Analysis
- Max time kernel: 145s
- Max time network: 135s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 10/07/2020, 11:20

Tasks
- Static task: static1
- Behavioral task: behavioral2
  - Sample: OBL.xlsm
  - Resource: win10v200430
  - 0 signatures
  - 0 seconds
General
- Target: OBL.xlsm
- Size: 51KB
- MD5: 701f9328e7a3342f0dfa48698c6c613b
- SHA1: 6edc2590af618b480f1c40e2eb7931fc731850bd
- SHA256: 020f81f9c5ff58cce183a45b51770b5fa15486446250d168f492264e71701078
- SHA512: c0998664d42b7915f3a9cdbc517662e0625f02b3d4f06f5ec872d7f71674d3392fa36e4cf72424187bbb5902b8f5797f82c81b41b125c90473e2a2664a58c7fa
- Score: 10/10
Malware Config
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4048 | 1360 | cscript.exe | 67

- Executes dropped EXE (1 IoC)
  pid | Process
  3692 | mPCoN67gt4d.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 1200 | WerFault.exe
  Token: SeBackupPrivilege | 1200 | WerFault.exe
  Token: SeDebugPrivilege | 1200 | WerFault.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

- NTFS ADS (3 IoCs)
  description | ioc | Process
  File created | C:\programdata\asc.txt:script1.vbs | EXCEL.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\mm:Zone.Identifier | EXCEL.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\xx:Zone.Identifier | EXCEL.EXE

- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  1360 | EXCEL.EXE (12 identical entries)

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  1360 | EXCEL.EXE

- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 1360 wrote to memory of 4048 | 1360 | EXCEL.EXE | 72
  PID 1360 wrote to memory of 4048 | 1360 | EXCEL.EXE | 72
  PID 4048 wrote to memory of 3692 | 4048 | cscript.exe | 76
  PID 4048 wrote to memory of 3692 | 4048 | cscript.exe | 76
  PID 4048 wrote to memory of 3692 | 4048 | cscript.exe | 76

- Blacklisted process makes network request (1 IoC)
  flow | pid | Process
  16 | 4048 | cscript.exe

- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1200 | 3692 | WerFault.exe | 76

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  1200 | WerFault.exe (14 identical entries)

- Script User-Agent (1 IoC)
  description | flow | ioc
  HTTP User-Agent header | 16 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\OBL.xlsm"
   PID: 1360
   - Checks processor information in registry
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cscript.exe
      Command line: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      PID: 4048
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      - Blacklisted process makes network request

      3. C:\programdata\mPCoN67gt4d.exe
         Command line: C:\programdata\mPCoN67gt4d.exe
         PID: 3692
         - Executes dropped EXE

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 928
            PID: 1200
            - Suspicious use of AdjustPrivilegeToken
            - Program crash
            - Suspicious behavior: EnumeratesProcesses