Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Purchase_S...ns.xll

windows7-x64

10

Purchase_S...ns.xll

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/11/2024, 16:00 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase_Specifications.xll

  • Size

    89KB

  • MD5

    bd3bc369b662a2a535dc0d2594cd5382

  • SHA1

    4a7fc4e0d97e530c197dee293187b46d3a6545aa

  • SHA256

    6a6694d8f20335031b678ac80057b40fc6b428e9c1eb5c6f013ee8673a3bdec2

  • SHA512

    1f2b27b086650206e5d3d02fd44750d4ab94017a4de310e34134dbcfb48f7afc5b6b0161c05db128b80814156523846e20e4e3e76400c98b8185939006203003

  • SSDEEP

    768:35WNN1P5o3lP+PCp9wDw7/4p8ZrlpDtBUIl3C:35cN3o3lP+PCp9wDherlpfUe

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase_Specifications.xll"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2364

Network

  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    frc-azsc-000.roaming.officeapps.live.com
    frc-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
    osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
    IN A
    52.109.68.129
  • flag-fr
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.68.129:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_250
    X-OfficeVersion: 16.0.18228.30578
    X-OfficeCluster: frc-000.roaming.officeapps.live.com
    X-CorrelationId: d513009d-9b46-4158-9b68-c59091cb6990
    X-Powered-By: ASP.NET
    Date: Tue, 12 Nov 2024 16:01:57 GMT
    Content-Length: 654
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    129.68.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    129.68.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    129.68.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    129.68.109.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    93.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    93.65.42.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.239.69.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.239.69.13.in-addr.arpa
    IN PTR
    Response
  • 52.109.68.129:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.7kB
     7.7kB
     11
    10

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
     250 B
     1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.68.129

  • 8.8.8.8:53
    97.32.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.32.109.52.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    142 B
     157 B
     2
    1

    DNS Request

    74.32.126.40.in-addr.arpa

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    129.68.109.52.in-addr.arpa
    dns
    144 B
     146 B
     2
    1

    DNS Request

    129.68.109.52.in-addr.arpa

    DNS Request

    129.68.109.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
     144 B
     2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    93.65.42.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    93.65.42.20.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    72.209.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    72.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    79.239.69.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    79.239.69.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2364-2-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2364-3-0x00007FFF69AED000-0x00007FFF69AEE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-4-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2364-5-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2364-1-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2364-8-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-12-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-11-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-10-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-9-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-7-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-6-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-0-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2364-14-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-13-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-16-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-18-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-17-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-15-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2364-19-0x00007FFF279D0000-0x00007FFF279E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2364-20-0x00007FFF279D0000-0x00007FFF279E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2364-30-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.