Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

orden de compra.xls

windows7-x64

10

orden de compra.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    1s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/12/2023, 16:45 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    orden de compra.xls

  • Size

    391KB

  • MD5

    060f999d180fb2c37059815ebd76e38e

  • SHA1

    605c01289d5b683a3d5b5eb17ebef72bfc388f91

  • SHA256

    ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908

  • SHA512

    a4449aa855a6426106516bf11499902f402ed4589fa7f11e628fec9efbcd6b8a6fcabdfb02d2fe3bf20a41889c734538e77194a011112b4dc06ae94e6b9c066e

  • SSDEEP

    6144:Vn1m9kdbXgb8y3ZetJs0hdMJUXTdU5u/LbquQFBql4yUhNttSMS6EgU0rh:VOesblwtqSdLTdoaNQO6hQX+h

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\orden de compra.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2992
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
    1⤵
      PID:5096
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:948
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
        1⤵
          PID:3280

        Network

        • flag-us
          DNS
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dnsgoogle
        • flag-us
          GET
          http://140.228.29.227/microsoftunderstandwhyneedtodeleteentirehistorycachecookieverything.Doc
          EXCEL.EXE
          Remote address:
          140.228.29.227:80
          Request
          GET /microsoftunderstandwhyneedtodeleteentirehistorycachecookieverything.Doc HTTP/1.1
          Accept: */*
          UA-CPU: AMD64
          Accept-Encoding: gzip, deflate
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
          Host: 140.228.29.227
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Content-Type: application/msword
          Last-Modified: Thu, 07 Dec 2023 14:40:00 GMT
          Accept-Ranges: bytes
          ETag: "b9d3a7411b29da1:0"
          Server: Microsoft-IIS/10.0
          Date: Thu, 07 Dec 2023 16:45:46 GMT
          Content-Length: 61090
        • flag-us
          DNS
          23.181.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          23.181.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          202.178.17.96.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          202.178.17.96.in-addr.arpa
          IN PTR
          Response
          202.178.17.96.in-addr.arpa
          IN PTR
          a96-17-178-202deploystaticakamaitechnologiescom
        • flag-us
          DNS
          97.32.109.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          97.32.109.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          9.228.82.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          9.228.82.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          227.29.228.140.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          227.29.228.140.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          26.35.223.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.35.223.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          41.110.16.96.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          41.110.16.96.in-addr.arpa
          IN PTR
          Response
          41.110.16.96.in-addr.arpa
          IN PTR
          a96-16-110-41deploystaticakamaitechnologiescom
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • flag-us
          DNS
          200.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.197.79.204.in-addr.arpa
          IN PTR
          Response
          200.197.79.204.in-addr.arpa
          IN PTR
          a-0001a-msedgenet
        • flag-us
          DNS
          208.143.182.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          208.143.182.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          50.23.12.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          50.23.12.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          171.39.242.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          171.39.242.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          18.134.221.88.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          18.134.221.88.in-addr.arpa
          IN PTR
          Response
          18.134.221.88.in-addr.arpa
          IN PTR
          a88-221-134-18deploystaticakamaitechnologiescom
        • flag-us
          DNS
          0.205.248.87.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          0.205.248.87.in-addr.arpa
          IN PTR
          Response
          0.205.248.87.in-addr.arpa
          IN PTR
          https-87-248-205-0lgwllnwnet
        • flag-us
          DNS
          23.236.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          23.236.111.52.in-addr.arpa
          IN PTR
          Response
        • 140.228.29.227:80
          http://140.228.29.227/microsoftunderstandwhyneedtodeleteentirehistorycachecookieverything.Doc
          http
          EXCEL.EXE
          2.7kB
           63.2kB
           50
          47

          HTTP Request

          GET http://140.228.29.227/microsoftunderstandwhyneedtodeleteentirehistorycachecookieverything.Doc

          HTTP Response

          200
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls
          1.2kB
           8.3kB
           16
          14
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls
          24.6kB
           703.6kB
           517
          514
        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          66 B
           90 B
           1
          1

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          23.181.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          23.181.190.20.in-addr.arpa

        • 8.8.8.8:53
          202.178.17.96.in-addr.arpa
          dns
          72 B
           137 B
           1
          1

          DNS Request

          202.178.17.96.in-addr.arpa

        • 8.8.8.8:53
          97.32.109.52.in-addr.arpa
          dns
          71 B
           145 B
           1
          1

          DNS Request

          97.32.109.52.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
           144 B
           1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          9.228.82.20.in-addr.arpa
          dns
          70 B
           156 B
           1
          1

          DNS Request

          9.228.82.20.in-addr.arpa

        • 8.8.8.8:53
          227.29.228.140.in-addr.arpa
          dns
          73 B
           127 B
           1
          1

          DNS Request

          227.29.228.140.in-addr.arpa

        • 8.8.8.8:53
          26.35.223.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          26.35.223.20.in-addr.arpa

        • 8.8.8.8:53
          41.110.16.96.in-addr.arpa
          dns
          71 B
           135 B
           1
          1

          DNS Request

          41.110.16.96.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
           173 B
           1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          204.79.197.200
          13.107.21.200

