Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

Fatura 002.xlam

windows7-x64

8

Fatura 002.xlam

windows10-2004-x64

1

Resubmissions

01/10/2024, 06:09 UTC

241001-gwwtqsycna 8

01/10/2024, 06:06 UTC

241001-gtr3rsybqa 8

Analysis

  • max time kernel
    100s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2024, 06:06 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fatura 002.xlam

  • Size

    690KB

  • MD5

    404eec23afb533475c11493f7d367ec0

  • SHA1

    844ba233d3ba4ecc44596bc78f90eecffd0286de

  • SHA256

    eab869eef3b586266919e8d303d196beeb0f22d3f3cbc7b1f521a7e67acd4cf5

  • SHA512

    a44c6f824fee4dde24a37d9671bea3f621e734d05e3617cd29d7de7a350642868a03d054c9f30c989b73369b28cda661bc239d91356c054f34ab2fbdf998af4e

  • SSDEEP

    12288:FyeyA+762GP2WtqK6PkE9AbE6zFNmeS1DZ5RRvb55dwdlnu3vAb9oFTEYhQ/mqG:FyRr702PVQEaFNmeYDZ5RRvEkAb9ITAQ

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Fatura 002.xlam"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2124

Network

  • flag-us
    DNS
    240.76.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.76.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    uks-azsc-000.roaming.officeapps.live.com
    uks-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    IN A
    52.109.28.47
  • flag-gb
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.28.47:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_151
    X-OfficeVersion: 16.0.18122.30576
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    X-CorrelationId: b6ba9019-fe45-41e2-bc0f-e95bb335bb91
    X-Powered-By: ASP.NET
    Date: Tue, 01 Oct 2024 06:06:15 GMT
    Content-Length: 654
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    47.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.73.42.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75deploystaticakamaitechnologiescom
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • 52.109.28.47:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.9kB
     7.8kB
     12
    11

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 52.111.229.48:443
    322 B
     7
  • 8.8.8.8:53
    240.76.109.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    240.76.109.52.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
     244 B
     1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.28.47

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    47.28.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    47.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    26.73.42.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    26.73.42.20.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    1KB

    MD5

    6cee509e847b148cb7870cbed44ee033

    SHA1

    70b65ed461e82eda3069310e005958cce0f13ac4

    SHA256

    a4795b6d99750a1d141dc131db2ad1334dede6829c33218f7183656680a98b2a

    SHA512

    71b51c2a63d8eb7a22d1c669da01f48e4d4973311c75f3741cd56d6ac29dddb382757629cc750570ba36534e91efc3756a4b979193b97b59031043ce79f3ab6f

    Download Submit

  • memory/2124-15-0x00007FFC1F7C0000-0x00007FFC1F7D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-52-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-3-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-0-0x00007FFC61D6D000-0x00007FFC61D6E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-1-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-6-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-9-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-10-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-11-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-12-0x00007FFC1F7C0000-0x00007FFC1F7D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-8-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-18-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-2-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-14-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-13-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-17-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-16-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-7-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-29-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-28-0x00007FFC61D6D000-0x00007FFC61D6E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-30-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2124-4-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-54-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-53-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-5-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-55-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2124-56-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.