Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 133s
max time network: 136s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 14/07/2023, 06:48
Static task: static1
Behavioral task: behavioral1
  Sample: CI + PL.xls
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: CI + PL.xls
  Resource: win10v2004-20230703-en
General
Target: CI + PL.xls
Size: 1.4MB
MD5: 22cbe162d221d7ab2ae7e185a38cd432
SHA1: 6ee5a4da46169acb591f3572dfe8347afd2a937d
SHA256: 81eb9a9c2bd5612d7e67a5dccae5a52cd02fa933d59eafbb2f318d7f79dce601
SHA512: 4dacf9de7dbe2cc352039acb18768619707c5b7e2c96f4843156e204a32bec4ec986fedc484a446364decec7773bdfbb3e0d8519e2293237f18454da4ecef074
SSDEEP: 24576:5+u9VNZylw6VfOZydw6VleHBlEzp7uOR0bgcwyA52hcP5YwVux:5+uPR6VfY96V8hOzWgjy+P5Yj
Malware Config
Extracted family: lokibot
C2 URLs:
- http://171.22.30.147/mous/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 3, PID 1724, EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  PID 2976, IBM_Centiios.exe
- Loads dropped DLL (2 IoCs)
  PID 1724, EQNEDT32.EXE
  PID 1724, EQNEDT32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (IBM_Centiios.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (IBM_Centiios.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (IBM_Centiios.exe)
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  PID 1724, EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 1524, EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2976, IBM_Centiios.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1524, EXCEL.EXE (3 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1724 (EQNEDT32.EXE) wrote to memory of PID 2976, procid_target 29 (4 occurrences)
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (IBM_Centiios.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (IBM_Centiios.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\CI + PL.xls"
  PID: 1524 (depth 1)
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 1724 (depth 1)
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IBM_Centiios.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\IBM_Centiios.exe"
    PID: 2976 (depth 2, child of EQNEDT32.EXE)
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.4MB
  MD5: a01b9617553432807b9b58025b338d97
  SHA1: 439bdcc450408b9735b2428c2d53d2e6977fa58c
  SHA256: 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
  SHA512: 312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee
- Filesize: 182KB
  MD5: f8cfc631cdbba89be07229acfa3bc367
  SHA1: d798e9b244aea4e95329e0558eb09ded3f5b5331
  SHA256: 8b6f6b5068cfe8c9563ba3866d0f638b5e05aec677e3d30e2a2dc0187d6bd0e3
  SHA512: 6ba926b20a5455c3bb03c54187f03c99b7ffae4912aee538b4f175997bef18b30757fbcaf8f6a19663d955c55039b945bba5f2ec663f7a8d920b45640b454192
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2969888527-3102471180-2307688834-1000\0f5007522459c86e95ffcc62f32308f1_5b94d649-9515-4998-acf2-675d441d6ce0
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2969888527-3102471180-2307688834-1000\0f5007522459c86e95ffcc62f32308f1_5b94d649-9515-4998-acf2-675d441d6ce0
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61