Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/01/2025, 11:47 UTC
Static task
static1
Behavioral task
behavioral1
Sample
RFQ # PC25-1301_1.xlsx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
RFQ # PC25-1301_1.xlsx
Resource
win10v2004-20241007-en
General
-
Target
RFQ # PC25-1301_1.xlsx
-
Size
1.8MB
-
MD5
d3f593571da9b55237a49f9c23a12d9a
-
SHA1
b3c9a6ca51802326e7de5a6854199fc369bc3b08
-
SHA256
ff07908a590dec7673c510ec4d0043d8825a54039e35b7c28c299f95c55336c3
-
SHA512
114950c12cc9fd0aa50544caed8fa0f710cc596c67ec90d3b5d2e1a72c18b5706b25ef3030949805be0e90bab31d6010fe6b0d1ab090e0651b0254482e113df8
-
SSDEEP
49152:OwVliPFnflCwADoUpbmepmSTKrks1l4FWQCMsx7/:Ow4dflKxpaepmS2rksiWQJsx7/
Malware Config
Extracted
formbook
4.1
hwu6
lf758.vip
locerin-hair.shop
vytech.net
pet-insurance-intl-7990489.live
thepolithat.buzz
d66dr114gl.bond
suv-deals-49508.bond
job-offer-53922.bond
drstone1.click
lebahsemesta57.click
olmanihousel.shop
piedmontcsb.info
trisula888x.top
66sodovna.net
dental-implants-83810.bond
imxtld.club
frozenpines.net
ffgzgbl.xyz
tlc7z.rest
alexismuller.design
6vay.boats
moocatinght.top
hafwje.bond
edmaker.online
simo1simo001.click
vbsdconsultant.click
ux-design-courses-53497.bond
victory88-pay.xyz
suarahati7.xyz
otzen.info
hair-transplantation-65829.bond
gequiltdesins.shop
inefity.cloud
jeeinsight.online
86339.xyz
stairr-lift-find.today
wdgb20.top
91uvq.pro
energyecosystem.app
8e5lr5i9zu.buzz
migraine-treatment-36101.bond
eternityzon.shop
43mjqdyetv.sbs
healthcare-software-74448.bond
bethlark.top
dangdut4dselalu.pro
04506.club
rider.vision
health-insurance-cake.world
apoppynote.com
11817e.com
hiefmotelkeokuk.top
sugatoken.xyz
aragamand.business
alifewithoutlimits.info
vibrantsoul.xyz
olarpanels-outlet.info
ozzd86fih4.online
skbdicat.xyz
cloggedpipes.net
ilsgroup.net
ptcnl.info
backstretch.store
maheshg.xyz
7b5846.online
Signatures
-
Formbook family
-
Formbook payload 3 IoCs
resource yara_rule behavioral1/memory/2740-13-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2740-15-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2652-21-0x00000000000B0000-0x00000000000DF000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
flow pid Process 4 2836 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2704 word.exe -
Loads dropped DLL 1 IoCs
pid Process 2836 EQNEDT32.EXE -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0009000000016db3-6.dat autoit_exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2704 set thread context of 2740 2704 word.exe 32 PID 2740 set thread context of 1232 2740 svchost.exe 21 PID 2740 set thread context of 1232 2740 svchost.exe 21 PID 2652 set thread context of 1232 2652 msiexec.exe 21 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language word.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2836 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3020 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 2740 svchost.exe 2740 svchost.exe 2740 svchost.