Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 21:44
Behavioral task
behavioral1
Sample
b8cb0c71d6d89ffbd93695345e8b8178ec5a9fb30a7bd5af3c77fa6690e6957d.xls
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b8cb0c71d6d89ffbd93695345e8b8178ec5a9fb30a7bd5af3c77fa6690e6957d.xls
Resource
win10v2004-20241007-en
General
-
Target
b8cb0c71d6d89ffbd93695345e8b8178ec5a9fb30a7bd5af3c77fa6690e6957d.xls
-
Size
126KB
-
MD5
aae7aa048ac287f3239299b3bcde4fea
-
SHA1
e65498fb484c94f28f56969be1685c8c4ec067fa
-
SHA256
b8cb0c71d6d89ffbd93695345e8b8178ec5a9fb30a7bd5af3c77fa6690e6957d
-
SHA512
1da22a7d07e7c5c000ad202c39cd5cc6e9d019dd6a11c8c4e86d5eb2cd1db9ef9350a6674acae5106194dd04540e7bf2a7b62fe7b550f9d26a3d76b5fddc5c8d
-
SSDEEP
3072:LsKpbdrHYrMue8q7QPX+5xtekEdi8/dgR3Syz+nzQIceCRlCx:QKpbdrHYrMue8q7QPX+5xtFEdi8/dgRY
Malware Config
Extracted
http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/
http://izytalab.com/includes/1mafAX0kOa/
https://pcsolutionss.com/zSlT4HR92TiOpw5NM/
http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
https://wpl28.realtyna.com/wp-content/0b0ny5cPM/
http://www.efcballjoint.com/Template/AxEZPOfAa9/
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5100 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 5100 EXCEL.EXE 5100 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 5100 EXCEL.EXE 5100 EXCEL.EXE 5100 EXCEL.EXE 5100 EXCEL.EXE 5100 EXCEL.EXE 5100 EXCEL.EXE 5100 EXCEL.EXE 5100 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b8cb0c71d6d89ffbd93695345e8b8178ec5a9fb30a7bd5af3c77fa6690e6957d.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5100
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize2KB
MD56f5735bea8846aec56b4a43df2ef215c
SHA1ec794d8b8bcf02ce0e67b355604c8441550c08d9
SHA25689ca6794487860330d911d052bde823b141cd8cc1c77ed859afc97f981c9ac68
SHA512a09d6555acd9be7f868527d86fe24667a73d4bd0dd620b8d0705bb00e945337baf06caf1e47b74dc43ef8de8bc74ef5b0305fa20e04a8d5613daa4aeb829a979