Analysis

  • max time kernel
    101s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2024, 08:57 UTC

General

  • Target

    discovery_UDP&persistance_ssh(1).xls

  • Size

    72KB

  • MD5

    c9b8bf66f0fe8719bea195f39fa4e326

  • SHA1

    1e9ab72fd9eaf1f77c9bccca6efbd35786fd548f

  • SHA256

    3ea40aed7aa116bb3f817be11a879793838323cf38319190e39729f5997c6bb6

  • SHA512

    bee483be35ad0e640e8d0b894a4a6e5d9ecf289b0c22800b022d4b993f2a239bf7ed68379068d518b57c471a0396415b361eb6427fc76813cb8ac2f7b22aea9d

  • SSDEEP

    1536:750P2hrXiVKyVkgi/954kkGfnld+AbrKE47NsE8USnf3vH/YsKRi+LXWGlRvORBa:750P2hrXiVKyVkgi/954kkGfnld+Abro

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\discovery_UDP&persistance_ssh(1).xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4928

Network

  • flag-us
    DNS
    240.76.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.76.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2BC96E87620564C13CAF7A5363E5657D; domain=.bing.com; expires=Mon, 01-Sep-2025 08:57:43 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3392F0183C514B7B9250C5363AFCBCC1 Ref B: LON04EDGE1109 Ref C: 2024-08-07T08:57:43Z
    date: Wed, 07 Aug 2024 08:57:42 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2BC96E87620564C13CAF7A5363E5657D
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=HO-hHft2CVha2NVGDJOvignSDlLJrSAw4oM8WuenjZ8; domain=.bing.com; expires=Mon, 01-Sep-2025 08:57:43 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8229DB9BD70D498BA96D54CAA07EAB44 Ref B: LON04EDGE1109 Ref C: 2024-08-07T08:57:43Z
    date: Wed, 07 Aug 2024 08:57:42 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2BC96E87620564C13CAF7A5363E5657D; MSPTC=HO-hHft2CVha2NVGDJOvignSDlLJrSAw4oM8WuenjZ8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 33F57B41F5214F32A008EB060EBA20C9 Ref B: LON04EDGE1109 Ref C: 2024-08-07T08:57:43Z
    date: Wed, 07 Aug 2024 08:57:42 GMT
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    100.58.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.58.20.217.in-addr.arpa
    IN PTR
    Response
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9c151c18fb0495f81073cd569b00ac5&localId=w:568930E6-1262-9E23-EB49-CE8A389C3C60&deviceId=6966569430359306&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    240.76.109.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    240.76.109.52.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    10.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    tls
    74 B
    292 B
    1
    1
  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    100.58.20.217.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    100.58.20.217.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

    Filesize

    1KB

    MD5

    a583168695e7bfce52f3fd6170d4ab05

    SHA1

    cc5518615f7086b24f08e8bd127c9f001cec792b

    SHA256

    b0a919a990b442d8d0f441870aae56f336ef9f6b2b94d3a82a93246c17cac5ec

    SHA512

    527ab5f20f77f5c876a97a54308e408660c3d9abe0d2c364bf99e5965cc914c306894e0a7ac0feb5ce85d9787f4959f323bd8ef5585958f306fd4630c273f679

  • memory/4928-14-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-6-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-4-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-3-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-5-0x00007FF96336D000-0x00007FF96336E000-memory.dmp

    Filesize

    4KB

  • memory/4928-9-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-8-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-15-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-0-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-10-0x00007FF920A20000-0x00007FF920A30000-memory.dmp

    Filesize

    64KB

  • memory/4928-2-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-11-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-7-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-13-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-12-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-17-0x00007FF920A20000-0x00007FF920A30000-memory.dmp

    Filesize

    64KB

  • memory/4928-1-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-28-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB

  • memory/4928-44-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-45-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-47-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-46-0x00007FF923350000-0x00007FF923360000-memory.dmp

    Filesize

    64KB

  • memory/4928-48-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

    Filesize

    2.0MB
