocolatebunyummyhere[1].doc
  Filesize: 80KB
  MD5: 03c634f3b71f5dcfca4f2016482bf5f2
  SHA1: b559111214ecd6318c86acc86836fbc96ac7ebf6
  SHA256: 6e2b7a094b6dc5bcf9880332f39b6dd6eefd711d6835bb289493cae6896c26b9
  SHA512: 91492321ef3cd9ea631bfaa7817d4602faae07a89a9f30c0ae99e9d017c941919c365c33e226d8d0081d17b8053b2850ba086ce39bc94137c91dc7d21e48bc7e

(no path recorded)
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

(no path recorded)
  Filesize: 235B
  MD5: 73e362506c49a8ddf2ac0ce722ec59f8
  SHA1: 69d0c4ea06e56f4b703176eeba9629826098147a
  SHA256: 1232cefdf0dc25c8723cce7b6548f80deac681626c09e5b376c05a1a7e7aff27
  SHA512: edadb5278846c19b675d1326544262f2edc009df03a8271b6608bd3a3037c57c3a79d5bd6a488fd1238e57ecd3f72ed7bb4cb4e2bb1e7bb950736a05d27ae54c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 1KB
  MD5: 139cdb3b2b75f4db0795c7726e3d174e
  SHA1: f4b283f51d8c93ae64ec5afa95858911de7280f7
  SHA256: e25eb4921b2f7e9e030a90a4ca9e42256aab017abaf12113d9f00ac4536f3b9a
  SHA512: d366b72b729395559b64cb6443fb73bd1158c4f4ad848e778b36f40da731f09b277586c080af8d68343081875972612670bc5ebeb9c2624955acdfdce4c0533b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 2KB
  MD5: 21bc5cb528aaf09d30a964e1f5337379
  SHA1: 58bc5c7c8b7ec0587dbab7f8697894abf5d444a6
  SHA256: aead4e4f66d5b0156961802e3e55e654a28903618675b860538c0dc6eef35f94
  SHA512: b28ac66100c1b211eefa828481ce11c3536c46fc9facb2efa217e181fb29989b7d790542a729c1df249511adcabc525c17a9c5fd6bb6ac8ffaac67e9601395a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (second version of the same file, written later in the run)
  Filesize: 669B
  MD5: 68e18a3d36644db86ea97d1077297678
  SHA1: 90beb924119e9dc4e6261907a4271331fb234b77
  SHA256: f1237e72919e950826bdef9db2f0a806dc6b3d0e8c9dfec2e6d6a4bd28b98219
  SHA512: e2d9ec23c7fe9467f897b1977de2fad3ff17cbdc1fc50f68420d0475ac88e9566e45ee520a4bf1068660c57be7892218f064d43a3908d9ba16eb8056935fa1a9

Most of these are housekeeping: the CryptnetUrlCache entries are CryptoAPI's certificate-chain (CRL/CTL) cache, the TokenBroker and WebServiceCache entries belong to Office's own sign-in and service calls, and the CustomDestinations files are the Recent-items jump lists Office updates when a document is opened. The one artifact worth pulling is the 80KB .doc under INetCache\IE\: that directory is the WinINet cache, so the file was retrieved over HTTP during the run, and the report records neither the URL it came from nor which process fetched it.