Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

750af99d7e...1b.xls

windows7-x64

3

750af99d7e...1b.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    32s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2024, 21:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    750af99d7e32b373a0ea0a9eabbddec20980687542f8e95e22fc9a3f0f832c1b.xls

  • Size

    181KB

  • MD5

    b3427b8b5250687f10c139f15ee2194e

  • SHA1

    9a5515de022838f225588d29d5043298d2fec8e4

  • SHA256

    750af99d7e32b373a0ea0a9eabbddec20980687542f8e95e22fc9a3f0f832c1b

  • SHA512

    a1dfccab7254607ce4e415781cdb454617f2cf229685b6559cc3c22d28a79ea711c8b87e657a9040a0a86c8599e83d2050ddc033ab2e9ffeaaeb9c11b433a616

  • SSDEEP

    3072:Epk3hbdlylKsgqopeJBWhZFGkE+cdPUZKaAV+YcIM6/+uF9KCOs+hMvlfynb5afc:Sk3hbdlylKsgqopeJBWhZFVE+UPUZKaC

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\750af99d7e32b373a0ea0a9eabbddec20980687542f8e95e22fc9a3f0f832c1b.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3168

Network

  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    frc-azsc-000.roaming.officeapps.live.com
    frc-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
    osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
    IN A
    52.109.68.129
  • flag-fr
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.68.129:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_491
    X-OfficeVersion: 16.0.18122.30576
    X-OfficeCluster: frc-000.roaming.officeapps.live.com
    X-CorrelationId: 11ecc1eb-8f0b-4d9a-b776-df38729f3f98
    X-Powered-By: ASP.NET
    Date: Tue, 01 Oct 2024 21:36:09 GMT
    Content-Length: 654
  • flag-us
    DNS
    46.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    46.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    129.68.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    129.68.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • 52.109.68.129:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.9kB
     7.7kB
     12
    10

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
     250 B
     1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.68.129

  • 8.8.8.8:53
    46.28.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    46.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    129.68.109.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    129.68.109.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    23.173.189.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    23.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3168-2-0x00007FFE2EC30000-0x00007FFE2EC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-3-0x00007FFE6EC4D000-0x00007FFE6EC4E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3168-0-0x00007FFE2EC30000-0x00007FFE2EC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-1-0x00007FFE2EC30000-0x00007FFE2EC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-7-0x00007FFE2EC30000-0x00007FFE2EC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-6-0x00007FFE2EC30000-0x00007FFE2EC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-8-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-10-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-11-0x00007FFE2CBA0000-0x00007FFE2CBB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-9-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-5-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-12-0x00007FFE2CBA0000-0x00007FFE2CBB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3168-4-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-16-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-20-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-19-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-18-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-17-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-15-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-14-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-13-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3168-30-0x00007FFE6EBB0000-0x00007FFE6EDA5000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.