Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

b0cd17647f...83.xls

windows7-x64

10

b0cd17647f...83.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2024, 03:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483.xls

  • Size

    645KB

  • MD5

    a9a9c2318ac29160ece850c60e6b7aa6

  • SHA1

    67701eb4f6813927c5262edf55d9943146f521a2

  • SHA256

    b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483

  • SHA512

    c5db07d40516e468835e827fbf9643a442c4ebbd0c2941c97f4d00010fbe66b032be8a1fcdf568515f727810a7d7f0bf0c2707ac40a20c55616fb72c85166c1c

  • SSDEEP

    12288:UbWNHd0zBRlrOiVNYNPPg1O+R8G7kN/eTXjWxMyPg+8FlX0iv6p:8sd4rrV6NP41ttkN2TQXbEb

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\System32\mshta.exe
      C:\Windows\System32\mshta.exe -Embedding
      2⤵
      • Process spawned unexpected child process
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    2KB

    MD5

    800600b2d1ef65035ec0f637bd8dd2ae

    SHA1

    05aa88f92ced86a647b198fe062014c1834ca602

    SHA256

    53860b03d1724a8999962396ed07392e0007febcc05792c013f4a3e5be9bfe2d

    SHA512

    c58863e306a05f2d1f61501961ad00ed0f7aee44e1683ee6c23016b594558aaf88a00acbfcbb6b75081f5ffef8b0edf5142ae476dea983a58e6abb9fcec658ca

    Download Submit

  • memory/528-13-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-15-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-1-0x00007FFD560CD000-0x00007FFD560CE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/528-6-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-5-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-8-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-9-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-7-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-10-0x00007FFD138B0000-0x00007FFD138C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-4-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-11-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-12-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-14-0x00007FFD138B0000-0x00007FFD138C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-0-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-2-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-20-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-17-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-19-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-18-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-16-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/528-3-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-48-0x00007FFD560CD000-0x00007FFD560CE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/528-47-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2028-44-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2028-45-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2028-42-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2028-52-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2028-53-0x00007FF6EB4B0000-0x00007FF6EB4B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2028-40-0x00007FFD56030000-0x00007FFD56225000-memory.dmp

    Filesize

    2.0MB

    Download