        • 8.8.8.8:53
          200.197.79.204.in-addr.arpa
          dns
          73 B
           106 B
           1
          1

          DNS Request

          200.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          208.143.182.52.in-addr.arpa
          dns
          73 B
           147 B
           1
          1

          DNS Request

          208.143.182.52.in-addr.arpa

        • 8.8.8.8:53
          50.23.12.20.in-addr.arpa
          dns
          70 B
           156 B
           1
          1

          DNS Request

          50.23.12.20.in-addr.arpa

        • 8.8.8.8:53
          171.39.242.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          171.39.242.20.in-addr.arpa

        • 8.8.8.8:53
          18.134.221.88.in-addr.arpa
          dns
          72 B
           137 B
           1
          1

          DNS Request

          18.134.221.88.in-addr.arpa

        • 8.8.8.8:53
          0.205.248.87.in-addr.arpa
          dns
          71 B
           116 B
           1
          1

          DNS Request

          0.205.248.87.in-addr.arpa

        • 8.8.8.8:53
          23.236.111.52.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          23.236.111.52.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
          Filesize

          471B

          MD5

          f4753a8b6608192bc45622d050f66ac7

          SHA1

          77dd778225700e5f8af168f320a8398a1ac2f3f1

          SHA256

          d55f92fe3e4fb2adff9eba7cc9a86f835069648a5b08452e4b772241631fd318

          SHA512

          8248ca77161b3cde32e203dd2927f31929b20bb998a52856c359c964472cf1e6728a7e26e634fbefe1a3762f1e295b44d4fa5bd5384e3d67557ebc323062e70d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
          Filesize

          412B

          MD5

          82c508caeb6f9f0d6023e2b6276d76cf

          SHA1

          4bcb199cd1640b0744c4fd279f2b75b005321ab0

          SHA256

          cb13f3828355e03a71b64e0608af8c7e8129dcaa0d9063e2c6cddc001874e3bc

          SHA512

          3ba4bf3cda5a45ec0072a5426aa9ecc6ea599f0b8641e2ab7f2605faec2f486e4c290a6b991930bc8e58279f9f451c69d4d6f955aff8310fcb291346fc627836

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E3246B7F-541A-4A4A-ABCB-3D1194CAB765
          Filesize

          158KB

          MD5

          b0df96ab3292153695d153531015847f

          SHA1

          f7ac497aa1e7817fd2628c8527026a5aabc1a55c

          SHA256

          3b590da58bae7a37ba09a456f7f8f8911322d250eabe6a9bebf207b619183228

          SHA512

          da424bd59e908c08b087bfd8e4520f800bd3bf957402a92c13ac8a955b3357a45ff5d4f8ad563932eba11070fd33c63d45750abd7ade56747647b4029366a520

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
          Filesize

          2KB

          MD5

          88c8dcc6e463b4f5b5d0f06e7e34c4c5

          SHA1

          efc08370b3cf84abcb6bcfdf50a75f2f182d7bad

          SHA256

          cae6755522baf1f1cd103ac19070933458ee6756428d91f584941648b022dc5f

          SHA512

          a9b2733eb2c770c44cae97d9329c952fc8c4824d6587720bf827ec9f80de2acc5f400aad78af61ba001763346f3f8d7c7aeacb3cc6a9be14fa7814c3c1ca57a4

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
          Filesize

          2KB

          MD5

          1eee4586ea55678475ed844a6ef707be

          SHA1

          8b18be2d72395d8a763f77f3ffba4860f4292e4f

          SHA256

          c0aca9f4a536faacf2be2b21dc4e27432fde2f73d53c730ca9a4505fe5334993

          SHA512

          6a61a4dca03a6231ea3ed9ee1824b196999b6fa7ea510af4ffe2a66ab8498a980efeabef9effa96ec6c2ee843f1b0cf5bbf49d2448897e3b676672454b4f7431

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R3HM9TG4\microsoftunderstandwhyneedtodeleteentirehistorycachecookieverything[1].doc
          Filesize

          59KB

          MD5

          ed5d8e3f7b96288d349f167b737b0e32

          SHA1

          d855f8bac1e28f42abe38db048e8839615db1be4

          SHA256

          f118d7b310e09917603c15c5e6199f0bc04848ff9b3042b04fc8a94720a55d44

          SHA512

          4b7a378ef8c805342b993129911f020b8a81eaada910329cedab1755177098a46d7c0bdea84451c8fb5801e5a998a8786a0ef57576edca169f55373ff0960037

          Download Submit

        • memory/2992-11-0x00007FFB85C70000-0x00007FFB85C80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2992-2-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2992-7-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-10-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-12-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-0-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2992-6-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2992-14-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-15-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-13-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-16-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-17-0x00007FFB85C70000-0x00007FFB85C80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2992-19-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-20-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-18-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-116-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-65-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-1-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2992-3-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-9-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-5-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2992-4-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2992-8-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-32-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-66-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-39-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-41-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-40-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-37-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-43-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-36-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-42-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-34-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-108-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5096-107-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5096-106-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5096-105-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5096-104-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5096-30-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

          Filesize

          2.0MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.