Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/08/2024, 02:37
Static task: static1
Behavioral task: behavioral1
  Sample: e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls
  Resource: win10v2004-20240802-en
General
Target: e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls
Size: 331KB
MD5: 88683824dbd986b04614f87932b353e2
SHA1: 2337105e97292f73355a9bec6ab557801291958a
SHA256: e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d
SHA512: 51085d772bdcb96630a96ab549224b3acf93a60685df0ef33bc844a917e595df99ee6554fbbb28a611b2ea96a63aaf4a666fbeed9a14a987d5645c5f654a5d97
SSDEEP: 6144:busFsN2M9GMzJexttr9+nkpJsJV5ehYxH/P1ljNGEMo:Ksg9GDtIkTynxf8Er
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that Office applications also read these keys (and the BIOS keys in the next signature) during ordinary startup, and here EXCEL.EXE and WINWORD.EXE both do so in the same way, so on its own this hit is weak evidence of evasion and should be weighed together with the process tree and the dropped files.
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  1216  EXCEL.EXE
  4972  WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeAuditPrivilege  4972  WINWORD.EXE
Suspicious use of SetWindowsHookEx (16 IoCs)
  pid   Process      hits
  1216  EXCEL.EXE    12
  4972  WINWORD.EXE  4
Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process      procid_target
  PID 4972 wrote to memory of 3632  4972  WINWORD.EXE  95
  PID 4972 wrote to memory of 3632  4972  WINWORD.EXE  95
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
No IoC rows are attached to these three signatures in this run, so the report records only that the interfaces were touched; it shows no scheduled task being created and no shadow copy being deleted.
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 1216, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4972, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  The -Embedding switch means Word was started as an out-of-process COM/OLE server rather than by a user; this is how an OLE object embedded in another document (here the workbook open in EXCEL.EXE) is activated.

  C:\Windows\splwow64.exe  (PID 3632, depth 2, child of WINWORD.EXE 4972)
    Command line: C:\Windows\splwow64.exe 12288
    splwow64.exe is the 32-to-64-bit print driver thunking host that Office starts for printer and rendering work. The two WriteProcessMemory entries above target this child; a parent writes startup parameters into a process it has just created, so these entries are consistent with process creation rather than injection into an unrelated process.

C:\Windows\system32\svchost.exe  (PID 3844, depth 1)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
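The registry reads, the -Embedding launch and the WriteProcessMemory entries above are easier to reason about as rules over the event stream than as isolated signature hits. The following Python is an added example, not code from the Triage report or from Hatching: it encodes the two registry signatures, the OLE-server launch and a parent/child test for WriteProcessMemory as functions over an event list constructed from this report's rows, then runs a constructed counter-example (a PowerShell child of WINWORD.EXE and a write into svchost.exe, neither of which occurred in this run) to show the rules separating expected parent-to-child writes from injection. The field names, rule names, SCRIPT_HOSTS list and weights are this example's own assumptions, not Triage's scoring.

```python
"""Behavioural rules re-implemented over constructed sandbox events.
Added example, not code from the Triage report or from Hatching. Event rows are
constructed from the report's registry, process and WriteProcessMemory entries;
field names, rule names, SCRIPT_HOSTS and weights are this example's assumptions."""
import re
from collections import defaultdict

OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
# Children an Office process has no ordinary reason to start (assumed list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Key prefixes behind the report's two "system info in registry" signatures.
FINGERPRINT_KEY = re.compile(
    r"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(CentralProcessor|BIOS)\b",
    re.IGNORECASE)

# Constructed from the report: PIDs, images, keys and the process-tree nesting.
EVENTS = [
    {"type": "process", "pid": 1216, "ppid": None, "image": "EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls"'},
    {"type": "process", "pid": 4972, "ppid": None, "image": "WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding'},
    {"type": "process", "pid": 3632, "ppid": 4972, "image": "splwow64.exe", "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"type": "process", "pid": 3844, "ppid": None, "image": "svchost.exe", "cmdline": r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"},
    {"type": "registry", "pid": 1216, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"type": "registry", "pid": 1216, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    {"type": "registry", "pid": 4972, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"type": "registry", "pid": 4972, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"},
    {"type": "wpm", "pid": 4972, "target_pid": 3632},
    {"type": "wpm", "pid": 4972, "target_pid": 3632},
]

# Constructed counter-example, NOT observed in the report: the same tree plus a
# PowerShell child of WINWORD.EXE and a write into svchost.exe's memory.
EVENTS_INJECTED = EVENTS + [
    {"type": "process", "pid": 5000, "ppid": 4972, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"type": "wpm", "pid": 4972, "target_pid": 3844},
]

def process_table(events):
    """pid -> process record, so rules can follow parent/child links."""
    return {e["pid"]: e for e in events if e["type"] == "process"}

def fingerprint_reads(events):
    """Which processes read CPU/BIOS keys. Office does this on normal startup,
    so a hit is corroborating evidence only and carries a low weight."""
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "registry" and FINGERPRINT_KEY.search(e["key"]):
            hits[e["pid"]].add(e["key"])
    return dict(hits)

def embedding_launches(events):
    """Office image started with -Embedding: an out-of-process OLE/COM server,
    i.e. an object embedded in another document is being activated."""
    return sorted(e["pid"] for e in events if e["type"] == "process"
                  and e["image"].upper() in OFFICE_IMAGES
                  and re.search(r"(?i)(^|\s)-embedding\b", e["cmdline"]))

def classify_wpm(events):
    """Split WriteProcessMemory into writes to the writer's own child (what a
    parent does while creating a process) and writes into unrelated processes."""
    procs = process_table(events)
    out = {"own_child": [], "foreign": []}
    for e in events:
        if e["type"] == "wpm":
            target = procs.get(e["target_pid"])
            bucket = "own_child" if target and target["ppid"] == e["pid"] else "foreign"
            out[bucket].append((e["pid"], e["target_pid"]))
    return out

def office_spawned_script_hosts(events):
    """High-confidence maldoc indicator: Office parent with a script/LOLBin child."""
    procs = process_table(events)
    return [(p["ppid"], p["pid"], p["image"]) for p in procs.values()
            if p["ppid"] in procs and procs[p["ppid"]]["image"].upper() in OFFICE_IMAGES
            and p["image"].lower() in SCRIPT_HOSTS]

RULES = [  # (weight, reason, predicate); weights are assumed, not Triage's scoring
    (1, "CPU/BIOS registry reads (weak on its own)", lambda ev: bool(fingerprint_reads(ev))),
    (2, "Office OLE server launched with -Embedding", lambda ev: bool(embedding_launches(ev))),
    (5, "WriteProcessMemory into an unrelated process", lambda ev: bool(classify_wpm(ev)["foreign"])),
    (8, "Office process spawned a script host", lambda ev: bool(office_spawned_script_hosts(ev))),
]

def triage_verdict(events):
    """Combine the rules into one score plus the reasons that fired."""
    fired = [(w, r) for w, r, pred in RULES if pred(events)]
    return {"score": sum(w for w, _ in fired), "reasons": [r for _, r in fired]}

if __name__ == "__main__":
    for name, ev in (("report", EVENTS), ("constructed injection", EVENTS_INJECTED)):
        print(name, triage_verdict(ev))
```

On the report's own events only the two low-weight rules fire (registry reads and the -Embedding launch), and both WriteProcessMemory entries land in the own_child bucket because splwow64.exe is WINWORD.EXE's child; the constructed variant is what a detonated maldoc would look like, with a foreign write and a script-host child pushing the score up. The same parent/child test is the first thing to apply to any WriteProcessMemory hit in a sandbox report before treating it as injection.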
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 7fb5fa1534dcf77f2125b2403b30a0ee
SHA1: 365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA256: 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512: a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Filesize: 436B
MD5: 971c514f84bba0785f80aa1c23edfd79
SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 471B
MD5: 6eb8c94f3742856b98d877591d5ee250
SHA1: 9627d3dcbc9f58b9d3844a1e84ae40a2673247a7
SHA256: ba51a748cee3578bb2167b1b1c39eec5fabe3f899d10a289ece22b97519eb61a
SHA512: 04d0212658d68c8288ae0cde389cc07de4fa9ed535ae6f83e3593407f75e4bce4303ab265a186bc8ba0ced8d0cda1d79da32d67f4c40b2e48435c432fc25acf7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 174B
MD5: f6a33a0e67837371a36726599651277d
SHA1: 7fbbec4c421641da37e44eeb49a31ab5286737de
SHA256: 880ce09ed9cab8e94978dc29214374474447cd9d1ca551a996683779317d0e33
SHA512: feaa98309953f126c2293b58557969b371776849e03d3edd2b17e1fda1547533f8009af78e711ecc7e7a981a19cd689c9531c5c5ed1468fbaeb0cd4ca1b601a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 170B
MD5: b2108ba0fc55cd5b5d1873e9b0955a60
SHA1: d1e8996348057a5841d46480d86157aab43d36b1
SHA256: 4cae43d07478fd0c679abff2170096dc6d8dcb487fb1df9e83f9474e385b8c34
SHA512: 3d5c56948dc79c7b3b4d19fb8c47e2a1e33c5782720a959753cb284fe6a4a353019266ee30621088d48ad69dc706cb5ca25627b66de113c4ef95bdaa69f830d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 412B
MD5: 7e67890934b6fd2ca25555ccd0292125
SHA1: 5c19134cc475a46916a638c25d2c60577ef603c9
SHA256: 24c1ebae245cc265132fa136d3edf4df713f166d7a80c537e1b0b652598e6306
SHA512: 86f7734cd78c1936d2c2d868e69fb6e6175ffc1ac890112f0520182e48d62969ac577cee7e5320c4d9d63efb6999ff6d032a7f511a3a73b82f10c28b588a7f6a

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\32394918-98CD-4B28-B9FF-81618B3A38A7
Filesize: 170KB
MD5: 7aceab4c91090a0718798f4397dfcd72
SHA1: c91df68eb0698b167da78489b6f6a1b29642c374
SHA256: c59a3175e73cf68bbd3c096aa5bb9bce0889f57c8b9b55d4d6e6484110261ecf
SHA512: e9ddde953d3481996700ec5cbd4f19883b0751eee6d7a626af4ae6d3354154b64c4b8aa6175c5e93d99f69254ea251d1017d81b716e6e9698713c155334d8139

Filesize: 11KB
MD5: 4ffa9c0cbe79398338072f84a91bd48d
SHA1: a410b7e9728043b590be54dfe17be3872232ec15
SHA256: 040a6bcb8678ce56ce271f557a24abc35f7647d45c4f1588a6b3a700a42325cf
SHA512: 4f2ebeec93d6b8bab4dc1712a547b9a35f1583286a19f9a3083676e964276369e7fc98632ff611de8fecb3bc445cb4fd6d2e8a398dfb00a47f4048ec92c9cfe9

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 1756314dbeaf0c3a174368db659e063e
SHA1: 5cda5ee084e300aec26fe8a89303801ad7e91d9d
SHA256: a488fde549f9b42963764f8eeb20104a95e84279082c1752a713ad5f7115474d
SHA512: d6f262ee711289e09fc7acd7f21f7b84610de64697b69ca628212e6f3776872c92fa72efd11c99545af14db01eddea049dbdd769a7f3bac5a95d7e8acefec9c4

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 7ed9ac7246c1c8a33d3d2f9583c7c97b
SHA1: 9c726ddfaf6489692632e05f07b1eedbf6bc7d5d
SHA256: 2081b5f85ba5ab91623768939671d3698fbdd0ab5b522090a6011c2243684158
SHA512: 8b3148b4c42bea7ffc86693e44849d83c25def3d5ddbe53034aaa95f6031e1b9e37485688c9f196742bd539ce004f795d7ee2e94f2003c6ea8d64752e0cbaa33

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\yummybuttercakeaddedchocolatewithsugarandotherthingswhichmakecakewillbehappyentireprocesshappeneingwithnew___yummybuttercakebun[1].doc
Filesize: 88KB
MD5: ce3b08f58d579862f5b03bb1f563f9f9
SHA1: aa9339e51447b2766306991a1b7c489b483da9ea
SHA256: 3d7634a57671a2cb7c21f514374d28280fc3708f114ab73e0593ac911111e882
SHA512: 327fac685fcd6d53aa7ac2ec854f3b4b7f8f2b7f47632948a931a098ea19607d3dfe58d36dc35024b8da468c82eedb855a2619328b82b81a7835ee72b1197308
Note: this is the one document dropped during the run and the artifact to pivot on; the CryptnetUrlCache, TokenBroker, WebServiceCache and CustomDestinations entries are CryptoAPI, Office sign-in, Office configuration and jump-list cache files that Office writes in normal use.

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 335B
MD5: 84b2931311f073f61eb1fa92667c3d47
SHA1: b623c31a6254118fad4a0eba299e8d29349f7bac
SHA256: 6e452479a8898e96fc51ff7cf7db6611e3042c157058da567aaba9759d4f34a1
SHA512: e4d106af90e3ef8ea7bd4c4340ace1ffdf5e1392f0476935e4db4b8af9f4e38cd77f1b9e37bff108cb8bb83fee7b26637cb8962bc906bc25959b02cd6d78465a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 3KB
MD5: 4b1a9daf8a80bf87fe9928c44401511b
SHA1: 56871f5f9c4bf4d8db5cf8f6014a94359058a9cd
SHA256: 39174157a121385435ca7373363bbf4659372c44d4a431a027b591e267b864b4
SHA512: 07b38481a91c0f29b930172305c6a02460695d1a9e69bec6673af5e8942a3ca7a8ca53f46fa38e604f3e0af54ee183517dfd86d570d61cb7c000499cd33a33e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 7400ee7a714868f66a1dd1cc1ab704af
SHA1: 7b06e4321907c8e25d2f99461367561f363fdfc0
SHA256: 98e6c322540145636ecccd006e89781c830dc862211fa89d741ff45c39b4f3ba
SHA512: a0b2d79cc90ffda21c112aa066cb1a780788253234cf7a0afa002cc30a621c67fd6278ea7490926793a81258f81dcd66c5adbb887aedda196f1adfee4c6e5db6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: a64b37dd994ad30c84b016c6d2f02185
SHA1: 5da20f1ccc545e4c871b2ec4050b16dec7fd2a2d
SHA256: e12be60e6eaffa90667278765427f03216f38277da386d29d4e1929ab4d63df4
SHA512: 26e754cbf5ad079ed1f5a204c2b2c5e5c6afe7517e759c0fc7fd8473825cc2c8effbc1b5cf3326fd9f573f06481c03a4a3f0414589fd37f677925e1c7cad3ae3