Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
155s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 05:16
Static task
static1
Behavioral task
behavioral1
Sample
29a5ee5c62d2a1b6288ccd499d020f2d.xlsm
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
29a5ee5c62d2a1b6288ccd499d020f2d.xlsm
Resource
win10v2004-20231215-en
General
-
Target
29a5ee5c62d2a1b6288ccd499d020f2d.xlsm
-
Size
6KB
-
MD5
29a5ee5c62d2a1b6288ccd499d020f2d
-
SHA1
8e391c4bdd8ba4da4b18133753ea99f05831d193
-
SHA256
55a0b4992d4b6721998ac92e3cc4fa9b3384c71edf0e12cabb666359c654516d
-
SHA512
b6e5261e7fcfa3214bf31bb6bcd33cafba730f8d4e991eac3792ea7a42c4b8aac58819ed8a0a0428cc54fb821c6c0269eac1d255a75702936abec2d80e1dccf0
-
SSDEEP
192:NDSxuS7brA2OmmfRG8UhHFBFYuAb98ySci3f+Fx:NiucM2w81FYxb98y8k
Malware Config
Extracted
http://46.17.98.187/index.php
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 5100 1428 DW20.EXE 79 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dwwin.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwwin.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dwwin.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1428 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1428 EXCEL.EXE 1428 EXCEL.EXE 1428 EXCEL.EXE 1428 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1428 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1428 EXCEL.EXE 1428 EXCEL.EXE 1428 EXCEL.EXE 1428 EXCEL.EXE 1428 EXCEL.EXE 1428 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1428 wrote to memory of 5100 1428 EXCEL.EXE 92 PID 1428 wrote to memory of 5100 1428 EXCEL.EXE 92 PID 5100 wrote to memory of 4844 5100 DW20.EXE 93 PID 5100 wrote to memory of 4844 5100 DW20.EXE 93
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\29a5ee5c62d2a1b6288ccd499d020f2d.xlsm"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 39362⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 39363⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4844
-
-