Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

Complaint-...21.xls

windows7-x64

10

Complaint-...21.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Complaint-1139434699-02182021.xls

  • Size

    142KB

  • MD5

    f481599cb80b79ff1624d8095d60ad37

  • SHA1

    5f1f728c01113112866324abb15da0375749d0bf

  • SHA256

    ee05c4ea463797ea4c65e8875bfcf74402644db1abbd120ce65edcf22d915846

  • SHA512

    6297243b29fbb746e0e790aee6d2505dfd385d703d3d10af580a1fb07b0f5b74fefba8742d150236554139429d8bfde7d2a8a55b1bff94b8fab8bb8c65423145

  • SSDEEP

    3072:GcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMRt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/d:GcPiTQAVW/89BQnmlcGvgZ7r3J8YUOM0

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://rzminc.com/xklyulyijvn/45564985382060200000.dat
xlm40.dropper

http://pathinanchilearthmovers.com/eznwcdhx/45564985382060200000.dat
xlm40.dropper

http://jugueterialatorre.com.ar/xjzpfwc/45564985382060200000.dat
xlm40.dropper

http://rzminc.com/fdzgprclatqo/45564985382060200000.dat
xlm40.dropper

http://biblicalisraeltours.com/otmchxmxeg/45564985382060200000.dat

Signatures

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Complaint-1139434699-02182021.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\JDFR.hdfgr,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:4364
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\JDFR.hdfgr1,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:4740
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\JDFR.hdfgr2,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:2284
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\JDFR.hdfgr3,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:1376
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\JDFR.hdfgr4,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      PID:3168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    2KB

    MD5

    c99984c4420b9fe9c7b28170767c3505

    SHA1

    8b4ef836137a9d632ba93f69b95c71de9bc5a26b

    SHA256

    c899c8af62c8edb82f29e265ef0b13d45006198c531a0f9a03e375b82a680abd

    SHA512

    795394c6279605a87f1145bf9171ed9d9274b89c92960078a2ca80803b8c0b5c1fcaeb76586d940693444ab83314217605f0a693e4e9267f65f0c58b715b31c3

    Download Submit

  • memory/4724-16-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-7-0x00007FFB88450000-0x00007FFB88460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4724-3-0x00007FFB88450000-0x00007FFB88460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4724-5-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-4-0x00007FFB88450000-0x00007FFB88460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4724-6-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-1-0x00007FFBC846D000-0x00007FFBC846E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4724-8-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-9-0x00007FFB863F0000-0x00007FFB86400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4724-10-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-2-0x00007FFB88450000-0x00007FFB88460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4724-11-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-14-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-18-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-19-0x00007FFB863F0000-0x00007FFB86400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4724-15-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-17-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-13-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-12-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-29-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-30-0x00007FFBC846D000-0x00007FFBC846E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4724-31-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-32-0x00007FFBC83D0000-0x00007FFBC85C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4724-0-0x00007FFB88450000-0x00007FFB88460000-memory.dmp

    Filesize

    64KB

    Download