Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 30/09/2024, 07:52 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: SYSN ORDER.xls
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: SYSN ORDER.xls
  Resource: win10v2004-20240802-en
General
- Target: SYSN ORDER.xls
- Size: 641KB
- MD5: 673bd0aa988ca4a1ef05edb3d5b68d60
- SHA1: 4b7d31c4d6a4cd94e95fdd7c35bca86f6e13ec38
- SHA256: 9db5ab81cbe373ea471f128ad2fdc98c9eb98c1ff3991046f7ca54823d9a6107
- SHA512: 0af25507fd68eb9e8a9df4b1a93f6fad31429d0c0d37d326482ace999f5859f18ef3521c7e71146f41afcf45e7bbaf0d1d77543cc8abfb9c38ac2057cca9929c
- SSDEEP: 12288:GOyBFRSc/ol3o3+io8tM7qgSwaY0c6bde1bmnyqkZH1:GTBShxE+iokM7qgadcgdwmlkZ
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
pid: 3676
pid_target: 916
Process: mshta.exe
procid_target: 81
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; Process: EXCEL.EXE
description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; Process: EXCEL.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; Process: EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; Process: EXCEL.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; Process: EXCEL.EXE
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; Process: EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid: 916; Process: EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid: 916; Process: EXCEL.EXE (12 identical rows)
-
Suspicious use of WriteProcessMemory 2 IoCs
description: PID 916 wrote to memory of 3676; pid: 916; Process: EXCEL.EXE; procid_target: 86
description: PID 916 wrote to memory of 3676; pid: 916; Process: EXCEL.EXE; procid_target: 86
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID: 916)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SYSN ORDER.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\mshta.exe (PID: 3676, child of PID 916)
    Command line: C:\Windows\System32\mshta.exe -Embedding
    - Process spawned unexpected child process
-
Network
-
Remote address: 8.8.8.8:53
Request: 97.17.167.52.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: roaming.officeapps.live.com IN A
Response:
  roaming.officeapps.live.com IN CNAME prod.roaming1.live.com.akadns.net
  prod.roaming1.live.com.akadns.net IN CNAME eur.roaming1.live.com.akadns.net
  eur.roaming1.live.com.akadns.net IN CNAME uks-azsc-000.roaming.officeapps.live.com
  uks-azsc-000.roaming.officeapps.live.com IN CNAME osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
  osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com IN A 52.109.28.47
-
Remote address: 52.109.28.47:443
Request:
POST /rs/RoamingSoapService.svc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
User-Agent: MS-WebServices/1.0
SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
Content-Length: 511
Host: roaming.officeapps.live.com
Response:
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
X-OfficeFE: RoamingFE_IN_510
X-OfficeVersion: 16.0.18122.30576
X-OfficeCluster: uks-000.roaming.officeapps.live.com
X-CorrelationId: a4912d96-e618-4c0d-b5b6-1131caba3053
X-Powered-By: ASP.NET
Date: Mon, 30 Sep 2024 07:52:09 GMT
Content-Length: 654
-
Remote address: 8.8.8.8:53
Request: 47.28.109.52.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: og1.in IN A
Response:
  og1.in IN A 104.21.78.54
  og1.in IN A 172.67.216.244
-
Remote address: 104.21.78.54:443
Request:
GET /cIP5a8 HTTP/2.0
host: og1.in
accept: */*
ua-cpu: AMD64
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Response:
HTTP/2.0 302
content-type: text/plain; charset=utf-8
content-length: 83
location: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta
strict-transport-security: max-age=15552000; includeSubDomains
vary: Accept
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 0
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2Fz4s28v1fGrLipsUDYvilLM0%2Foqq7LAARNQrkrxNsYrbmk3%2FeknXEtH%2FzOWjMU2oeQWOR5MV%2F3Apxq%2Bk%2B87IXBMFsEe67DDT53VrQKtbh6YC9vxl6BF3UU%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8cb2a1c6dbf7cd20-LHR
-
Remote address: 8.8.8.8:53
Request: c.pki.goog IN A
Response:
  c.pki.goog IN CNAME pki-goog.l.google.com
  pki-goog.l.google.com IN A 142.250.187.227
-
Remote address: 142.250.187.227:80
Request:
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 30 Sep 2024 07:51:20 GMT
Expires: Mon, 30 Sep 2024 08:41:20 GMT
Cache-Control: public, max-age=3000
Age: 49
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 142.250.187.227:80
Request:
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Mon, 30 Sep 2024 07:50:01 GMT
Expires: Mon, 30 Sep 2024 08:40:01 GMT
Cache-Control: public, max-age=3000
Age: 128
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 8.8.8.8:53
Request: 54.78.21.104.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 227.187.250.142.in-addr.arpa IN PTR
Response: 227.187.250.142.in-addr.arpa IN PTR lhr25s34-in-f3.1e100.net
-
Remote address: 172.245.123.6:80
Request:
GET /xampp/crio/IEnetbokkworkingforupdate.hta HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: 172.245.123.6
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 30 Sep 2024 01:35:50 GMT
ETag: "1ceb0-6234c398c9718"
Accept-Ranges: bytes
Content-Length: 118448
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
-
Remote address: 8.8.8.8:53
Request: 67.31.126.40.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 6.123.245.172.in-addr.arpa IN PTR
Response: 6.123.245.172.in-addr.arpa IN PTR 172-245-123-6-host.colocrossing.com
-
Remote address: 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 24.73.42.20.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 50.23.12.20.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 18.31.95.13.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 197.87.175.4.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (no answer records)
-
Remote address: 8.8.8.8:53
Request: 101.210.23.2.in-addr.arpa IN PTR
Response: 101.210.23.2.in-addr.arpa IN PTR a2-23-210-101.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 13.227.111.52.in-addr.arpa IN PTR
Response: (no answer records)
-
1.7kB 7.7kB 11 10
HTTP Request
POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
HTTP Response
200
-
1.4kB 4.6kB 17 12
HTTP Request
GET https://og1.in/cIP5a8
HTTP Response
302
-
556 B 3.8kB 7 5
HTTP Request
GET http://c.pki.goog/r/gsr1.crl
HTTP Response
200
HTTP Request
GET http://c.pki.goog/r/r4.crl
HTTP Response
200
-
4.6kB 122.3kB 93 89
HTTP Request
GET http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta
HTTP Response
200
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
73 B 244 B 1 1
DNS Request
roaming.officeapps.live.com
DNS Response
52.109.28.47
-
71 B 145 B 1 1
DNS Request
47.28.109.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
52 B 84 B 1 1
DNS Request
og1.in
DNS Response
104.21.78.54
172.67.216.244
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.187.227
-
71 B 133 B 1 1
DNS Request
54.78.21.104.in-addr.arpa
-
74 B 112 B 1 1
DNS Request
227.187.250.142.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
67.31.126.40.in-addr.arpa
-
72 B 121 B 1 1
DNS Request
6.123.245.172.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
24.73.42.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
101.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa