Analysis
- max time kernel: 133s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 21:28
Behavioral task behavioral1
- Sample: 27eaac2d6f8b1a093074359e85e1deb5f1b5785381b49f6143849c583b1982fd.xls
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: 27eaac2d6f8b1a093074359e85e1deb5f1b5785381b49f6143849c583b1982fd.xls
- Resource: win10v2004-20241007-en
General
- Target: 27eaac2d6f8b1a093074359e85e1deb5f1b5785381b49f6143849c583b1982fd.xls
- Size: 94KB
- MD5: d526bceaedb1395c2450d92b345c9cbb
- SHA1: eb9afb5afd34908a0ae72eec5c0094c0d84818de
- SHA256: 27eaac2d6f8b1a093074359e85e1deb5f1b5785381b49f6143849c583b1982fd
- SHA512: b5866f7d4b3b60f1b80589c1766559d646b2b95ba9c0eb4b7869d2b3d2692e21b9e5d87af860ce19758a71163be88e3f0cd4dc0da3b332d2c7026f241b5d7171
- SSDEEP: 1536:JsKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgSUZx6FyxC3YGbl7BgWDFsqtNhWmDJdWZ:6Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgx
Malware Config
Extracted URLs:
- https://bosny.com/aspnet_client/NGTx1FUzq/
- https://www.berekethaber.com/hatax/c7crGdejW4380ORuxqR/
- https://bulldogironworksllc.com/temp/BBh5HHpei/
Signatures
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4036 | 2168 | regsvr32.exe | 82
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4612 | 2168 | regsvr32.exe | 82
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1216 | 2168 | regsvr32.exe | 82
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2168 | EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2168 | EXCEL.EXE
  2168 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  2168 | EXCEL.EXE (all 14 IoCs carry this same pid and process)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2168 wrote to memory of 4036 | 2168 | EXCEL.EXE | 94
  PID 2168 wrote to memory of 4036 | 2168 | EXCEL.EXE | 94
  PID 2168 wrote to memory of 4612 | 2168 | EXCEL.EXE | 95
  PID 2168 wrote to memory of 4612 | 2168 | EXCEL.EXE | 95
  PID 2168 wrote to memory of 1216 | 2168 | EXCEL.EXE | 98
  PID 2168 wrote to memory of 1216 | 2168 | EXCEL.EXE | 98
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2168)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\27eaac2d6f8b1a093074359e85e1deb5f1b5785381b49f6143849c583b1982fd.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\regsvr32.exe (PID 4036)
    Command line: regsvr32 C:\Uduw\soam1.OCX
    - Process spawned unexpected child process
  - C:\Windows\SYSTEM32\regsvr32.exe (PID 4612)
    Command line: regsvr32 C:\Uduw\soam2.OCX
    - Process spawned unexpected child process
  - C:\Windows\SYSTEM32\regsvr32.exe (PID 1216)
    Command line: regsvr32 C:\Uduw\soam3.OCX
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 1KB
  MD5: 98e36fce7b298c53b5c2e34bd4e7a34f
  SHA1: 133f724f3863381cce37043ebc6bc6d8796a3a89
  SHA256: f51c4ef2478d4b83cfdd1ffccd59a2bbe692d5e32e60d826a467aa8b52584bd4
  SHA512: 56cf7018ef32290e993129a8e1ab8e78eb6da43e376a7f879a687f8c36874fb85b770e4eadeaba5e269b4fbd2496d9f47cdb385da17b04cd9766ae0970eb4511