Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21/11/2024, 00:17 UTC
Behavioral task behavioral1
- Sample: 65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4.xls
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: 65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4.xls
- Resource: win10v2004-20241007-en
General
- Target: 65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4.xls
- Size: 126KB
- MD5: fda0b9d321be17519d9edc011dc4b0a8
- SHA1: 5c37cf50381e7b02f9ddcde6bc04805a71bce0a8
- SHA256: 65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4
- SHA512: 2e0d49366722a914c379c78157035c1316f8212e92edaec9df57ec100c47f3e3b3e43eff19e0d6a6a749a090fd34843a0b545144f642bd49fd9cf3850f39861c
- SSDEEP: 3072:LsKpbdrHYrMue8q7QPX+5xtekEdi8/dgR3Syz+nzQIceCRlCd:QKpbdrHYrMue8q7QPX+5xtFEdi8/dgR8
Malware Config
Extracted
- http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/
- http://izytalab.com/includes/1mafAX0kOa/
- https://pcsolutionss.com/zSlT4HR92TiOpw5NM/
- http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
- https://wpl28.realtyna.com/wp-content/0b0ny5cPM/
- http://www.efcballjoint.com/Template/AxEZPOfAa9/
Signatures
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | Process: EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid: 2344 | Process: EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid: 2344 | Process: EXCEL.EXE
  pid: 2344 | Process: EXCEL.EXE
  pid: 2344 | Process: EXCEL.EXE
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\65a6a5d6988fe0e1ac5a5bf6e145046f4f074ce1f459786aaac6629ec01891b4.xls
  PID: 2344
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
-
Remote address: 8.8.8.8:53
Request: med.devsrm.com IN A
Response: med.devsrm.com IN A 143.95.229.88
-
Remote address: 143.95.229.88:80
Request:
GET /wp-content/gtOOTHi3zkUbn8U6/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: med.devsrm.com
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Server: Apache
Vary: accept,content-type,Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://aleksasphotoblog.de/wp-json/>; rel="https://api.w.org/"
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Content-Encoding: gzip
Keep-Alive: timeout=5, max=75
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
Remote address: 8.8.8.8:53
Request: izytalab.com IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: pcsolutionss.com IN A
Response: pcsolutionss.com IN A 204.15.133.228
-
Remote address: 204.15.133.228:443
Request:
GET /zSlT4HR92TiOpw5NM/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: pcsolutionss.com
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
Remote address: 8.8.8.8:53
Request: www.doctorcasenave.com IN A
Response: www.doctorcasenave.com IN A 172.67.203.60
          www.doctorcasenave.com IN A 104.21.44.190
-
Remote address: 172.67.203.60:80
Request:
GET /wp-content/O2Z1HMebIXiHYBBS/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: www.doctorcasenave.com
Connection: Keep-Alive
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NsfV5OA%2B31ffY3vYmF4mudrBZdtTHxkpuuKuunAWaoyrYA5bKxMQBeIqZvkQhPg4TnOI6cBZnunmz6vWsxC0ob%2FK78qqMHxPKlCsq1JLM2bAxJkEVlDmqKnlgAqxLmHxFY8l6jKFk61V"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c7fe6c8533695-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60445&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=349&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address: 8.8.8.8:53
Request: doctorcasenave.com IN A
Response: doctorcasenave.com IN A 172.67.203.60
          doctorcasenave.com IN A 104.21.44.190
-
Remote address: 172.67.203.60:80
Request:
GET /wp-content/O2Z1HMebIXiHYBBS/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Connection: Keep-Alive
Host: doctorcasenave.com
Response:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://doctorcasenave.com/wp-json/>; rel="https://api.w.org/"
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qsYcPvUrMcWy3gQC5RPxBV2tCmrgb9VSHSmPsuj71jWALudVmkbU%2Bcy1q0%2B%2BJHr7lSwFOvjvtFySgol4wV%2FI%2Fis%2BojrP%2B2Yy7ZfT2Dpiaq3TmB2AyfXYELbT3im19n5wTuvO1yQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c7fea2e51ef54-LHR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60143&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=345&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address: 8.8.8.8:53
Request: wpl28.realtyna.com IN A
Response: wpl28.realtyna.com IN A 54.173.39.27
-
Remote address: 8.8.8.8:53
Request: www.efcballjoint.com IN A
Response: (none)
-
Remote address: 8.8.8.8:53
Request: www.microsoft.com IN A
Response: www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net
          www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
          www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net
          e13678.dscb.akamaiedge.net IN A 95.100.245.144
-
Remote address: 95.100.245.144:80
Request:
GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: 7ca9c103-d01e-0016-3fee-2ba13d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 21 Nov 2024 00:18:26 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV3b45ffe8.0
ms-cv-esi: CASMicrosoftCV3b45ffe8.0
X-RTag: RT
-
- 1.4kB 28.7kB 22 24
  HTTP Request: GET http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/
  HTTP Response: 404
- 1.2kB 4.8kB 11 9
  HTTP Request: GET https://pcsolutionss.com/zSlT4HR92TiOpw5NM/
  HTTP Response: 404
- 625 B 1.1kB 6 4
  HTTP Request: GET http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
  HTTP Response: 301
- 621 B 4.2kB 6 5
  HTTP Request: GET http://doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
  HTTP Response: 404
- 399 B 179 B 5 4
- 361 B 219 B 5 5
- 288 B 219 B 5 5
- 190 B 132 B 4 3
- 393 B 1.7kB 4 4
  HTTP Request: GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
  HTTP Response: 200
- 60 B 76 B 1 1
  DNS Request: med.devsrm.com
  DNS Response: 143.95.229.88
- 58 B 131 B 1 1
  DNS Request: izytalab.com
- 62 B 78 B 1 1
  DNS Request: pcsolutionss.com
  DNS Response: 204.15.133.228
- 68 B 100 B 1 1
  DNS Request: www.doctorcasenave.com
  DNS Response: 172.67.203.60, 104.21.44.190
- 64 B 96 B 1 1
  DNS Request: doctorcasenave.com
  DNS Response: 172.67.203.60, 104.21.44.190
- 64 B 80 B 1 1
  DNS Request: wpl28.realtyna.com
  DNS Response: 54.173.39.27
- 66 B 139 B 1 1
  DNS Request: www.efcballjoint.com
- 63 B 230 B 1 1
  DNS Request: www.microsoft.com
  DNS Response: 95.100.245.144
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b