Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
04/11/2022, 05:30 UTC
Behavioral task
behavioral1
Sample
b13a80ec8064a62693a6ac15180a6cbd48e3c0bef89be2f7c525258efc350067.xls
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
b13a80ec8064a62693a6ac15180a6cbd48e3c0bef89be2f7c525258efc350067.xls
Resource
win10-20220901-en
General
-
Target
b13a80ec8064a62693a6ac15180a6cbd48e3c0bef89be2f7c525258efc350067.xls
-
Size
217KB
-
MD5
dab2910a25d6f162a6d723f803ed0416
-
SHA1
91fa3e449d1f226da2e265720afd7bd3c8debe74
-
SHA256
b13a80ec8064a62693a6ac15180a6cbd48e3c0bef89be2f7c525258efc350067
-
SHA512
c34c835113029a5bbc34508513de353958a217ec15e598fc83c79909fc20740d8493380c821277c452b871e78ce2f2f432bd216ccaba121814b7955ee11ea5b2
-
SSDEEP
6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dglyY+TAQXTHGUMEyP5p6f5jQmo:JbGUMVWlbo
Malware Config
Extracted
http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/
http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/
http://armannahalpersian.ir/3H5qqUOB/
http://alagi.ge/application/irnz5Rs8qWvQrf/
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3816 3104 regsvr32.exe 65 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4736 3104 regsvr32.exe 65 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3336 3104 regsvr32.exe 65 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2952 3104 regsvr32.exe 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3104 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3104 EXCEL.EXE 3104 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE 3104 EXCEL.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3104 wrote to memory of 3816 3104 EXCEL.EXE 68 PID 3104 wrote to memory of 3816 3104 EXCEL.EXE 68 PID 3104 wrote to memory of 4736 3104 EXCEL.EXE 69 PID 3104 wrote to memory of 4736 3104 EXCEL.EXE 69 PID 3104 wrote to memory of 3336 3104 EXCEL.EXE 70 PID 3104 wrote to memory of 3336 3104 EXCEL.EXE 70 PID 3104 wrote to memory of 2952 3104 EXCEL.EXE 71 PID 3104 wrote to memory of 2952 3104 EXCEL.EXE 71
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b13a80ec8064a62693a6ac15180a6cbd48e3c0bef89be2f7c525258efc350067.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx2⤵
- Process spawned unexpected child process
PID:3816
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx2⤵
- Process spawned unexpected child process
PID:4736
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx2⤵
- Process spawned unexpected child process
PID:3336
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx2⤵
- Process spawned unexpected child process
PID:2952
-
Network
-
Remote address:8.8.8.8:53Requestaquariorecords.com.brIN AResponseaquariorecords.com.brIN A100.126.19.237
-
Remote address:100.126.19.237:80RequestGET /wp-content/A8G3ownNApEj1L4hF/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: aquariorecords.com.br
Connection: Keep-Alive
ResponseHTTP/1.0 404 Not Found
-
Remote address:8.8.8.8:53Requestftp.pricoat.com.mxIN AResponseftp.pricoat.com.mxIN A100.90.51.226
-
Remote address:100.90.51.226:80RequestGET /Fichas/3ybJLLXu5zqqn8Sx/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ftp.pricoat.com.mx
Connection: Keep-Alive
ResponseHTTP/1.0 404 Not Found
-
Remote address:8.8.8.8:53Requestarmannahalpersian.irIN AResponsearmannahalpersian.irIN A100.67.165.3
-
Remote address:100.67.165.3:80RequestGET /3H5qqUOB/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: armannahalpersian.ir
Connection: Keep-Alive
ResponseHTTP/1.0 404 Not Found
-
Remote address:8.8.8.8:53Requestalagi.geIN AResponsealagi.geIN A100.116.145.64
-
Remote address:100.116.145.64:80RequestGET /application/irnz5Rs8qWvQrf/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: alagi.ge
Connection: Keep-Alive
ResponseHTTP/1.0 404 Not Found
-
836 B 368 B 11 8
HTTP Request
GET http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/HTTP Response
404 -
736 B 368 B 9 8
HTTP Request
GET http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/HTTP Response
404 -
723 B 368 B 9 8
HTTP Request
GET http://armannahalpersian.ir/3H5qqUOB/HTTP Response
404 -
729 B 368 B 9 8
HTTP Request
GET http://alagi.ge/application/irnz5Rs8qWvQrf/HTTP Response
404
-
67 B 104 B 1 1
DNS Request
aquariorecords.com.br
DNS Response
100.126.19.237
-
64 B 98 B 1 1
DNS Request
ftp.pricoat.com.mx
DNS Response
100.90.51.226
-
66 B 102 B 1 1
DNS Request
armannahalpersian.ir
DNS Response
100.67.165.3
-
54 B 78 B 1 1
DNS Request
alagi.ge
DNS Response
100.116.145.64