Analysis
Max time kernel: 163s
Max time network: 210s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31/12/2023, 03:13
Behavioral task: behavioral1
Sample: 25f943be1bb8caf3d5954dbb68a908b9.xlsm
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 25f943be1bb8caf3d5954dbb68a908b9.xlsm
Resource: win10v2004-20231215-en
General
Target: 25f943be1bb8caf3d5954dbb68a908b9.xlsm
Size: 58KB
MD5: 25f943be1bb8caf3d5954dbb68a908b9
SHA1: 880ac0354c7b1b31e053396aef83061b8642873f
SHA256: e5936f60478373eb2bba2acb992531d5c753130937f3ecc160904a5663b4c31b
SHA512: bd00c37a6113066cb4face6436d75aefaf197110b7910a48b40ea6a0d876bf30db2cb333eff5e200f508c6139922ce375b41848ee41fbcd074e95d191f7fea7d
SSDEEP: 1536:i4AMGEjM2PK88BNVuzFr4Vd6j0BNn5U1Wh:/y2CB/VcRo8+
Malware Config
Extracted: http://metalpro.com.ng/url.zip
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3056 | 3776 | regsvr32.exe | 54
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3776 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3776 | EXCEL.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (17 IoCs)
pid | Process
3776 | EXCEL.EXE (17 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 3776 wrote to memory of 3056 (the regsvr32.exe child) | 3776 | EXCEL.EXE | 114 (2 occurrences)
Processes

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3776)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\25f943be1bb8caf3d5954dbb68a908b9.xlsm"
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\regsvr32.exe (PID 3056, child of 3776)
    Command line: regsvr32 -silent ..\we.hide
    Signatures:
    - Process spawned unexpected child process
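The two behaviours the report flags, an Office host spawning regsvr32 and that same process reading CPU and BIOS identity keys, are what a detection engineer would turn into rules. What follows is an added example, not part of the tria.ge report or of the sample: it runs simple rules over constructed Sysmon-style process-creation and registry-query events that mirror the report's process tree (PIDs 3776 and 3056, the command line regsvr32 -silent ..\we.hide, and the CentralProcessor and BIOS keys listed above), with one benign control record in each set. The record fields (pid, ppid, image, parent_image, cmdline, key), the OFFICE_PARENTS and SUSPECT_CHILDREN lists and the path heuristics are assumptions of the example, not anything tria.ge exports.

```python
"""Added example (not from the tria.ge report): detection rules for an Office
host spawning a LOLBin and for Office reading hardware-identity registry keys.
Event schema below is a hypothetical normalised form, not tria.ge's export."""
import ntpath
import re

# Office hosts that should not hand execution to script/registration binaries.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Binaries a macro typically uses to run its next stage (assumed list).
SUSPECT_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                    "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
# Registry paths read to fingerprint the host: CPU name/clock, BIOS family/SKU.
FINGERPRINT_KEYS = (r"\hardware\description\system\centralprocessor",
                    r"\hardware\description\system\bios")

# Constructed process-creation events; PIDs and command lines follow the report.
PROCESS_EVENTS = [
    {"pid": 3776, "ppid": 1234,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\25f943be1bb8caf3d5954dbb68a908b9.xlsm"'},
    {"pid": 3056, "ppid": 3776,
     "image": r"C:\Windows\SYSTEM32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r"regsvr32 -silent ..\we.hide"},
    # Benign control (constructed): an administrator registering a real DLL from a console.
    {"pid": 4100, "ppid": 2200,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'},
]

# Constructed registry-query events; the keys are the ones the report lists.
REGISTRY_EVENTS = [
    {"pid": 3776, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 3776, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 3776, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    # Benign control (constructed): a hardware-inventory agent reading the same key.
    {"pid": 900, "image": r"C:\Program Files\Inventory\agent.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
]


def basename(path):
    return ntpath.basename(path).lower()


def regsvr32_findings(cmdline):
    """Explain why a regsvr32 command line looks like macro abuse rather than setup."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)          # keep quoted paths whole
    flags = [t[1:].lower() for t in tokens[1:] if t[0] in "/-"]
    args = [t.strip('"') for t in tokens[1:] if t[0] not in "/-"]
    reasons = []
    # regsvr32 accepts '/' or '-'; /s is the documented silent switch, the sample used -silent.
    if any(f.startswith("s") for f in flags):
        reasons.append("silent registration")
    # /i:<url> together with scrobj.dll is the well-known remote-scriptlet pattern.
    if any(f.startswith("i:") and "://" in f for f in flags):
        reasons.append("remote scriptlet via /i:")
    for target in args:
        low = target.lower()
        if not low.endswith(".dll"):
            reasons.append("module without .dll extension: " + target)
        if ".." in low or "\\temp\\" in low or "\\appdata\\" in low:
            reasons.append("module from relative or user-writable path: " + target)
    return reasons


def detect_office_children(events):
    """Alert when an Office host spawns a suspect child; enrich regsvr32 with its findings."""
    alerts = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in OFFICE_PARENTS and child in SUSPECT_CHILDREN:
            reasons = [parent + " spawned " + child]
            if child == "regsvr32.exe":
                reasons += regsvr32_findings(ev["cmdline"])
            alerts.append({"pid": ev["pid"], "ppid": ev["ppid"], "reasons": reasons})
    return alerts


def detect_office_fingerprinting(events):
    """Return {pid: [keys]} for Office processes reading CPU/BIOS identity keys."""
    hits = {}
    for ev in events:
        key = ev["key"].lower()
        if basename(ev["image"]) in OFFICE_PARENTS and any(k in key for k in FINGERPRINT_KEYS):
            hits.setdefault(ev["pid"], []).append(ev["key"])
    return hits


if __name__ == "__main__":
    for alert in detect_office_children(PROCESS_EVENTS):
        print(alert)
    print(detect_office_fingerprinting(REGISTRY_EVENTS))
```

Run directly, it reports one alert for PID 3056 (Office parent, silent switch, a module without a .dll extension loaded from a relative path) and three fingerprinting reads by PID 3776; the cmd.exe-spawned registration and the inventory agent's BIOS read are left alone. The silent switch by itself is weak evidence, since installers use /s routinely, which is why it only enriches an alert that the parent-child relationship has already raised.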