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe 2652 msiexec.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 2704 word.exe 2740 svchost.exe 2740 svchost.exe 2740 svchost.exe 2740 svchost.exe 2652 msiexec.exe 2652 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2740 svchost.exe Token: SeDebugPrivilege 2652 msiexec.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2704 word.exe 2704 word.exe 1232 Explorer.EXE 1232 Explorer.EXE 1232 Explorer.EXE 1232 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 2704 word.exe 2704 word.exe 1232 Explorer.EXE 1232 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3020 EXCEL.EXE 3020 EXCEL.EXE 3020 EXCEL.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2836 wrote to memory of 2704 2836 EQNEDT32.EXE 31 PID 2836 wrote to memory of 2704 2836 EQNEDT32.EXE 31 PID 2836 wrote to memory of 2704 2836 EQNEDT32.EXE 31 PID 2836 wrote to memory of 2704 2836 EQNEDT32.EXE 31 PID 2704 wrote to memory of 2740 2704 word.exe 32 PID 2704 wrote to memory of 2740 2704 word.exe 32 PID 2704 wrote to memory of 2740 2704 word.exe 32 PID 2704 wrote to memory of 2740 2704 word.exe 32 PID 2704 wrote to memory of 2740 2704 word.exe 32 PID 2740 wrote to memory of 2652 2740 svchost.exe 33 PID 2740 wrote to memory of 2652 2740 svchost.exe 33 PID 2740 wrote to memory of 2652 2740 svchost.exe 33 PID 2740 wrote to memory of 2652 2740 svchost.exe 33 PID 2740 wrote to memory of 2652 2740 svchost.exe 33 PID 2740 wrote to memory of 2652 2740 svchost.exe 33 PID 2740 wrote to memory of 2652 2740 svchost.exe 33 PID 2652 wrote to memory of 2556 2652 msiexec.exe 34 PID 2652 wrote to memory of 2556 2652 msiexec.exe 34 PID 2652 wrote to memory of 2556 2652 msiexec.exe 34 PID 2652 wrote to memory of 2556 2652 msiexec.exe 34
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232 -
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\RFQ # PC25-1301_1.xlsx"2⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3020
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Users\Admin\AppData\Roaming\word.exeC:\Users\Admin\AppData\Roaming\word.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\svchost.exeC:\Users\Admin\AppData\Roaming\word.exe3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\svchost.exe"5⤵
- System Location Discovery: System Language Discovery
PID:2556
-
-
-
-
Network
-
Remote address:8.8.8.8:53Requestcombo.s3.eu-north-1.amazonaws.comIN AResponsecombo.s3.eu-north-1.amazonaws.comIN CNAMEs3-r-w.eu-north-1.amazonaws.coms3-r-w.eu-north-1.amazonaws.comIN A3.5.217.48s3-r-w.eu-north-1.amazonaws.comIN A16.12.11.46
-
Remote address:3.5.217.48:80RequestGET /arkobral2.1.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: combo.s3.eu-north-1.amazonaws.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
