Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

MIL0001069261.xlsm

windows7_x64

10

MIL0001069261.xlsm

windows10_x64

10

Analysis

  • max time kernel
    114s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    07/07/2020, 08:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MIL0001069261.xlsm

  • Size

    37KB

  • MD5

    e3f0a053c8ca4394c5352d41627b0a67

  • SHA1

    0ad720a9b870e87d5238c57f4bd1fb86dc4d3435

  • SHA256

    21861dfd5dc09356971994ea642e9f3dc7afe1319b2d41ac19317c85ac5d5087

  • SHA512

    144c98d170595b2bf151f251b31bd857858c4ca795af668da883530b1c4615a0ef8146681c8b14fa84b16c1f710a91a0f6019f9dec7d36e2d3acad47d4f488f4

Score
10/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MIL0001069261.xlsm"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:4012
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4012 -s 4824
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Process spawned unexpected child process
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious behavior: EnumeratesProcesses
      PID:408

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/408-5-0x0000017BBA780000-0x0000017BBA781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-6-0x0000017BBA780000-0x0000017BBA781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-8-0x0000017BBB4F0000-0x0000017BBB4F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-9-0x0000017BBB4F0000-0x0000017BBB4F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4012-3-0x0000018FD1975000-0x0000018FD19C4000-memory.dmp

    Filesize

    316KB

    Download

  • memory/4012-4-0x0000018FD17F7000-0x0000018FD1808000-memory.dmp

    Filesize

    68KB

    Download