Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/06/2023, 07:08

General

  • Target

    03373999.xls

  • Size

    1.8MB

  • MD5

    fd4ea629d606346a6bce6b46ef0578f8

  • SHA1

    703f80d2bfbf6e2c4803e43a1a9fc994798a4dc1

  • SHA256

    62cbed8b8215059d60eb35d6b35ebc55bb0d5960fc71c3ac368bab71ddaa85a6

  • SHA512

    20a980058b2187dd057e5b3905446a8bb4202311770063acd5ba417d8ad9d4043f63340f212831c4a69cc77488ce8e9ecea10a06f8ad3b0c48407c9c17342d05

  • SSDEEP

    49152:4LK5g6ghO0EO0ida6Hg6ghO0EO0mda6V6Ds:oQgZmid/dgZmmd/QD

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\03373999.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1964
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Users\Public\cleanmgrs.exe
      "C:\Users\Public\cleanmgrs.exe"
      2⤵
      • Checks QEMU agent file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Users\Public\cleanmgrs.exe
        "C:\Users\Public\cleanmgrs.exe"
        3⤵
        • Checks QEMU agent file
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1700

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7733B97D.emf

    Filesize

    34KB

    MD5

    5e32abe7ed20ed209866c70040c5b2e3

    SHA1

    b5dab88af0ec94ac9bd2bff4fb6a573a5f5c131d

    SHA256

    5a907b3394f4f553a4e0631930fbb6bed9c2a8ffcee562136766f09ad1087cb5

    SHA512

    665e29626990c2b0b761ceee2e2f095bcefdc08e12bfb6b63e60d245e60016f9db1b86485a5499b481d5d16c8a5407f22756552eb80dbf1f61cbcbfd6fc058c9

  • C:\Users\Admin\AppData\Local\Temp\TarB86F.tmp

    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\AppData\Local\Temp\nso45CA.tmp\System.dll

    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Vintertid.lnk

    Filesize

    932B

    MD5

    d5c28c7059fe768f68f17365b3a90031

    SHA1

    f0efc047729081c3574434b29531e6423917b6ef

    SHA256

    dfebde5d75809750a5357803ba9da8e8348ac018a8e05c40968a254011d6dbcc

    SHA512

    dc3d79f761597bd9f08ecd794c3648c1ec2bee0866cc3a6fb53dabf3b612a6d83d30a5e53bd3da45f27bfd5626e7c9d6f80d2cdbd96d6d3cda373de7811913e1

  • C:\Users\Public\cleanmgrs.exe

    Filesize

    770KB

    MD5

    5acd030fa8d6773c21b19a4468727d05

    SHA1

    7d4e4f8e2145d381cf96c291782152737a976f29

    SHA256

    8ef00db9712f487dc2bd4329378cb38ba2d1706284658e5e77602cb180ca82d7

    SHA512

    e13c6885c22c1e9e717f4bfc776ada825ea3c7ac5361a884b4f737de72f4781f09d200c84ce7afa29e348dbf3f3be4bf2bec889af8dd39dbaec35ff628eda01d

  • \Users\Admin\AppData\Local\Temp\nso45CA.tmp\System.dll

    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

  • \Users\Public\cleanmgrs.exe

    Filesize

    770KB

    MD5

    5acd030fa8d6773c21b19a4468727d05

    SHA1

    7d4e4f8e2145d381cf96c291782152737a976f29

    SHA256

    8ef00db9712f487dc2bd4329378cb38ba2d1706284658e5e77602cb180ca82d7

    SHA512

    e13c6885c22c1e9e717f4bfc776ada825ea3c7ac5361a884b4f737de72f4781f09d200c84ce7afa29e348dbf3f3be4bf2bec889af8dd39dbaec35ff628eda01d

  • memory/1348-97-0x0000000003860000-0x0000000004B34000-memory.dmp

    Filesize

    18.8MB

  • memory/1348-94-0x0000000003860000-0x0000000004B34000-memory.dmp

    Filesize

    18.8MB

  • memory/1700-98-0x0000000001470000-0x0000000002744000-memory.dmp

    Filesize

    18.8MB

  • memory/1700-99-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/1700-96-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/1700-248-0x0000000001470000-0x0000000002744000-memory.dmp

    Filesize

    18.8MB

  • memory/1964-1675-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1964-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB