Analysis
- max time kernel: 133s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 21:22
Behavioral task: behavioral1
- Sample: af7f1540e19b5a469573d5fedd33ffc1ce1dd157626306ecf5a80afb65b52952.xls
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: af7f1540e19b5a469573d5fedd33ffc1ce1dd157626306ecf5a80afb65b52952.xls
- Resource: win10v2004-20241007-en
General
- Target: af7f1540e19b5a469573d5fedd33ffc1ce1dd157626306ecf5a80afb65b52952.xls
- Size: 70KB
- MD5: 59ea30384b2bce2b2c1e8eb98603e517
- SHA1: cbe9c01093e6aafc08be8ad1e901a7e299bd3aa8
- SHA256: af7f1540e19b5a469573d5fedd33ffc1ce1dd157626306ecf5a80afb65b52952
- SHA512: beecaa0af23b566cf7c93296d5585dde298af721cdfd356436c60dcfe50e7c1f6c092b380461d0070c10e5ed4b5ea6e1eaf34388b390dd1b0c166878d108403b
- SSDEEP: 1536:OhKpb8rGYrMPe3q7Q0XV5xtezE8vG8UM+e+hDcnTLiQrRTZws8EgE:uKpb8rGYrMPe3q7Q0XV5xtezE8vG8UMx
Malware Config
Extracted URLs:
- https://strachanclark.com/images/3gc4qCpSFYbBMDEC/
- https://synapse-archive.com/images/bKaMr/
- https://sumuvesa.com/wp-includes/rgL/
Signatures

Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4708 | 868 | regsvr32.exe | 82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3828 | 868 | regsvr32.exe | 82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1360 | 868 | regsvr32.exe | 82

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
868 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
868 | EXCEL.EXE
868 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
868 | EXCEL.EXE (12 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 868 wrote to memory of 4708 | 868 | EXCEL.EXE | 88
PID 868 wrote to memory of 4708 | 868 | EXCEL.EXE | 88
PID 868 wrote to memory of 3828 | 868 | EXCEL.EXE | 89
PID 868 wrote to memory of 3828 | 868 | EXCEL.EXE | 89
PID 868 wrote to memory of 1360 | 868 | EXCEL.EXE | 94
PID 868 wrote to memory of 1360 | 868 | EXCEL.EXE | 94
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\af7f1540e19b5a469573d5fedd33ffc1ce1dd157626306ecf5a80afb65b52952.xls"
  PID: 868
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\cusoa1.ocx
    PID: 4708
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\cusoa2.ocx
    PID: 3828
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\cusoa3.ocx
    PID: 1360
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 3KB
  MD5: 44a30fd4564e754f62e54e6e7acee9c3
  SHA1: 9911fde9f502fb1a8f572e53af49ac588394484b
  SHA256: 80681ab0c0137ec6c5be1af133286d4746571741917e9d1409321da08731dd64
  SHA512: d023f590147f63b4878523b9a65ffe3e885932220e54cdcfaa02c7042f439757c87d6af1348f6739b4fadd4eb10d659ec8b346fe0d8a652a4b0268356b338ff9