Analysis

  • max time kernel
    133s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 21:28

General

  • Target

    27eaac2d6f8b1a093074359e85e1deb5f1b5785381b49f6143849c583b1982fd.xls

  • Size

    94KB

  • MD5

    d526bceaedb1395c2450d92b345c9cbb

  • SHA1

    eb9afb5afd34908a0ae72eec5c0094c0d84818de

  • SHA256

    27eaac2d6f8b1a093074359e85e1deb5f1b5785381b49f6143849c583b1982fd

  • SHA512

    b5866f7d4b3b60f1b80589c1766559d646b2b95ba9c0eb4b7869d2b3d2692e21b9e5d87af860ce19758a71163be88e3f0cd4dc0da3b332d2c7026f241b5d7171

  • SSDEEP

    1536:JsKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgSUZx6FyxC3YGbl7BgWDFsqtNhWmDJdWZ:6Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgx

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    xlm40.dropper
  • URLs
    https://bosny.com/aspnet_client/NGTx1FUzq/
    https://www.berekethaber.com/hatax/c7crGdejW4380ORuxqR/
    https://bulldogironworksllc.com/temp/BBh5HHpei/

Signatures

  • Process spawned unexpected child process (3 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2168)
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\27eaac2d6f8b1a093074359e85e1deb5f1b5785381b49f6143849c583b1982fd.xls"
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SYSTEM32\regsvr32.exe (PID 4036, child of 2168)
      regsvr32 C:\Uduw\soam1.OCX
      • Process spawned unexpected child process
    • C:\Windows\SYSTEM32\regsvr32.exe (PID 4612, child of 2168)
      regsvr32 C:\Uduw\soam2.OCX
      • Process spawned unexpected child process
    • C:\Windows\SYSTEM32\regsvr32.exe (PID 1216, child of 2168)
      regsvr32 C:\Uduw\soam3.OCX
      • Process spawned unexpected child process

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

    Filesize

    1KB

    MD5

    98e36fce7b298c53b5c2e34bd4e7a34f

    SHA1

    133f724f3863381cce37043ebc6bc6d8796a3a89

    SHA256

    f51c4ef2478d4b83cfdd1ffccd59a2bbe692d5e32e60d826a467aa8b52584bd4

    SHA512

    56cf7018ef32290e993129a8e1ab8e78eb6da43e376a7f879a687f8c36874fb85b770e4eadeaba5e269b4fbd2496d9f47cdb385da17b04cd9766ae0970eb4511

  • memory/2168-23-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-50-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-10-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-12-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-22-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-13-0x00007FFDECD50000-0x00007FFDECD60000-memory.dmp (Filesize 64KB)
  • memory/2168-8-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-7-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-14-0x00007FFDECD50000-0x00007FFDECD60000-memory.dmp (Filesize 64KB)
  • memory/2168-6-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-16-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-18-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-5-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp (Filesize 64KB)
  • memory/2168-21-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-9-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-20-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-19-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-17-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-15-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-11-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-0-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp (Filesize 64KB)
  • memory/2168-1-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp (Filesize 64KB)
  • memory/2168-3-0x00007FFE2EDCD000-0x00007FFE2EDCE000-memory.dmp (Filesize 4KB)
  • memory/2168-2-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp (Filesize 64KB)
  • memory/2168-52-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-51-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-53-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp (Filesize 2.0MB)
  • memory/2168-4-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp (Filesize 64KB)