Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2024, 07:52 UTC

General

  • Target

    SYSN ORDER.xls

  • Size

    641KB

  • MD5

    673bd0aa988ca4a1ef05edb3d5b68d60

  • SHA1

    4b7d31c4d6a4cd94e95fdd7c35bca86f6e13ec38

  • SHA256

    9db5ab81cbe373ea471f128ad2fdc98c9eb98c1ff3991046f7ca54823d9a6107

  • SHA512

    0af25507fd68eb9e8a9df4b1a93f6fad31429d0c0d37d326482ace999f5859f18ef3521c7e71146f41afcf45e7bbaf0d1d77543cc8abfb9c38ac2057cca9929c

  • SSDEEP

    12288:GOyBFRSc/ol3o3+io8tM7qgSwaY0c6bde1bmnyqkZH1:GTBShxE+iokM7qgadcgdwmlkZ

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SYSN ORDER.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\System32\mshta.exe
      C:\Windows\System32\mshta.exe -Embedding
      2⤵
      • Process spawned unexpected child process
      PID:3676

Network

  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    uks-azsc-000.roaming.officeapps.live.com
    uks-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    IN A
    52.109.28.47
  • flag-gb
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.28.47:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_510
    X-OfficeVersion: 16.0.18122.30576
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    X-CorrelationId: a4912d96-e618-4c0d-b5b6-1131caba3053
    X-Powered-By: ASP.NET
    Date: Mon, 30 Sep 2024 07:52:09 GMT
    Content-Length: 654
  • flag-us
    DNS
    47.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    og1.in
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    og1.in
    IN A
    Response
    og1.in
    IN A
    104.21.78.54
    og1.in
    IN A
    172.67.216.244
  • flag-us
    GET
    https://og1.in/cIP5a8
    EXCEL.EXE
    Remote address:
    104.21.78.54:443
    Request
    GET /cIP5a8 HTTP/2.0
    host: og1.in
    accept: */*
    ua-cpu: AMD64
    accept-encoding: gzip, deflate
    user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Response
    HTTP/2.0 302
    date: Mon, 30 Sep 2024 07:52:10 GMT
    content-type: text/plain; charset=utf-8
    content-length: 83
    location: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta
    strict-transport-security: max-age=15552000; includeSubDomains
    vary: Accept
    x-content-type-options: nosniff
    x-dns-prefetch-control: off
    x-download-options: noopen
    x-frame-options: SAMEORIGIN
    x-xss-protection: 0
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2Fz4s28v1fGrLipsUDYvilLM0%2Foqq7LAARNQrkrxNsYrbmk3%2FeknXEtH%2FzOWjMU2oeQWOR5MV%2F3Apxq%2Bk%2B87IXBMFsEe67DDT53VrQKtbh6YC9vxl6BF3UU%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 8cb2a1c6dbf7cd20-LHR
  • flag-us
    DNS
    c.pki.goog
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    EXCEL.EXE
    Remote address:
    142.250.187.227:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 30 Sep 2024 07:51:20 GMT
    Expires: Mon, 30 Sep 2024 08:41:20 GMT
    Cache-Control: public, max-age=3000
    Age: 49
    Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    EXCEL.EXE
    Remote address:
    142.250.187.227:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 30 Sep 2024 07:50:01 GMT
    Expires: Mon, 30 Sep 2024 08:40:01 GMT
    Cache-Control: public, max-age=3000
    Age: 128
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    54.78.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.78.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    227.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    227.187.250.142.in-addr.arpa
    IN PTR
    Response
    227.187.250.142.in-addr.arpa
    IN PTR
    lhr25s34-in-f31.1e100.net
  • flag-us
    GET
    http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta
    EXCEL.EXE
    Remote address:
    172.245.123.6:80
    Request
    GET /xampp/crio/IEnetbokkworkingforupdate.hta HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: 172.245.123.6
    Response
    HTTP/1.1 200 OK
    Date: Mon, 30 Sep 2024 07:52:10 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Mon, 30 Sep 2024 01:35:50 GMT
    ETag: "1ceb0-6234c398c9718"
    Accept-Ranges: bytes
    Content-Length: 118448
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/hta
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    6.123.245.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    6.123.245.172.in-addr.arpa
    IN PTR
    Response
    6.123.245.172.in-addr.arpa
    IN PTR
    172-245-123-6-host.colocrossing.com
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    24.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.73.42.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    101.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.210.23.2.in-addr.arpa
    IN PTR
    Response
    101.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-101.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.109.28.47:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.7kB
    7.7kB
    11
    10

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 104.21.78.54:443
    https://og1.in/cIP5a8
    tls, http2
    EXCEL.EXE
    1.4kB
    4.6kB
    17
    12

    HTTP Request

    GET https://og1.in/cIP5a8

    HTTP Response

    302
  • 142.250.187.227:80
    http://c.pki.goog/r/r4.crl
    http
    EXCEL.EXE
    556 B
    3.8kB
    7
    5

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 172.245.123.6:80
    http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta
    http
    EXCEL.EXE
    4.6kB
    122.3kB
    93
    89

    HTTP Request

    GET http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta

    HTTP Response

    200
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
    244 B
    1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.28.47

  • 8.8.8.8:53
    47.28.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    47.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    og1.in
    dns
    EXCEL.EXE
    52 B
    84 B
    1
    1

    DNS Request

    og1.in

    DNS Response

    104.21.78.54
    172.67.216.244

  • 8.8.8.8:53
    c.pki.goog
    dns
    EXCEL.EXE
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.227

  • 8.8.8.8:53
    54.78.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    54.78.21.104.in-addr.arpa

  • 8.8.8.8:53
    227.187.250.142.in-addr.arpa
    dns
    74 B
    112 B
    1
    1

    DNS Request

    227.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    6.123.245.172.in-addr.arpa
    dns
    72 B
    121 B
    1
    1

    DNS Request

    6.123.245.172.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    24.73.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    24.73.42.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    101.210.23.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    101.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/916-20-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-21-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-2-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/916-0-0x00007FFF8BD4D000-0x00007FFF8BD4E000-memory.dmp

    Filesize

    4KB

  • memory/916-3-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/916-6-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-5-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/916-10-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-9-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-11-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-12-0x00007FFF49C30000-0x00007FFF49C40000-memory.dmp

    Filesize

    64KB

  • memory/916-8-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-7-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-13-0x00007FFF49C30000-0x00007FFF49C40000-memory.dmp

    Filesize

    64KB

  • memory/916-16-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-19-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-4-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/916-1-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/916-18-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-17-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-15-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-14-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-84-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-83-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/916-46-0x00007FFF8BD4D000-0x00007FFF8BD4E000-memory.dmp

    Filesize

    4KB

  • memory/916-47-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-48-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-49-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/916-80-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/916-81-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/916-82-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

    Filesize

    64KB

  • memory/3676-51-0x00007FF7FE9E0000-0x00007FF7FE9E8000-memory.dmp

    Filesize

    32KB

  • memory/3676-50-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/3676-43-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB

  • memory/3676-41-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

    Filesize

    2.0MB
