Resubmissions

26/09/2022, 19:00 UTC

220926-xnpnfsbgd8 1

26/09/2022, 16:07 UTC

220926-tkzsgacdhq 1

26/09/2022, 15:41 UTC

220926-s44ebsbca5 1

26/09/2022, 15:29 UTC

220926-sw34lacdbp 1

Analysis

  • max time kernel
    134s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/09/2022, 15:41 UTC

General

  • Target

    Users/kmlarsen/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/W4YE5R4Y/☎️ Voicemail Audio Transcription.htm

  • Size

    13KB

  • MD5

    743bce526b069f0c70069210fbf399b1

  • SHA1

    884b1d100def065ba2964f81bcea919a44a3a2f1

  • SHA256

    2dbd2d653764003082326aacc9b1267075039f95446517cf6560a74785828e16

  • SHA512

    e0b79bc1cb7be72282ce7373957c1af7f3e2333efe60b055a0acbb3fd6563da7c39e1a0520597797f99d7f28b898e19f2957103a67cc954c549964fac24c26eb

  • SSDEEP

    384:KbcrRYCh//If1GdYxNAPoIIklxYq/KxnppHltlfKRLWcwgWwaThTZbKob7/:KbcrR95Qf1EYxNAAIzlxYGKxnppHltlj

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe (PID 4220)
    "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Users\kmlarsen\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\W4YE5R4Y\☎️ Voicemail Audio Transcription.htm"
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 532, child of 4220)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4220 CREDAT:17410 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx

    The child IEXPLORE.EXE started with SCODEF:4220 CREDAT:17410 is Internet Explorer's ordinary tab (content) process for frame process 4220. The hook, WriteProcessMemory and IE-settings signatures are produced by the browser itself opening the file and do not on their own indicate malicious behaviour; the sample is static HTML, which is why nothing beyond these generic signatures fired.

Network

  • US
    DNS
    ajax.googleapis.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    ajax.googleapis.com
    IN A
    Response
    ajax.googleapis.com
    IN A
    142.250.179.170
  • NL
    GET
    https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js
    IEXPLORE.EXE
    Remote address:
    142.250.179.170:443
    Request
    GET /ajax/libs/jquery/3.4.1/jquery.min.js HTTP/2.0
    host: ajax.googleapis.com
    accept: application/javascript, */*;q=0.8
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    vary: Accept-Encoding
    content-encoding: gzip
    access-control-allow-origin: *
    content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/hosted-libraries-pushers
    cross-origin-resource-policy: cross-origin
    cross-origin-opener-policy: same-origin; report-to="hosted-libraries-pushers"
    report-to: {"group":"hosted-libraries-pushers","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers"}]}
    timing-allow-origin: *
    content-length: 30774
    x-content-type-options: nosniff
    server: sffe
    x-xss-protection: 0
    date: Sun, 25 Sep 2022 17:58:03 GMT
    expires: Mon, 25 Sep 2023 17:58:03 GMT
    cache-control: public, max-age=31536000, stale-while-revalidate=2592000
    last-modified: Mon, 13 May 2019 14:37:17 GMT
    content-type: text/javascript; charset=UTF-8
    age: 78234
    alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
  • US
    DNS
    aadcdn.msftauth.net
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    aadcdn.msftauth.net
    IN A
    Response
    aadcdn.msftauth.net
    IN CNAME
    cs1100.wpc.omegacdn.net
    cs1100.wpc.omegacdn.net
    IN A
    152.199.23.37
  • US
    GET
    https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ziytf8dzt9eg1s6-ohhleg2.css
    IEXPLORE.EXE
    Remote address:
    152.199.23.37:443
    Request
    GET /ests/2.1/content/cdnbundles/converged.v2.login.min_ziytf8dzt9eg1s6-ohhleg2.css HTTP/2.0
    host: aadcdn.msftauth.net
    accept: text/css, */*
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 175843
    cache-control: public, max-age=31536000
    content-md5: xg2DER+s52egaL6bUXi4hw==
    content-type: text/css
    date: Mon, 26 Sep 2022 15:41:57 GMT
    etag: 0x8DA2180E9C582E0
    last-modified: Mon, 18 Apr 2022 21:17:58 GMT
    server: ECAcc (amc/BC42)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 9e21be3b-201e-007b-0e25-d03711000000
    x-ms-version: 2009-09-19
    content-length: 19953
  • US
    GET
    https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg
    IEXPLORE.EXE
    Remote address:
    152.199.23.37:443
    Request
    GET /shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/2.0
    host: aadcdn.msftauth.net
    accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 401383
    cache-control: public, max-age=31536000
    content-md5: TjUQkZ0p0Y7rbj6LJofS9Q==
    content-type: image/svg+xml
    date: Mon, 26 Sep 2022 15:41:58 GMT
    etag: 0x8D79A1B9B05915D
    last-modified: Thu, 16 Jan 2020 00:32:45 GMT
    server: ECAcc (amc/BC26)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 86f1a837-901e-0002-3717-ced3e8000000
    x-ms-version: 2009-09-19
    content-length: 276
  • US
    GET
    https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg
    IEXPLORE.EXE
    Remote address:
    152.199.23.37:443
    Request
    GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/2.0
    host: aadcdn.msftauth.net
    accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 401415
    cache-control: public, max-age=31536000
    content-md5: nzaLxFgP7ZB3dfMcaybWzw==
    content-type: image/svg+xml
    date: Mon, 26 Sep 2022 15:41:58 GMT
    etag: 0x8D79A1B9F5E121A
    last-modified: Thu, 16 Jan 2020 00:32:52 GMT
    server: ECAcc (amc/BC34)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 8196e058-b01e-0055-3717-ce88ae000000
    x-ms-version: 2009-09-19
    content-length: 1435
  • US
    GET
    https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg
    IEXPLORE.EXE
    Remote address:
    152.199.23.37:443
    Request
    GET /shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg HTTP/2.0
    host: aadcdn.msftauth.net
    accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 401415
    cache-control: public, max-age=31536000
    content-md5: DhdidjYrlCeaRJJRG/y9mA==
    content-type: image/svg+xml
    date: Mon, 26 Sep 2022 15:41:58 GMT
    etag: 0x8D7B007297AE131
    last-modified: Wed, 12 Feb 2020 22:01:50 GMT
    server: ECAcc (amc/BC4E)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 7b32b025-b01e-0055-7b17-ce88ae000000
    x-ms-version: 2009-09-19
    content-length: 673
  Connections (bytes sent / received, packets):

  • 142.250.179.170:443, ajax.googleapis.com, tls/https, IEXPLORE.EXE
    1.1kB / 5.5kB, 15 / 11 packets
  • 142.250.179.170:443, https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js, tls/http2, IEXPLORE.EXE
    2.5kB / 38.7kB, 42 / 36 packets
    GET https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js (200)
  • 152.199.23.37:443, https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg, tls/http2, IEXPLORE.EXE
    2.8kB / 30.6kB, 41 / 39 packets
    Four requests multiplexed over one HTTP/2 connection, all answered 200:
    GET https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ziytf8dzt9eg1s6-ohhleg2.css (200)
    GET https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg (200)
    GET https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg (200)
    GET https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg (200)
  • 152.199.23.37:443, aadcdn.msftauth.net, tls/http2, IEXPLORE.EXE
    1.3kB / 6.0kB, 18 / 17 packets
  • 20.189.173.12:443 (no domain or process recorded)
    322 B, 7
  • 204.79.197.200:443, ieonline.microsoft.com, tls/http2, iexplore.exe
    1.2kB / 8.1kB, 15 / 14 packets
  • 8.8.8.8:53, ajax.googleapis.com, dns, IEXPLORE.EXE
    65 B / 81 B, 1 / 1 packets
    DNS request ajax.googleapis.com, response 142.250.179.170
  • 8.8.8.8:53, aadcdn.msftauth.net, dns, IEXPLORE.EXE
    65 B / 115 B, 1 / 1 packets
    DNS request aadcdn.msftauth.net, response 152.199.23.37
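
What the network section shows is the interesting part of this report: an .htm opened straight from Outlook's attachment cache fetches jQuery from a public CDN and then the Azure AD converged sign-in stylesheet plus Microsoft branding images from aadcdn.msftauth.net, assets the real sign-in page loads from login.microsoftonline.com. No POST was captured, so the report does not show where anything typed into the page would be sent. The script below is an added example (not part of the tria.ge report or its signature set) that turns those observations into explicit checks; the CDN/origin host lists, the regexes and the rule names are the editor's assumptions, and the sample observations are constructed from the requests listed above.

```python
"""Heuristic review of a sandboxed HTML e-mail attachment (added example).

Takes the facts a sandbox report exposes (target path, per-process HTTP/DNS
observations) and applies the checks an analyst would otherwise run by hand.
Host lists, regexes and rule names are assumptions, not vendor signatures.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: CDN hosts from which Microsoft's real sign-in page loads its
# stylesheets and branding images.
MS_LOGIN_CDN = {"aadcdn.msftauth.net", "aadcdn.msauth.net"}
# Assumption: origins that actually serve the Microsoft sign-in page itself.
MS_LOGIN_ORIGINS = {"login.microsoftonline.com", "login.live.com"}

# Outlook writes opened attachments under ...\INetCache\Content.Outlook\<8 chars>\
OUTLOOK_CACHE = re.compile(r"[\\/]INetCache[\\/]Content\.Outlook[\\/]", re.I)
# The ESTS "converged" login bundle seen in the report.
CONVERGED_LOGIN = re.compile(r"/ests/[\d.]+/content/cdnbundles/converged\.v\d+\.login", re.I)


@dataclass
class Observation:
    process: str
    method: str  # "GET", "POST" or "DNS"
    url: str     # full URL for HTTP, bare name for DNS


@dataclass
class Finding:
    rule: str
    evidence: list = field(default_factory=list)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def review(target_path, observations):
    """Return findings for one analysis; an empty list means nothing matched."""
    findings = []
    http = [o for o in observations if o.method != "DNS"]

    # 1. The HTML was opened straight from Outlook's attachment cache.
    if OUTLOOK_CACHE.search(target_path):
        findings.append(Finding("html-from-outlook-attachment-cache", [target_path]))

    # 2. A page not served by Microsoft's sign-in origin pulls sign-in branding
    #    from Microsoft's CDN: the look of the real page without the real page.
    hosts_seen = {host_of(o.url) for o in http}
    login_assets = [o.url for o in http if host_of(o.url) in MS_LOGIN_CDN]
    if login_assets and not (hosts_seen & MS_LOGIN_ORIGINS):
        findings.append(Finding("ms-signin-branding-without-ms-signin-origin", login_assets))
        css = [u for u in login_assets if CONVERGED_LOGIN.search(u)]
        if css:
            findings.append(Finding("converged-login-stylesheet", css))

    # 3. No POST captured: the report cannot say where a submitted form goes;
    #    the form action still has to be read out of the HTML itself.
    if login_assets and not any(o.method == "POST" for o in http):
        findings.append(Finding("no-form-submission-observed", []))

    # 4. Script pulled from a public CDN (ordinary on its own, worth listing).
    jquery = [o.url for o in http if "jquery" in o.url.lower()]
    if jquery:
        findings.append(Finding("third-party-jquery-cdn", jquery))
    return findings


# Constructed from the requests listed in the report above.
TARGET = (r"C:\Users\Admin\AppData\Local\Temp\Users\kmlarsen\AppData\Local\Microsoft"
          r"\Windows\INetCache\Content.Outlook\W4YE5R4Y\☎️ Voicemail Audio Transcription.htm")
OBSERVATIONS = [
    Observation("IEXPLORE.EXE", "DNS", "ajax.googleapis.com"),
    Observation("IEXPLORE.EXE", "GET", "https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"),
    Observation("IEXPLORE.EXE", "DNS", "aadcdn.msftauth.net"),
    Observation("IEXPLORE.EXE", "GET", "https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ziytf8dzt9eg1s6-ohhleg2.css"),
    Observation("IEXPLORE.EXE", "GET", "https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg"),
    Observation("IEXPLORE.EXE", "GET", "https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg"),
    Observation("IEXPLORE.EXE", "GET", "https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg"),
]

if __name__ == "__main__":
    for f in review(TARGET, OBSERVATIONS):
        print(f.rule)
        for e in f.evidence:
            print("   ", e)
```

The second rule is the one that carries weight: a browser sitting on login.microsoftonline.com fetching from aadcdn.msftauth.net is normal, a local file doing the same is not. The third rule is a reminder that a sandbox that never types into the form tells you nothing about the collection endpoint.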

MITRE ATT&CK Enterprise v6
