Analysis
  max time kernel:   114s
  max time network:  149s
  platform:          windows10_x64
  resource:          win10v200430
  submitted:         07/07/2020, 08:43
Static task
  static1

Behavioral task behavioral1
  Sample:    MIL0001069261.xlsm
  Resource:  win7
  0 signatures, 0 seconds

Behavioral task behavioral2
  Sample:    MIL0001069261.xlsm
  Resource:  win10v200430
  0 signatures, 0 seconds
General
  Target:  MIL0001069261.xlsm
  Size:    37KB
  MD5:     e3f0a053c8ca4394c5352d41627b0a67
  SHA1:    0ad720a9b870e87d5238c57f4bd1fb86dc4d3435
  SHA256:  21861dfd5dc09356971994ea642e9f3dc7afe1319b2d41ac19317c85ac5d5087
  SHA512:  144c98d170595b2bf151f251b31bd857858c4ca795af668da883530b1c4615a0ef8146681c8b14fa84b16c1f710a91a0f6019f9dec7d36e2d3acad47d4f488f4

Score
  10/10

Malware Config
  (none listed)
Signatures

Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  408  4012        WerFault.exe  67

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  408  WerFault.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   Process
  4012  EXCEL.EXE  (8 identical hits)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4012  EXCEL.EXE

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description:    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid:            408
  pid_target:     4012
  Process:        WerFault.exe
  procid_target:  67
  Note: the child here is WerFault.exe, started with "-u -p 4012 -s 4824" (see Processes), i.e. Windows Error Reporting handling the crash of EXCEL.EXE (PID 4012) recorded under "Program crash" above. Check the child's command line before reading this hit as macro-launched code; a payload spawned by a macro would be a shell, script host or dropped binary, not the WER handler for the parent's own PID.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description           pid  Process       procid_target
  PID 408 created 4012  408  WerFault.exe  67

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  Process
  408  WerFault.exe  (14 identical hits)

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                        Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS         EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
  Note: in both registry signatures the reader is EXCEL.EXE itself, not a child process, and Office reads these keys during normal start-up as well. Treat them as weak evidence of evasion unless macro code can be shown to branch on the returned values.
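The two registry signatures above are the kind of hit an analyst usually wants to pull out of a report and match against their own telemetry. The following is an added example, not code from tria.ge: it parses IoC rows in the flattened "description  ioc  Process" form used on this page (the six rows are constructed from the entries above), normalises the kernel-style \REGISTRY\MACHINE path to an HKLM-relative, case-insensitive form, and counts reads per process against two fingerprinting buckets. The bucket names ("processor_info", "system_info") and the prefix table are the author's own choices, not tria.ge's signature definitions.

```python
"""Classify registry reads from a sandbox report as host-fingerprinting TTPs.

Added example, not part of the tria.ge report. The input lines are
constructed from the "Checks processor information in registry" and
"Enumerates system info in registry" entries; the TTP labels and the
normalisation rules are assumptions of this example, not tria.ge's.
"""
import re
from collections import Counter

# Constructed sample: the six IoC rows from the report, one per line, in the
# flattened "description  ioc  Process" form the page uses.
REPORT_LINES = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE",
]

# description (two fixed phrasings), the key (starts with a backslash, no spaces), the process.
LINE_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\\S+)\s+(\S+)$")

# Fingerprinting locations, keyed by lower-cased HKLM-relative prefix (assumed
# bucket names). Registry paths are case-insensitive, so matching is done on
# the lower-cased form.
FINGERPRINT_PREFIXES = {
    r"hardware\description\system\centralprocessor": "processor_info",
    r"hardware\description\system\bios": "system_info",
}

def normalise_key(native_path: str) -> str:
    """Map a kernel-style \\REGISTRY\\MACHINE\\... path to an HKLM-relative,
    lower-cased path so the same key matches however it was logged."""
    prefix = "\\registry\\machine\\"
    lowered = native_path.lower()
    if not lowered.startswith(prefix):
        raise ValueError(f"not an HKLM path: {native_path}")
    return lowered[len(prefix):]

def parse_line(line: str) -> dict:
    """Split one flattened IoC row into operation, normalised key and process."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable IoC line: {line!r}")
    op, key, proc = m.groups()
    return {"op": op, "key": normalise_key(key), "process": proc}

def classify(key: str):
    """Return the bucket for a normalised key, or None if it is not a
    fingerprinting location (the key itself or any value/subkey under it)."""
    for prefix, label in FINGERPRINT_PREFIXES.items():
        if key == prefix or key.startswith(prefix + "\\"):
            return label
    return None

def summarise(lines):
    """Return {(process, bucket): count} for every row that hits a fingerprinting key."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        label = classify(rec["key"])
        if label:
            counts[(rec["process"], label)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (proc, bucket), n in sorted(summarise(REPORT_LINES).items()):
        print(f"{proc:12} {bucket:16} {n} read(s)")
```

The normalisation step matters because the same key appears on this page both as \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\... and as \REGISTRY\MACHINE\Hardware\Description\...; a case-sensitive string match would split one behaviour into two.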
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 4012)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MIL0001069261.xlsm"
   - Suspicious use of SetWindowsHookEx
   - Suspicious behavior: AddClipboardFormatListener
   - Checks processor information in registry
   - Enumerates system info in registry

   2. C:\Windows\system32\WerFault.exe  (PID 408, child of 4012)
      Command line: C:\Windows\system32\WerFault.exe -u -p 4012 -s 4824
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Process spawned unexpected child process
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
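The process tree is what settles whether the "Process spawned unexpected child process" hit is a macro payload or just Windows Error Reporting cleaning up after the crash. The following is an added example, not tria.ge code: it takes process records constructed from this report (EXCEL.EXE 4012 and WerFault.exe 408 with their command lines, parent of 408 taken from its position under 4012 and from pid_target=4012 in the signature) plus one hypothetical third record that is not from the report, and for every child of an Office process decides whether it is WerFault.exe invoked for the parent's own PID (the value after -p) or a genuinely unexpected child. The image list OFFICE_IMAGES and the verdict strings are the author's assumptions.

```python
"""Reconcile an "unexpected child process" hit against Windows Error Reporting.

Added example, not code from tria.ge. The first two process records are
constructed from the Processes section of this report; the third is a
hypothetical child, not from the report, used only to show the negative case.
"""
import shlex

# Constructed from the report's process tree: pid, parent pid, command line.
PROCESSES = [
    {"pid": 4012, "ppid": None,
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MIL0001069261.xlsm"'},
    {"pid": 408, "ppid": 4012,
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 4012 -s 4824"},
    # Hypothetical, not from the report: the shape of a macro-spawned child.
    {"pid": 9999, "ppid": 4012,
     "cmdline": r"C:\Windows\System32\cmd.exe /c echo constructed-example"},
]

# Assumed set of Office host images whose children deserve scrutiny.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

def split_cmdline(cmdline: str):
    """Split a Windows command line. shlex in non-POSIX mode keeps a quoted
    path together and does not treat backslashes as escape characters."""
    return shlex.split(cmdline, posix=False)

def image_name(cmdline: str) -> str:
    """Lower-cased file name of the executable in argv[0], quotes stripped."""
    exe = split_cmdline(cmdline)[0].strip('"')
    return exe.rsplit("\\", 1)[-1].lower()

def is_wer_for_parent(child: dict, parent_pid: int) -> bool:
    """True if the child is WerFault.exe started to handle a crash of parent_pid.
    WER passes the crashing process id after -p; that is the value matched here."""
    if image_name(child["cmdline"]) != "werfault.exe":
        return False
    argv = split_cmdline(child["cmdline"])
    try:
        return int(argv[argv.index("-p") + 1]) == parent_pid
    except (ValueError, IndexError):
        return False

def triage_children(processes):
    """For every child of an Office process, return (pid, image, verdict), where
    verdict is "wer_crash_handler" or "unexpected_child"."""
    verdicts = []
    for proc in processes:
        ppid = proc["ppid"]
        if ppid is None:
            continue
        parent = next(p for p in processes if p["pid"] == ppid)
        if image_name(parent["cmdline"]) not in OFFICE_IMAGES:
            continue
        verdict = "wer_crash_handler" if is_wer_for_parent(proc, ppid) else "unexpected_child"
        verdicts.append((proc["pid"], image_name(proc["cmdline"]), verdict))
    return verdicts

if __name__ == "__main__":
    for pid, image, verdict in triage_children(PROCESSES):
        print(f"pid {pid:<5} {image:<14} {verdict}")
```

Matching on the PID after -p, rather than on the image name alone, is the point: a WerFault.exe whose -p does not name the parent is not explained by the parent's crash and should keep the unexpected-child verdict.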