Analysis
max time kernel: 133s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 21:29
Behavioral task: behavioral1
Sample: ed6023ae4f18301c0c3e9c2997955d11cf7cdad80aa0303a8d6837d861379bb6.xls
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ed6023ae4f18301c0c3e9c2997955d11cf7cdad80aa0303a8d6837d861379bb6.xls
Resource: win10v2004-20241007-en
General
Target: ed6023ae4f18301c0c3e9c2997955d11cf7cdad80aa0303a8d6837d861379bb6.xls
Size: 95KB
MD5: f3ae09b1fad1eb357e7b7a58096db206
SHA1: a7858a75bea6f7d1c533cd0877ca9e7cb788536d
SHA256: ed6023ae4f18301c0c3e9c2997955d11cf7cdad80aa0303a8d6837d861379bb6
SHA512: 615dfffaf9eaafb79ea7c8652e729215c28ee21e8494b188a1ba4de6e8d6f41d17653372db690df587908d2b87282005ebc5fa895dee48add7fa972c588cae48
SSDEEP: 1536:PFKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgWHuS4hcTO97v7UYdEJmt6:tKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg8
Malware Config
Extracted
http://francite.net/images/XI7zS0X1nY/
http://chadhymas.com/wp-admin/ZuFQrj/
https://cointrade.world/receipts/Sa6fYJpecEVqiRf05/
http://cupsolution.com/voreglas/kmXpSvyai/
Signatures
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 464 | 4596 | regsvr32.exe | 84
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1112 | 4596 | regsvr32.exe | 84
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2628 | 4596 | regsvr32.exe | 84
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4716 | 4596 | regsvr32.exe | 84
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
4596 | EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4596 | EXCEL.EXE
4596 | EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
4596 | EXCEL.EXE (12 identical entries)
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 4596 wrote to memory of 464 | 4596 | EXCEL.EXE | 90
PID 4596 wrote to memory of 464 | 4596 | EXCEL.EXE | 90
PID 4596 wrote to memory of 1112 | 4596 | EXCEL.EXE | 94
PID 4596 wrote to memory of 1112 | 4596 | EXCEL.EXE | 94
PID 4596 wrote to memory of 2628 | 4596 | EXCEL.EXE | 96
PID 4596 wrote to memory of 2628 | 4596 | EXCEL.EXE | 96
PID 4596 wrote to memory of 4716 | 4596 | EXCEL.EXE | 97
PID 4596 wrote to memory of 4716 | 4596 | EXCEL.EXE | 97
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4596)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ed6023ae4f18301c0c3e9c2997955d11cf7cdad80aa0303a8d6837d861379bb6.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\regsvr32.exe (PID 464)
    command line: C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
    - Process spawned unexpected child process
  C:\Windows\System32\regsvr32.exe (PID 1112)
    command line: C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
    - Process spawned unexpected child process
  C:\Windows\System32\regsvr32.exe (PID 2628)
    command line: C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
    - Process spawned unexpected child process
  C:\Windows\System32\regsvr32.exe (PID 4716)
    command line: C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 3KB
MD5: 15bf4fd3ebd96e4301da68a931840f1f
SHA1: f2eba2b5dc8b35f8fa124c64051a787688cc2c66
SHA256: 1518c9be3298d61a99a6e3a2018a47642c43f4303453b42ef204b3cf0649a91a
SHA512: 8ac677c2d5beb012c5e0311769feaf7958742d3ee1751c2c4e47143cc2b1de300423185be165bd41269c8be4825167f3f8078b4099c20adb3c2968caed721086

Filesize: 1KB
MD5: fac397ca3d45a08e7ad3555b9e0bbd18
SHA1: 25715a7cf32c917132d77ba4f98a88b73311bb50
SHA256: 7d6c39aa1f8f18a1a726ab0d3149589042f7cc760727af8e07b737b12d6e7528
SHA512: bafbd308d942262c819aa2d0432de9d919a711ecc6386e3d671ea36e0a805fff3c09a87b08a660997eb701d63dab38111a97ded4fff4af990ddac40f11b05790