Analysis

  • max time kernel
    145s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10/07/2020, 11:20

General

  • Target

    OBL.xlsm

  • Size

    51KB

  • MD5

    701f9328e7a3342f0dfa48698c6c613b

  • SHA1

    6edc2590af618b480f1c40e2eb7931fc731850bd

  • SHA256

    020f81f9c5ff58cce183a45b51770b5fa15486446250d168f492264e71701078

  • SHA512

    c0998664d42b7915f3a9cdbc517662e0625f02b3d4f06f5ec872d7f71674d3392fa36e4cf72424187bbb5902b8f5797f82c81b41b125c90473e2a2664a58c7fa

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Script User-Agent 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\OBL.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      • Blacklisted process makes network request
      PID:4048
      • C:\programdata\mPCoN67gt4d.exe
        C:\programdata\mPCoN67gt4d.exe
        3⤵
        • Executes dropped EXE
        PID:3692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 928
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          PID:1200

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1200-10-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

    Filesize

    4KB

  • memory/1200-20-0x0000000005620000-0x0000000005621000-memory.dmp

    Filesize

    4KB