Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/11/2024, 23:04
Behavioral task
behavioral1
Sample
103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787.xlsm
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787.xlsm
Resource
win10v2004-20241007-en
General
-
Target
103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787.xlsm
-
Size
95KB
-
MD5
b8ef30e42daf23205594b91d18714f12
-
SHA1
f175735d8b57549094a99ceebb4a154e06fdf1d4
-
SHA256
103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787
-
SHA512
fa5e670cf4e3c523516a297810da289f6c2882ba3d7cf6ae1433b841603a17777dee02bab5b9c2f6bfe84c05a43cd86cc137d6e4128d7faf2d64c780e460252d
-
SSDEEP
1536:sQxfGWXG8v5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVFfw:s2318DsVhonV69o2bchgGaWBcpA+fw
Malware Config
Extracted
https://ashirvadgroup.com/wp-admin/LtoH5AWneDBZIV2D/
https://patriciamirapsicologa.com/wp-includes/fVVa9DXB/
https://forfreeiptv.com/wp-admin/s5Oxoskqv8/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1444 1344 regsvr32.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1344 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1344 EXCEL.EXE 1344 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE 1344 EXCEL.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1344 wrote to memory of 1444 1344 EXCEL.EXE 92 PID 1344 wrote to memory of 1444 1344 EXCEL.EXE 92 PID 1344 wrote to memory of 1444 1344 EXCEL.EXE 92
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\103ba9f15e2da46a4ff8be0e05b0a45c21a94a5a72d0042fe791b81a677f6787.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWow64\regsvr32.exeC:\Windows\SysWow64\regsvr32.exe /s ..\dw1.ocx2⤵
- Process spawned unexpected child process
- System Location Discovery: System Language Discovery
PID:1444
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD541d5a50a68b8fdb761d98896c09ea96c
SHA10720346df2082d43f2c47eae213b6cfe3aac326f
SHA2560ce3114ea29926bff768fc39ed5825e76cf5cd3c63fe55743998773f7d2f85d9
SHA512619798be3ba8e16154095bad796eeeadef1502a1344c27d360212cbe918cfdc0e638bf97a72cbd86387f178d514f86bc704651d69371d1de7bebdc0c93ab174a
-
Filesize
497B
MD544e3c3252241233634d734f16d2f52fb
SHA12336f85baaa4aa39a93d7d05775bc403aa1c9b3c
SHA25656237adc22006983a37b8c2964988d3dcf60edd7af2a8739191a529511fd5ba5
SHA512bf8cbc52a1524568884c5323089c20dcc9bdd2fc448ade59ca4e5c77d8a574ad590155e548da43ba4798e1bbf131ad05b53605666ce2aa571e9239dcf892878a