Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

1

Static

static

1

Штатк...�.xlsx

windows11-21h2-x64

1

Analysis

  • max time kernel
    47s
  • max time network
    14s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22/05/2024, 14:52 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Штатка_ТЦК_Деснянского_района_в_г_Киев.xlsx

  • Size

    442KB

  • MD5

    b5079dd93a5c3ed0902d825c2b13d3fb

  • SHA1

    0c5ba1a38c4c912c985e92f15e40abef99fdd808

  • SHA256

    436f30c03b857edf3ab9cd7e833327844bb6e9d27cc0fe34590c5d11bee944dd

  • SHA512

    d668d5dee47d41cbae3bc014d68506bb245017403914f4adea21d3297ec08689b0ac90c574b1125383f6329100948471db4ec83b0cef76326dbcb4dfe45c6ea9

  • SSDEEP

    6144:5lREBTRORW0qwh+4TdB3jZJWamgcdhyuEpNnYbXXDIC1K8fPl/VvOz:cdORjqws4T36XdoNnY7TIve5Fu

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Штатка_ТЦК_Деснянского_района_в_г_Киев.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3152

Network

  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    frc-azsc-000.roaming.officeapps.live.com
    frc-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
    osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
    IN A
    52.109.68.129
  • flag-us
    DNS
    46.28.109.52.in-addr.arpa
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    46.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    25.24.18.2.in-addr.arpa
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    25.24.18.2.in-addr.arpa
    IN PTR
    Response
    25.24.18.2.in-addr.arpa
    IN PTR
    a2-18-24-25deploystaticakamaitechnologiescom
  • flag-us
    DNS
    35.197.79.40.in-addr.arpa
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    35.197.79.40.in-addr.arpa
    IN PTR
    Response
  • flag-fr
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.68.129:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_159
    X-OfficeVersion: 16.0.17711.30575
    X-OfficeCluster: frc-000.roaming.officeapps.live.com
    X-CorrelationId: f064f39b-9e67-4346-bee9-56f24b124096
    X-Powered-By: ASP.NET
    Date: Wed, 22 May 2024 14:52:34 GMT
    Content-Length: 654
  • 52.109.68.129:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.9kB
     8.5kB
     14
    12

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    356 B
     829 B
     5
    5

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.68.129

    DNS Request

    46.28.109.52.in-addr.arpa

    DNS Request

    71.159.190.20.in-addr.arpa

    DNS Request

    25.24.18.2.in-addr.arpa

    DNS Request

    35.197.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3152-0-0x00007FF817B50000-0x00007FF817B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-2-0x00007FF817B50000-0x00007FF817B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-1-0x00007FF817B50000-0x00007FF817B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-5-0x00007FF817B50000-0x00007FF817B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-3-0x00007FF857B63000-0x00007FF857B64000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3152-4-0x00007FF817B50000-0x00007FF817B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-7-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-6-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-11-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-10-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-9-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-8-0x00007FF815610000-0x00007FF815620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-13-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-12-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-15-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-16-0x00007FF815610000-0x00007FF815620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-17-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-18-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-20-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-21-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-19-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-14-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-33-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-34-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3152-35-0x00007FF857AC0000-0x00007FF857CC9000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.