Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 21:44

General

  • Target

    b8cb0c71d6d89ffbd93695345e8b8178ec5a9fb30a7bd5af3c77fa6690e6957d.xls

  • Size

    126KB

  • MD5

    aae7aa048ac287f3239299b3bcde4fea

  • SHA1

    e65498fb484c94f28f56969be1685c8c4ec067fa

  • SHA256

    b8cb0c71d6d89ffbd93695345e8b8178ec5a9fb30a7bd5af3c77fa6690e6957d

  • SHA512

    1da22a7d07e7c5c000ad202c39cd5cc6e9d019dd6a11c8c4e86d5eb2cd1db9ef9350a6674acae5106194dd04540e7bf2a7b62fe7b550f9d26a3d76b5fddc5c8d

  • SSDEEP

    3072:LsKpbdrHYrMue8q7QPX+5xtekEdi8/dgR3Syz+nzQIceCRlCx:QKpbdrHYrMue8q7QPX+5xtFEdi8/dgRY

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    xlm40.dropper
  • URLs

Signatures

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b8cb0c71d6d89ffbd93695345e8b8178ec5a9fb30a7bd5af3c77fa6690e6957d.xls"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:5100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

    Filesize

    2KB

    MD5

    6f5735bea8846aec56b4a43df2ef215c

    SHA1

    ec794d8b8bcf02ce0e67b355604c8441550c08d9

    SHA256

    89ca6794487860330d911d052bde823b141cd8cc1c77ed859afc97f981c9ac68

    SHA512

    a09d6555acd9be7f868527d86fe24667a73d4bd0dd620b8d0705bb00e945337baf06caf1e47b74dc43ef8de8bc74ef5b0305fa20e04a8d5613daa4aeb829a979

  • memory/5100-4-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

    Filesize

    2.0MB

  • memory/5100-8-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

    Filesize

    64KB

  • memory/5100-2-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

    Filesize

    64KB

  • memory/5100-6-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

    Filesize

    2.0MB

  • memory/5100-5-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

    Filesize

    64KB

  • memory/5100-1-0x00007FF947F6D000-0x00007FF947F6E000-memory.dmp

    Filesize

    4KB

  • memory/5100-7-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

    Filesize

    2.0MB

  • memory/5100-3-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

    Filesize

    64KB

  • memory/5100-9-0x00007FF905750000-0x00007FF905760000-memory.dmp

    Filesize

    64KB

  • memory/5100-10-0x00007FF905750000-0x00007FF905760000-memory.dmp

    Filesize

    64KB

  • memory/5100-30-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

    Filesize

    2.0MB

  • memory/5100-31-0x00007FF947F6D000-0x00007FF947F6E000-memory.dmp

    Filesize

    4KB

  • memory/5100-32-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

    Filesize

    2.0MB

  • memory/5100-0-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

    Filesize

    64KB