Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    246s
  • max time network
    260s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2022, 16:37

General

  • Target

    hotManchegoMacro.xlsm

  • Size

    4KB

  • MD5

    ce76acb95a001594debe598f2c39b696

  • SHA1

    97db0a6d9abb7b85c88000f684d49d2a74278ef5

  • SHA256

    f2db88981ba6f6a97a3007ce7b7e78248d8d27b63d398c6e65686c305619c34f

  • SHA512

    19de5fe22ff9653f7a1a8c457ba52e45edd81423cfc8f4bdf6ebf845055729b1056f97b918be5dd265f8486f88ff621a0dce519c230f809d2e592b69de671c9e

  • SSDEEP

    48:9UKMyfv5OISZqw0wOCmY9OTLHOjaDDS6y61M3t62jjBQohSSDMqst9OP2Ltzz16H:uKjv8r8I0Et62msJE9OeLhz1M6o

Score
3/10

Malware Config

Signatures

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: LoadsDriver 10 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\hotManchegoMacro.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2732
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 460 -p 908 -ip 908
    1⤵
      PID:4060
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 908 -s 2904
      1⤵
      • Program crash
      PID:4068
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 564 -p 1788 -ip 1788
      1⤵
        PID:2828
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1788 -s 2908
        1⤵
        • Program crash
        PID:2140
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4352
        • C:\Windows\system32\ipconfig.exe
          ipconfig
          2⤵
          • Gathers network information
          PID:924

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2732-132-0x00007FF862050000-0x00007FF862060000-memory.dmp

        Filesize

        64KB

      • memory/2732-133-0x00007FF862050000-0x00007FF862060000-memory.dmp

        Filesize

        64KB

      • memory/2732-134-0x00007FF862050000-0x00007FF862060000-memory.dmp

        Filesize

        64KB

      • memory/2732-135-0x00007FF862050000-0x00007FF862060000-memory.dmp

        Filesize

        64KB

      • memory/2732-136-0x00007FF862050000-0x00007FF862060000-memory.dmp

        Filesize

        64KB

      • memory/2732-137-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmp

        Filesize

        64KB

      • memory/2732-138-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmp

        Filesize

        64KB