x-amz-request-id: XEZMQ2PGYQ9CMRJ3
Date: Thu, 16 Jan 2025 11:47:07 GMT
Last-Modified: Thu, 16 Jan 2025 06:34:07 GMT
ETag: "a4c3a8129428b0447fbe11d005d1e04b"
x-amz-server-side-encryption: AES256
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Content-Length: 1795072
Server: AmazonS3
-
Remote address:8.8.8.8:53Requestwww.aragamand.businessIN AResponsewww.aragamand.businessIN A172.67.151.125www.aragamand.businessIN A104.21.0.245
-
Remote address:8.8.8.8:53Requestwww.aragamand.businessIN A
-
Remote address:8.8.8.8:53Requestwww.aragamand.businessIN A
-
GEThttp://www.aragamand.business/hwu6/?K6AhK=xk9YjkKWA042zWNVZdBLMfyAcf1Gj8c1HwCRn2uRiiziDpL8ULKNdMUsBiOE8o4=&aBZPdF=D6AhchX0Explorer.EXERemote address:172.67.151.125:80RequestGET /hwu6/?K6AhK=xk9YjkKWA042zWNVZdBLMfyAcf1Gj8c1HwCRn2uRiiziDpL8ULKNdMUsBiOE8o4=&aBZPdF=D6AhchX0 HTTP/1.1
Host: www.aragamand.business
Connection: close
-
Remote address:8.8.8.8:53Requestwww.lebahsemesta57.clickIN AResponsewww.lebahsemesta57.clickIN CNAMElebahsemesta57.clicklebahsemesta57.clickIN A198.252.111.49
-
GEThttp://www.lebahsemesta57.click/hwu6/?K6AhK=ODu4ekQJ0ce3S7aXxGg3+RhzvddFzZrUq5Bx/g1oT9XXpz5E6bRw28Rueiho5q0=&aBZPdF=D6AhchX0Explorer.EXERemote address:198.252.111.49:80RequestGET /hwu6/?K6AhK=ODu4ekQJ0ce3S7aXxGg3+RhzvddFzZrUq5Bx/g1oT9XXpz5E6bRw28Rueiho5q0=&aBZPdF=D6AhchX0 HTTP/1.1
Host: www.lebahsemesta57.click
Connection: close
ResponseHTTP/1.1 404 Not Found
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Thu, 16 Jan 2025 11:48:23 GMT
server: LiteSpeed
-
Remote address:8.8.8.8:53Requestwww.olmanihousel.shopIN AResponsewww.olmanihousel.shopIN CNAMEshops.myshopify.comshops.myshopify.comIN A23.227.38.74
-
GEThttp://www.olmanihousel.shop/hwu6/?K6AhK=aCxNSDvn7jd88IWbH9h6Q7ktXWpcIqU0HtWWCVPyf0vX7CEjLldxQZMX9pkYvz0=&aBZPdF=D6AhchX0Explorer.EXERemote address:23.227.38.74:80RequestGET /hwu6/?K6AhK=aCxNSDvn7jd88IWbH9h6Q7ktXWpcIqU0HtWWCVPyf0vX7CEjLldxQZMX9pkYvz0=&aBZPdF=D6AhchX0 HTTP/1.1
Host: www.olmanihousel.shop
Connection: close
ResponseHTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 4517
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Thu, 16 Jan 2025 11:48:59 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n73iEfnczrI5np0UUfhWv98b9h5k7mB92JFPy79KwOEZfLQbY6Uao5vqGo7sX5NNKRPtapYugU1CvAoObblu%2BdgisWHHtuAAd7wiyZjHclx1GrzGFZShwNIbjVIB7BLk5DBw2Ct71w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Server-Timing: cfRequestDuration;dur=42.000055
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Download-Options: noopen
Server: cloudflare
CF-RAY: 902de0d0aca2cd35-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Requestwww.7b5846.onlineIN AResponsewww.7b5846.onlineIN A104.21.40.196www.7b5846.onlineIN A172.67.188.70
-
GEThttp://www.7b5846.online/hwu6/?K6AhK=YeF1y3EySuVcFQ9tXeh75tBAyvfTx5aO3+vngk/DjMG5ar2UMvTYBQlLOVrkwFg=&aBZPdF=D6AhchX0Explorer.EXERemote address:104.21.40.196:80RequestGET /hwu6/?K6AhK=YeF1y3EySuVcFQ9tXeh75tBAyvfTx5aO3+vngk/DjMG5ar2UMvTYBQlLOVrkwFg=&aBZPdF=D6AhchX0 HTTP/1.1
