Analysis

  • max time kernel
    109s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/04/2024, 12:13 UTC

General

  • Target

    7a68fab530f7bee9a2caa6857bf619f77527a9e8be117bd205836f4824b63155.xls

  • Size

    657KB

  • MD5

    34289ef09df5968d45e9198b23d303cf

  • SHA1

    596e26b93e8e35c7abc655e1e55330fc17c80ce9

  • SHA256

    7a68fab530f7bee9a2caa6857bf619f77527a9e8be117bd205836f4824b63155

  • SHA512

    ce4bb7c6e5d87a0e6dab7f7063930bef32c9b18a28a11cea0c1d10430a27b68d7a74bfdac16d9bb6de9d9869a7b762c9f69a0cc042c5cb107b91abad9d882674

  • SSDEEP

    12288:hGp9y86twoD3yfdfNX3ZEcK0qMAc00Nb6e5ecs24QKLI:49y9twoDif1NZ3/BAc00sUTKL

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7a68fab530f7bee9a2caa6857bf619f77527a9e8be117bd205836f4824b63155.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3156

Network

  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.76.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.76.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    uks-azsc-000.roaming.officeapps.live.com
    uks-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    IN A
    52.109.28.47
  • flag-gb
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.28.47:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_586
    X-OfficeVersion: 16.0.17615.30576
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    X-CorrelationId: 2dcb8180-c5bd-46f8-a9c2-a569763a6c4b
    X-Powered-By: ASP.NET
    Date: Fri, 19 Apr 2024 12:13:49 GMT
    Content-Length: 654
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    47.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=18BB86E5892A65180E9D9283889164F9; domain=.bing.com; expires=Wed, 14-May-2025 12:13:51 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 86BF0B3DAC7548BEACCAC84F1B67BCE6 Ref B: LON04EDGE0907 Ref C: 2024-04-19T12:13:51Z
    date: Fri, 19 Apr 2024 12:13:51 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=18BB86E5892A65180E9D9283889164F9
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=pkJqbYqvWWtClus21CoZ3Tum8GVT39nhUQBNwTSaBYI; domain=.bing.com; expires=Wed, 14-May-2025 12:13:51 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B6624E5E15654D7CB2E7E45247F59673 Ref B: LON04EDGE0907 Ref C: 2024-04-19T12:13:51Z
    date: Fri, 19 Apr 2024 12:13:51 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=18BB86E5892A65180E9D9283889164F9; MSPTC=pkJqbYqvWWtClus21CoZ3Tum8GVT39nhUQBNwTSaBYI
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7A1ECC3E22D04C45B090EF353A8692EB Ref B: LON04EDGE0907 Ref C: 2024-04-19T12:13:51Z
    date: Fri, 19 Apr 2024 12:13:51 GMT
  • flag-us
    DNS
    206.221.208.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.221.208.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    132.250.30.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    132.250.30.184.in-addr.arpa
    IN PTR
    Response
    132.250.30.184.in-addr.arpa
    IN PTR
    a184-30-250-132deploystaticakamaitechnologiescom
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    24.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.139.73.23.in-addr.arpa
    IN PTR
    Response
    24.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-24deploystaticakamaitechnologiescom
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
  • 52.109.28.47:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.7kB
    7.7kB
    11
    10

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    tls, http2
    2.0kB
    9.2kB
    21
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d02bf76dab0d4d2a8710fe15da124a27&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

    HTTP Response

    204
  • 52.142.223.178:80
    46 B
    1
  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    240.76.109.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    240.76.109.52.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
    244 B
    1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.28.47

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    47.28.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    47.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    206.221.208.4.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    206.221.208.4.in-addr.arpa

  • 8.8.8.8:53
    132.250.30.184.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    132.250.30.184.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    18.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    18.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    24.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    24.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    22.236.111.52.in-addr.arpa

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3156-0-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-1-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-2-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-3-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-4-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-5-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-6-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-7-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-8-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-9-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-10-0x00007FFC50900000-0x00007FFC50910000-memory.dmp

    Filesize

    64KB

  • memory/3156-11-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-12-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-15-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-14-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-16-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-13-0x00007FFC50900000-0x00007FFC50910000-memory.dmp

    Filesize

    64KB

  • memory/3156-18-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-17-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-20-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-21-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-22-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-19-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-23-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-40-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-55-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-56-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-57-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-58-0x00007FFC529B0000-0x00007FFC529C0000-memory.dmp

    Filesize

    64KB

  • memory/3156-60-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-59-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

    Filesize

    2.0MB