Resubmissions

  • 20/01/2025, 14:15 UTC: 250120-rkxxrstjhp (score 1/10, this analysis)
  • 21/11/2024, 08:38 UTC: 241121-kjv88azqfs (score 10/10)

Analysis

  • max time kernel
    92s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2025, 14:15 UTC

General

  • Target

    d4bb6fcd2077fab4abe6012089f2bffbee52b0cc5b69ccc2b5e250672bee25be.xls

  • Size

    1.1MB

  • MD5

    2eb01e0a87e7c2c842bce6d75f34e083

  • SHA1

    df9ae618023a951ebacb254ec51ac1306c87cc73

  • SHA256

    d4bb6fcd2077fab4abe6012089f2bffbee52b0cc5b69ccc2b5e250672bee25be

  • SHA512

    3a3f9649ef09b2b01dbabd2ca1c3291272590bb7ef56899eee58e058242ccb5b498e2e30cf302abc97cc2f6ec1dfe930d15d29a8ed2444108e204519d966735d

  • SSDEEP

    24576:/uq9PLiijE2Z5Z2amC/gY/tMJE8F84LJQohy5bLFqQEbG1jcu:/uEPLiij7Z5ZK0g8tMpFjLJQohy5VqLQ

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d4bb6fcd2077fab4abe6012089f2bffbee52b0cc5b69ccc2b5e250672bee25be.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4816

Network

  • DNS (8.8.8.8:53) PTR 8.8.8.8.in-addr.arpa → dns.google
  • DNS (8.8.8.8:53) PTR 241.150.49.20.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53) PTR 172.210.232.199.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53) PTR 18.89.109.52.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53, EXCEL.EXE) A roaming.officeapps.live.com
    CNAME prod.roaming1.live.com.akadns.net → eur.roaming1.live.com.akadns.net → uks-azsc-000.roaming.officeapps.live.com → osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    A 52.109.28.47
  • HTTP (EXCEL.EXE) POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    Remote address: 52.109.28.47:443 (GB)
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_1
    X-OfficeVersion: 16.0.18510.30576
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    Content-Security-Policy-Report-Only: script-src 'nonce-+DA6ESD9OkjuHi6ICkkO+TK9mLIbj6wMzAqAI+FNoPJRTbEW52rhRRuyo8G8/JAj46ku5k0bgjq9k9x0kOMp1hbz37vj5IRbUm6D2lVDIImlGQz4Dd+OkQLxgjfiS8LVqa3L8i7Q48HEG7RXhtEMEzGYQwBNMY2tU9fgeu2CMw4=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod; frame-ancestors 'none';
    X-Frame-Options: Deny
    X-CorrelationId: c54352fb-f32f-40e0-8e6a-387c4142b33a
    X-Powered-By: ASP.NET
    Date: Mon, 20 Jan 2025 14:15:59 GMT
    Content-Length: 654
  • DNS (8.8.8.8:53, EXCEL.EXE) A provit.uk → 198.244.140.41
  • HTTP (EXCEL.EXE) GET https://provit.uk/01acYO?&oven=robust&gray=poised&sourwood=defeated&eyelashes=energetic&study=fanatical&hot
    Remote address: 198.244.140.41:443 (GB)
    Request
    GET /01acYO?&oven=robust&gray=poised&sourwood=defeated&eyelashes=energetic&study=fanatical&hot HTTP/2.0
    host: provit.uk
    accept: */*
    ua-cpu: AMD64
    accept-encoding: gzip, deflate
    user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Response
    HTTP/2.0 302
    content-type: text/plain; charset=utf-8
    cross-origin-opener-policy: same-origin
    cross-origin-resource-policy: same-origin
    date: Mon, 20 Jan 2025 14:16:01 GMT
    location: http://107.173.4.61/xampp/mt/generatethebstgoodpeoplesaroundtheworldwithgood.hta
    origin-agent-cluster: ?1
    referrer-policy: no-referrer
    strict-transport-security: max-age=15552000; includeSubDomains
    vary: Accept
    x-content-type-options: nosniff
    x-dns-prefetch-control: off
    x-download-options: noopen
    x-frame-options: SAMEORIGIN
    x-permitted-cross-domain-policies: none
    x-xss-protection: 0
    content-length: 102
  • DNS (8.8.8.8:53) PTR 47.28.109.52.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53) PTR 167.173.78.104.in-addr.arpa → a104-78-173-167.deploy.static.akamaitechnologies.com
  • DNS (8.8.8.8:53) PTR 41.140.244.198.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53, EXCEL.EXE) A r10.o.lencr.org
    CNAME o.lencr.edgesuite.net → a1887.dscq.akamai.net
    A 2.18.190.203
    A 2.18.190.211
  • HTTP (EXCEL.EXE) GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgQ9sLnKdzmPvbUGCW0kKrVeag%3D%3D
    Remote address: 2.18.190.203:80 (GB)
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgQ9sLnKdzmPvbUGCW0kKrVeag%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: r10.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 504
    ETag: "C03545A85D19EBA4A83299365CB912D643CB7928C5083A5F266BB7948A83ABF8"
    Last-Modified: Mon, 20 Jan 2025 07:58:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=21582
    Expires: Mon, 20 Jan 2025 20:15:43 GMT
    Date: Mon, 20 Jan 2025 14:16:01 GMT
    Connection: keep-alive
  • DNS (8.8.8.8:53) PTR 128.177.206.23.in-addr.arpa → a23-206-177-128.deploy.static.akamaitechnologies.com
  • DNS (8.8.8.8:53) PTR 203.190.18.2.in-addr.arpa → a2-18-190-203.deploy.static.akamaitechnologies.com
  • DNS (8.8.8.8:53) PTR 71.159.190.20.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53) PTR 154.239.44.20.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53) PTR 27.73.42.20.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53) PTR 206.23.85.13.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53) PTR 56.163.245.4.in-addr.arpa → (empty response)
  • DNS (8.8.8.8:53) PTR 29.243.111.52.in-addr.arpa → (empty response)
Connections (tx = bytes / packets sent by the sandbox VM, rx = bytes / packets received)