Host: www.7b5846.online
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 12:49:04 GMT
Location: https://7b5846.live
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BPEPuJ75g2Fqp%2BukC0FqJY5oSzKX3CrFl84Ll1AkR0xN6B9d3wbp7aglwbqK9fACEIUjro%2Bz0TTNrflgc4%2FfUFlC1xqX4Vq8EacdOgsSE7BHIEYKSEjtQUjRSyd3rW7blCulmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902de14fa938652d-LHR
-
Remote address:8.8.8.8:53Requestwww.skbdicat.xyzIN AResponse
-
58.8kB 1.9MB 1023 1390
HTTP Request
GET http://combo.s3.eu-north-1.amazonaws.com/arkobral2.1.exeHTTP Response
200 -
172.67.151.125:80http://www.aragamand.business/hwu6/?K6AhK=xk9YjkKWA042zWNVZdBLMfyAcf1Gj8c1HwCRn2uRiiziDpL8ULKNdMUsBiOE8o4=&aBZPdF=D6AhchX0httpExplorer.EXE860 B 196 B 8 4
HTTP Request
GET http://www.aragamand.business/hwu6/?K6AhK=xk9YjkKWA042zWNVZdBLMfyAcf1Gj8c1HwCRn2uRiiziDpL8ULKNdMUsBiOE8o4=&aBZPdF=D6AhchX0 -
198.252.111.49:80http://www.lebahsemesta57.click/hwu6/?K6AhK=ODu4ekQJ0ce3S7aXxGg3+RhzvddFzZrUq5Bx/g1oT9XXpz5E6bRw28Rueiho5q0=&aBZPdF=D6AhchX0httpExplorer.EXE398 B 1.2kB 5 5
HTTP Request
GET http://www.lebahsemesta57.click/hwu6/?K6AhK=ODu4ekQJ0ce3S7aXxGg3+RhzvddFzZrUq5Bx/g1oT9XXpz5E6bRw28Rueiho5q0=&aBZPdF=D6AhchX0HTTP Response
404 -
23.227.38.74:80http://www.olmanihousel.shop/hwu6/?K6AhK=aCxNSDvn7jd88IWbH9h6Q7ktXWpcIqU0HtWWCVPyf0vX7CEjLldxQZMX9pkYvz0=&aBZPdF=D6AhchX0httpExplorer.EXE487 B 5.7kB 7 8
HTTP Request
GET http://www.olmanihousel.shop/hwu6/?K6AhK=aCxNSDvn7jd88IWbH9h6Q7ktXWpcIqU0HtWWCVPyf0vX7CEjLldxQZMX9pkYvz0=&aBZPdF=D6AhchX0HTTP Response
403 -
104.21.40.196:80http://www.7b5846.online/hwu6/?K6AhK=YeF1y3EySuVcFQ9tXeh75tBAyvfTx5aO3+vngk/DjMG5ar2UMvTYBQlLOVrkwFg=&aBZPdF=D6AhchX0httpExplorer.EXE391 B 996 B 5 5
HTTP Request
GET http://www.7b5846.online/hwu6/?K6AhK=YeF1y3EySuVcFQ9tXeh75tBAyvfTx5aO3+vngk/DjMG5ar2UMvTYBQlLOVrkwFg=&aBZPdF=D6AhchX0HTTP Response
301
-
79 B 132 B 1 1
DNS Request
combo.s3.eu-north-1.amazonaws.com
DNS Response
3.5.217.4816.12.11.46
-
204 B 100 B 3 1
DNS Request
www.aragamand.business
DNS Request
www.aragamand.business
DNS Request
www.aragamand.business
DNS Response
172.67.151.125104.21.0.245
-
70 B 100 B 1 1
DNS Request
www.lebahsemesta57.click
DNS Response
198.252.111.49
-
67 B 116 B 1 1
DNS Request
www.olmanihousel.shop
DNS Response
23.227.38.74
-
63 B 95 B 1 1
DNS Request
www.7b5846.online
DNS Response
104.21.40.196172.67.188.70
-
62 B 62 B 1 1
DNS Request
www.skbdicat.xyz
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5a4c3a8129428b0447fbe11d005d1e04b
SHA1003981a4a1fae8444bf94214045da837e9b545ad
SHA256daab245fae21bc5fe9a8ea52e9770b22d12e66a4fbfc1bc1ca027f200da20f2f
SHA5122c5d40db81eeab537eb1ab0ec8dbc1fd78f15969fbf4ec0d5ad2ae24f55aa2948f0bbd3dfbf7ef6444a7da5b1aa7b2584a4c86bc5322d3d647ca3da9ffe0003a