Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

55225 NEL1334605.xlsm

windows7_x64

1

55225 NEL1334605.xlsm

windows10_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    14/07/2020, 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55225 NEL1334605.xlsm

  • Size

    39KB

  • MD5

    235326560f595b807aa52df22e8d5e69

  • SHA1

    c0266c830b5287c1a0fc2c00c696040b10092ca4

  • SHA256

    e8d122c430ae8e186fe266a63511405aa82465e5aaf92d8fb1934533b2eb0dc4

  • SHA512

    6502bdcce9d3d615b0f87d678b86b986dc493139d20fe8d830c8bc0aecb90ccf3458582fc9ca96af17a27c09e471db325a910dad90dfd6f9448785b7b13cb085

Score
10/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Program crash 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\55225 NEL1334605.xlsm"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    PID:2920
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2920 -s 4720
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Process spawned unexpected child process
      • Program crash
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of AdjustPrivilegeToken
      PID:4048

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2920-0-0x00000200084DD000-0x00000200084E6000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2920-1-0x00000200084DD000-0x00000200084E6000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2920-2-0x00000200084DD000-0x00000200084E6000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2920-3-0x000002000EC3A000-0x000002000EC66000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2920-4-0x000002000EC3A000-0x000002000EC66000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4048-5-0x000001D809DC0000-0x000001D809DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-6-0x000001D809DC0000-0x000001D809DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-8-0x000001D80AC30000-0x000001D80AC31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-9-0x000001D80AC30000-0x000001D80AC31000-memory.dmp

    Filesize

    4KB

    Download