Analysis
max time kernel: 101s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/11/2022, 14:17
Behavioral task: behavioral1
Sample: f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326.xls
Resource: win10-20220901-en
Behavioral task: behavioral2
Sample: f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326.xls
Resource: win10-20220812-en
General
Target: f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326.xls
Size: 217KB
MD5: 2b56de8c77b3cd04c40b246d9416180c
SHA1: d20f631ae1d10ca140460968f392613990b49caf
SHA256: f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326
SHA512: d2f455ebcae7377b304c4d204a71490d8fcbf54c5f7d281bc545dac1ecda2c4638f4a26d5bc1254b4e504644dd295866b8eb590dff5c0e6ea3ffb00333638828
SSDEEP: 6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmn:bbGUMVWlbn
Malware Config
Extracted
https://aprendeconmireia.com/images/wBu/
http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/
https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/
http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/
Signatures
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3124 | 2888 | regsvr32.exe | 65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2320 | 2888 | regsvr32.exe | 65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 644 | 2888 | regsvr32.exe | 65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1560 | 2888 | regsvr32.exe | 65
Downloads MZ/PE file
Loads dropped DLL 5 IoCs
pid | Process
3124 | regsvr32.exe
3124 | regsvr32.exe
2320 | regsvr32.exe
644 | regsvr32.exe
1560 | regsvr32.exe
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yUIRJmByc.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\UDwInY\\yUIRJmByc.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uJqy.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RvezEAWChK\\uJqy.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQiimVR.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\TzWJfYwhsmCQl\\MQiimVR.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HfhKkWbrUFej.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GVeClulHert\\HfhKkWbrUFej.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2888 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
3124 | regsvr32.exe
3124 | regsvr32.exe
5064 | regsvr32.exe
5064 | regsvr32.exe
5064 | regsvr32.exe
5064 | regsvr32.exe
2320 | regsvr32.exe
2320 | regsvr32.exe
4604 | regsvr32.exe
4604 | regsvr32.exe
4604 | regsvr32.exe
4604 | regsvr32.exe
644 | regsvr32.exe
644 | regsvr32.exe
1208 | regsvr32.exe
1208 | regsvr32.exe
1208 | regsvr32.exe
1208 | regsvr32.exe
1560 | regsvr32.exe
1560 | regsvr32.exe
904 | regsvr32.exe
904 | regsvr32.exe
904 | regsvr32.exe
904 | regsvr32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2888 | EXCEL.EXE
2888 | EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
2888 | EXCEL.EXE
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 2888 wrote to memory of 3124 | 2888 | EXCEL.EXE | 70
PID 2888 wrote to memory of 3124 | 2888 | EXCEL.EXE | 70
PID 3124 wrote to memory of 5064 | 3124 | regsvr32.exe | 72
PID 3124 wrote to memory of 5064 | 3124 | regsvr32.exe | 72
PID 2888 wrote to memory of 2320 | 2888 | EXCEL.EXE | 73
PID 2888 wrote to memory of 2320 | 2888 | EXCEL.EXE | 73
PID 2320 wrote to memory of 4604 | 2320 | regsvr32.exe | 75
PID 2320 wrote to memory of 4604 | 2320 | regsvr32.exe | 75
PID 2888 wrote to memory of 644 | 2888 | EXCEL.EXE | 76
PID 2888 wrote to memory of 644 | 2888 | EXCEL.EXE | 76
PID 644 wrote to memory of 1208 | 644 | regsvr32.exe | 77
PID 644 wrote to memory of 1208 | 644 | regsvr32.exe | 77
PID 2888 wrote to memory of 1560 | 2888 | EXCEL.EXE | 78
PID 2888 wrote to memory of 1560 | 2888 | EXCEL.EXE | 78
PID 1560 wrote to memory of 904 | 1560 | regsvr32.exe | 79
PID 1560 wrote to memory of 904 | 1560 | regsvr32.exe | 79
Processes
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326.xls"
    PID: 2888
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\regsvr32.exe
      Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
      PID: 3124
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UDwInY\yUIRJmByc.dll"
        PID: 5064
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\regsvr32.exe
      Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
      PID: 2320
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RvezEAWChK\uJqy.dll"
        PID: 4604
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\regsvr32.exe
      Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
      PID: 644
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TzWJfYwhsmCQl\MQiimVR.dll"
        PID: 1208
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\regsvr32.exe
      Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
      PID: 1560
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GVeClulHert\HfhKkWbrUFej.dll"
        PID: 904
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 818KB
MD5: e3357ff3cf4262cdda7f10acee3d5547
SHA1: e30c7c1891739b59e71df97cd5329ec64310f379
SHA256: d4615d802d4edd2811411601c3c11933def161f23c1796b20e2f857ab86334bd
SHA512: b98242a674df3d1e2491f696090e9454f65c11d8f5823a06ff7d96b75e82784b1dd38619e3daa1f51f507a5bc0af157b0a15fd7d92f1590957f9634e829ba3f0

Filesize: 818KB
MD5: 75186b55e8003b67bda0ff19d6cc9489
SHA1: e8fcc5b3fb9fdc21904ce3ed5389511c54e2fd06
SHA256: bb2432759f2ef8c9607326db74133e2b810a91b4fcd14c57deeb520cae345846
SHA512: a0a44096a5be513e6e37a20c551f5918ee607cc8bdcdf058d9ba27f924090bfdb1f0498fa8970c421da2c48270b161aae2a898f2b87e9908fcc0391a798b1295

Filesize: 818KB
MD5: 504a276ef53e287c2ba935ec29e35ac8
SHA1: 9f623736ee17c2946ea55341c90770636faf4fcc
SHA256: 8a3a294f6914332f4ba737341c332d5400441ac40f11df3694c14bcddf1e3510
SHA512: 29ec83c558434dda7f015161dbdaab7069575d184b9f831e953613ad02c12b6c373b4009ec40a4105e236ee31029107616caae34587c85b9185577e9021f23d5

Filesize: 818KB
MD5: a749296efb9290da3d134fea8df4b272
SHA1: 2b84d4c985e1a54a3e1b34cfcf44341bf110bcc8
SHA256: 5b2a6a3ab952ebd6502fca0ab4a902e5982890040625de9359d7b7754b5337c0
SHA512: 461d32e6a5a2091124b0cdf22de9be017344ed3ec3ba336bfeba3b3f90bc8dc70b56035e5112c93c5937951c91ac284419be59eecb58b1c3ef8e416e797aad56