Analysis
max time kernel: 163s
max time network: 213s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 03:13
Behavioral task: behavioral1
Sample: 25f943be1bb8caf3d5954dbb68a908b9.xlsm
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 25f943be1bb8caf3d5954dbb68a908b9.xlsm
Resource: win10v2004-20231215-en
General
Target: 25f943be1bb8caf3d5954dbb68a908b9.xlsm
Size: 58KB
MD5: 25f943be1bb8caf3d5954dbb68a908b9
SHA1: 880ac0354c7b1b31e053396aef83061b8642873f
SHA256: e5936f60478373eb2bba2acb992531d5c753130937f3ecc160904a5663b4c31b
SHA512: bd00c37a6113066cb4face6436d75aefaf197110b7910a48b40ea6a0d876bf30db2cb333eff5e200f508c6139922ce375b41848ee41fbcd074e95d191f7fea7d
SSDEEP: 1536:i4AMGEjM2PK88BNVuzFr4Vd6j0BNn5U1Wh:/y2CB/VcRo8+
Malware Config
Extracted: http://metalpro.com.ng/url.zip
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
pid: 1220
pid_target: 1336
Process: regsvr32.exe
procid_target: 21
Parent: (not recorded)
Enumerates system info in registry (2 TTPs, 1 IoCs)
description: Key opened
ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Process: EXCEL.EXE
Modifies Internet Explorer settings
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
Process: EXCEL.EXE

description: Key created
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt
Process: EXCEL.EXE

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Process: EXCEL.EXE

description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Process: EXCEL.EXE

description: Key created
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar
Process: EXCEL.EXE

description: Key created
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
Process: EXCEL.EXE

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Process: EXCEL.EXE

description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
Process: EXCEL.EXE

description: Key created
ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
Process: EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid: 1336
Process: EXCEL.EXE
Suspicious use of SetWindowsHookEx (8 IoCs)
pid: 1336, Process: EXCEL.EXE (8 occurrences)
Suspicious use of WriteProcessMemory (7 IoCs)
description: PID 1336 wrote to memory of 1220
pid: 1336
Process: EXCEL.EXE
procid_target: 32
(7 occurrences)
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\25f943be1bb8caf3d5954dbb68a908b9.xlsm
   PID: 1336
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 1336)
      Command line: regsvr32 -silent ..\we.hide
      PID: 1220
      - Process spawned unexpected child process