Analysis
  max time kernel: 141s
  max time network: 146s
  platform: windows7_x64
  resource: win7
  submitted: 09/07/2020, 15:37
Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.GenericKD.34139809.20191.20380.xls
  Resource: win7

Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.GenericKD.34139809.20191.20380.xls
  Resource: win10v200430
General
  Target: SecuriteInfo.com.Trojan.GenericKD.34139809.20191.20380.xls
  Size: 911KB
  MD5: 5d3da35b75a8ebd4ea01e5dfea3cc964
  SHA1: a96ad70d56e1fb611b6ecc29029b813b9d3948ff
  SHA256: 0e7dcaa2a0b1d03753b49f7fd799a82c9c0ee20b6d1b02496151f53e234ddd91
  SHA512: 6d887b61524f8ceec84268623b9187b98c1ce6ec96ab3650bab587253b3e71e77480e3e39e75e7beb106c847c8ae98e0257613e220d62dfbde0ff9ee62e55c3c
Malware Config
Signatures

Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process    procid_target
  PID 2040 wrote to memory of 1296     2040  EXCEL.EXE  24
  PID 2040 wrote to memory of 1296     2040  EXCEL.EXE  24
  PID 2040 wrote to memory of 1296     2040  EXCEL.EXE  24
  PID 2040 wrote to memory of 1296     2040  EXCEL.EXE  24
  PID 2040 wrote to memory of 1296     2040  EXCEL.EXE  24
  PID 1296 wrote to memory of 1412     1296  DW20.EXE   25
  PID 1296 wrote to memory of 1412     1296  DW20.EXE   25
  PID 1296 wrote to memory of 1412     1296  DW20.EXE   25

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1412  dwwin.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  2040  EXCEL.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2040  EXCEL.EXE
  2040  EXCEL.EXE
  2040  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2040  EXCEL.EXE

Process spawned suspicious child process (1 IoC)
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
  description                                                                                pid   pid_target  Process   procid_target
  Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process  1296  2040        DW20.EXE  23
Processes

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.34139809.20191.20380.xls
  PID: 2040
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EnumeratesProcesses

  C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
    Command line: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
    PID: 1296
    - Suspicious use of WriteProcessMemory
    - Process spawned suspicious child process

    C:\Windows\system32\dwwin.exe
      Command line: C:\Windows\system32\dwwin.exe -x -s 1156
      PID: 1412
      - Suspicious behavior: GetForegroundWindowSpam