Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
16/02/2023, 18:54
Behavioral task
behavioral1
Sample
paquete_3841728.xlsm
Resource
win10-20220812-en
General
-
Target
paquete_3841728.xlsm
-
Size
46KB
-
MD5
848e5d22345ad8b064cf0da589a28db2
-
SHA1
e1dd2f21d103c0e012dcb29ea7f982803b37689c
-
SHA256
34ebe038a8b30eebad90de95dc17f118029a11a0450ceb36fee4741a4c226cb3
-
SHA512
2e95cfd295e94e5d1e69710c16a20b5f6c4797695f670732c0607dccd0260c9d50f57dae59f277fb62b5959b8d88453a38cf5a4708d73fea810bd6601c2ee118
-
SSDEEP
768:SEoTBvDOevZCwrvtWzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2ceI:9olvDmtT5fTR4Lh1NisFYBc3cr+UqVUz
Malware Config
Extracted
http://moveconnects.com/wp-admin/network/7T8g9DAohsL/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4452 2664 regsvr32.exe 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2664 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE 2664 EXCEL.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2664 wrote to memory of 4452 2664 EXCEL.EXE 72 PID 2664 wrote to memory of 4452 2664 EXCEL.EXE 72 PID 2664 wrote to memory of 4452 2664 EXCEL.EXE 72
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\paquete_3841728.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWow64\regsvr32.exeC:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx2⤵
- Process spawned unexpected child process
PID:4452
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
182KB
MD57db1ff0a75a3c2293ae95414f823a1f8
SHA1e0e8ddbbf98804b5fe2d2d6d31ebef028ac8fb00
SHA256c7c7f9a50622dc72bf609b99ce5095a1ef5f2ebe6f0dbc4c18397dca0b15105b
SHA512cbc07ff2f3a1c2b9e9daaff6a6c3d23846dd9c4bb8e9887f506f2adbcc64dd9cb99329c43d48fdaa3e281907d3d4a9306af716c06b8e785e93e9bb5ff660f81e