Analysis
- max time kernel: 133s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 21:35
Behavioral task: behavioral1
- Sample: 7886885fd08fcaa4b173e0b0dd06752926b872eb5f8ee191e25bf936cb6aedc2.xls
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 7886885fd08fcaa4b173e0b0dd06752926b872eb5f8ee191e25bf936cb6aedc2.xls
- Resource: win10v2004-20241007-en
General
- Target: 7886885fd08fcaa4b173e0b0dd06752926b872eb5f8ee191e25bf936cb6aedc2.xls
- Size: 45KB
- MD5: 5c00c538a4692acfac72ade253d3a3f9
- SHA1: 92152d8cdf87dc60b1505b5cc6792cc67cac478e
- SHA256: 7886885fd08fcaa4b173e0b0dd06752926b872eb5f8ee191e25bf936cb6aedc2
- SHA512: 44d4f310106730f198062ef64465d69f8c560d132ed0ac8883d9a58904a860ab83740f9397890d4ebc699068ce44411dbc775588b063293a207e9cff04bb455e
- SSDEEP: 768:bkPKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgAPVdtWgojJcFDqCRt6vuVUeJlV:bsKpb8rGYrMPe3q7Q0XV5xtezEsi8/d9
Malware Config
Extracted:
- https://fpd.cl/cgi-bin/83E0xgTMc/
- https://el-energiaki.gr/wp-content/plugins/really-simple-ssl/testssl/serverport443/WUV5PJA/
- https://www.manchesterslt.co.uk/a-to-z-of-slt/Ntrci3Ry/
- http://contactworks.nl/layouts/fFxKZabh/
- http://baykusoglu.com.tr/wp-admin/Y3sRBcOfZ34wg2sO/
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 4152; pid_target: 2160; Process: regsvr32.exe; procid_target: 82
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2160, EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2160, EXCEL.EXE (2 events)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  PID 2160, EXCEL.EXE (14 events)
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 2160 (EXCEL.EXE) wrote to memory of PID 4152; procid_target: 91 (2 events)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2160)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7886885fd08fcaa4b173e0b0dd06752926b872eb5f8ee191e25bf936cb6aedc2.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\regsvr32.exe (PID 4152), child of PID 2160
    Command line: C:\Windows\System32\regsvr32.exe ..\xdwno.ocx
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 1KB
  MD5: e666a6871653195de55ec2ef95615802
  SHA1: 0faf418913fa118f58a16739f8b5d1e871435c95
  SHA256: 3f1d1b23269277672a7662ebd338ae32da6c1393433b400cf487ae9c2823ce67
  SHA512: b4139907fdb54e3a410d0c1584597515aeee3a566e2e1b8b32df2feedda3a501edd383118266c7536464807218d9e826d5538e361983e4a9b4de97108967f3cc
- Filesize: 25KB
  MD5: 8cd3c109905ddb9afe61a50b08309b04
  SHA1: e102c758a1df661078e4f94daa92547aeb438126
  SHA256: f531beb78f404dce76f46154b9a79744d3b6341f30cc42edd2b83ab69c154d20
  SHA512: 9720ca0830540ea301f907568e6607d32766b95a08e2589f9d27c4cecaba78b044c19bfbfa755614da715a7bb7586836d8453c34f2852f5222584fb61be80b57