Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
08/08/2024, 01:28 UTC
General
-
Target
9208b14ce2fcf454161bd1aefa9fcb69ee1c3deb8a6d719c1cca5d509c169f31.xls
-
Size
316KB
-
MD5
a9149db99d4261753f677d94bcbdbf9d
-
SHA1
426d1120da358147c7b37bef0e1876ad6868687f
-
SHA256
9208b14ce2fcf454161bd1aefa9fcb69ee1c3deb8a6d719c1cca5d509c169f31
-
SHA512
ce0c1d504d796d4b0dfc3a519026371737bd3582762140084e287c99b671a9201a81d00d49b580fdef9a49025ac4e034eb660c3f05f31c0e11820d41c09e57b3
-
SSDEEP
6144:kj9MG1KnfoHx83xjL0M+cJh3hOmzTX1Zs5FLKEG86:kj9MGAn0yh47cJymzT3s5FLXv6
Score
3/10
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9208b14ce2fcf454161bd1aefa9fcb69ee1c3deb8a6d719c1cca5d509c169f31.xls1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
-
DNSurlty.coRemote address:8.8.8.8:53Requesturlty.coIN AResponseurlty.coIN A172.67.162.208urlty.coIN A104.21.90.242 -
GEThttps://urlty.co/nezYpRemote address:172.67.162.208:443RequestGET /nezYp HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: urlty.co
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Thu, 08 Aug 2024 01:28:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: PHPSESSID=d0s6i3tc49t0r5dsntvquip30i; path=/
set-cookie: short_22831=1; expires=Thu, 08-Aug-2024 01:43:19 GMT; Max-Age=900; path=/; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
pragma: no-cache
location: http://192.210.150.33/88/mssc/wecreatednewentertainmenttounderstandhowperfectyourlovertogetmebackwithenitrethingstogbeworkwithentirenetwork_________sheismygirlwhoilovedtruly.doc
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CadgI4kjAJCiAtns9SKrYq1fR5OvQ%2FecM8HZ0YNRt8uKqoYfVCalsBZ62BQaidad68p3loLM3J3MurUyjXzsGI8tCP9wcUL%2F5F7zkFrBp1JpzaLA6FbzPWR1CQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8afbba977c8c3867-LHR
-
DNSc.pki.googRemote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.131
-
GEThttp://c.pki.goog/r/gsr1.crlRemote address:142.250.179.131:80RequestGET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 08 Aug 2024 00:51:49 GMT
Expires: Thu, 08 Aug 2024 01:41:49 GMT
Cache-Control: public, max-age=3000
Age: 2188
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
GEThttp://c.pki.goog/r/r4.crlRemote address:142.250.179.131:80RequestGET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 08 Aug 2024 00:51:47 GMT
Expires: Thu, 08 Aug 2024 01:41:47 GMT
Cache-Control: public, max-age=3000
Age: 2190
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
DNScrl.microsoft.comRemote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A2.18.190.71a1363.dscg.akamai.netIN A2.18.190.80
-
GEThttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlRemote address:2.18.190.71:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
ETag: 0x8DCA14B323B2CC0
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: a4477661-c01e-0047-59b2-e33cb1000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 08 Aug 2024 01:28:48 GMT
Connection: keep-alive
-
172.67.162.208:443https://urlty.co/nezYptls, http
HTTP Request
GET https://urlty.co/nezYpHTTP Response
301 -
142.250.179.131:80http://c.pki.goog/r/r4.crlhttp
HTTP Request
GET http://c.pki.goog/r/gsr1.crlHTTP Response
200HTTP Request
GET http://c.pki.goog/r/r4.crlHTTP Response
200 -
192.210.150.33:80
-
192.210.150.33:80
-
2.18.190.71:80http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlhttp
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200
-
8.8.8.8:53urlty.codns
DNS Request
urlty.co
DNS Response
172.67.162.208104.21.90.242
-
8.8.8.8:53c.pki.googdns
DNS Request
c.pki.goog
DNS Response
142.250.179.131
-
8.8.8.8:53crl.microsoft.comdns
DNS Request
crl.microsoft.com
DNS Response
2.18.190.712.18.190.80
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB