Analysis
- max time kernel: 133s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 21:33
Behavioral task behavioral1
- Sample: ec3b498aa7562959d8cee9a8d8ff27b31f4b74dfe9e4371af8a7b09d92840231.xls
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: ec3b498aa7562959d8cee9a8d8ff27b31f4b74dfe9e4371af8a7b09d92840231.xls
- Resource: win10v2004-20241007-en
General
- Target: ec3b498aa7562959d8cee9a8d8ff27b31f4b74dfe9e4371af8a7b09d92840231.xls
- Size: 95KB
- MD5: 5b38e8f1824ecf2e3022afc2b8dedb40
- SHA1: 2d16b468ff3e214c252eaf10b77ed2eb653cf0ee
- SHA256: ec3b498aa7562959d8cee9a8d8ff27b31f4b74dfe9e4371af8a7b09d92840231
- SHA512: f39ae92f3c31923e984b5e66484db27194634a7b4d9d783d484adf4a51b22009914e534e2cf4139f179562c6bfae75ea6994351a89f2d8a4ccfeb4ab38ee209e
- SSDEEP: 1536:UkKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg4HuS4hcTO97v7UYdEJmw:bKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg+
Malware Config
Extracted URLs:
- https://cointrade.world/receipts/0LjXVwpQrhw/
- http://www.garantihaliyikama.com/wp-admin/jp64lssPHEe2ii/
- http://haircutbar.com/cgi-bin/BC3WAQ8zJY4ALXA4/
- http://airhobi.com/system/WLvH1ygkOYQO/
Signatures
- Process spawned unexpected child process (4 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4220 | 2316 | regsvr32.exe | 82
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4044 | 2316 | regsvr32.exe | 82
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1984 | 2316 | regsvr32.exe | 82
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3356 | 2316 | regsvr32.exe | 82
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2316 | EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2316 | EXCEL.EXE (2 identical entries)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  2316 | EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2316 wrote to memory of 4220 | 2316 | EXCEL.EXE | 88
  PID 2316 wrote to memory of 4044 | 2316 | EXCEL.EXE | 89
  PID 2316 wrote to memory of 1984 | 2316 | EXCEL.EXE | 91
  PID 2316 wrote to memory of 3356 | 2316 | EXCEL.EXE | 92
  (each of the four entries above is recorded twice in the report)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ec3b498aa7562959d8cee9a8d8ff27b31f4b74dfe9e4371af8a7b09d92840231.xls"
  PID: 2316
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
    PID: 4220
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
    PID: 4044
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
    PID: 1984
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
    PID: 3356
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5B
  MD5: 5bfa51f3a417b98e7443eca90fc94703
  SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 3KB
  MD5: 669fdc14be0092f8847ef90043f1b94b
  SHA1: 688b5c54ba3690b3dbdcfe985e43fac532d88266
  SHA256: 4625420513f2c6bb6c2071fa296993f991e65a44d757088d246f039e03dfb23b
  SHA512: 9b32cd526b4d7c32131896d6e8473ee58ee185f381a531335ec724f18d40365b6c0696f7aca210c6dd17923f91d88f14c81bf0c010a7db7705249b48753a0dee
- Filesize: 1KB
  MD5: 654666b685cdd6c1bf27988c990e0a08
  SHA1: 3eca27089fc020d9c34283713eb747541f46d51d
  SHA256: 997647704991f185fe7ff6d686d25e96bcbb1428966c8119edb9fcc1f5d14362
  SHA512: 6e79458eb33337f6822ee2b8d46d10aa7dffc25fcb156fc4bfdf67cf78cf7166ee408963fecd787373d95682dbd476a398f6e8e10fbd40837922e85609aab93f