  • 52.109.28.47:443  tls, http  EXCEL.EXE  tx 1.8kB / 12 pkts  rx 8.2kB / 11 pkts
    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc → 200
  • 198.244.140.41:443  tls, http2  EXCEL.EXE  tx 1.5kB / 19 pkts  rx 5.0kB / 14 pkts
    GET https://provit.uk/01acYO?&oven=robust&gray=poised&sourwood=defeated&eyelashes=energetic&study=fanatical&hot → 302
  • 2.18.190.203:80  http  EXCEL.EXE  tx 516 B / 6 pkts  rx 1.1kB / 4 pkts
    GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgQ9sLnKdzmPvbUGCW0kKrVeag%3D%3D → 200
  • 107.173.4.61:80  EXCEL.EXE  tx 260 B / 5 pkts  rx (none recorded)
    No HTTP request or response recorded; this is the host named in the provit.uk 302 Location header.
  • 8.8.8.8:53  dns  tx 66 B / 1 pkt  rx 90 B / 1 pkt  query 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53  dns  tx 72 B / 1 pkt  rx 158 B / 1 pkt  query 241.150.49.20.in-addr.arpa
  • 8.8.8.8:53  dns  tx 74 B / 1 pkt  rx 128 B / 1 pkt  query 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53  dns  tx 71 B / 1 pkt  rx 145 B / 1 pkt  query 18.89.109.52.in-addr.arpa
  • 8.8.8.8:53  dns  EXCEL.EXE  tx 73 B / 1 pkt  rx 244 B / 1 pkt  query roaming.officeapps.live.com → 52.109.28.47
  • 8.8.8.8:53  dns  EXCEL.EXE  tx 55 B / 1 pkt  rx 71 B / 1 pkt  query provit.uk → 198.244.140.41
  • 8.8.8.8:53  dns  tx 71 B / 1 pkt  rx 145 B / 1 pkt  query 47.28.109.52.in-addr.arpa
  • 8.8.8.8:53  dns  tx 73 B / 1 pkt  rx 139 B / 1 pkt  query 167.173.78.104.in-addr.arpa
  • 8.8.8.8:53  dns  tx 73 B / 1 pkt  rx 128 B / 1 pkt  query 41.140.244.198.in-addr.arpa
  • 8.8.8.8:53  dns  EXCEL.EXE  tx 61 B / 1 pkt  rx 160 B / 1 pkt  query r10.o.lencr.org → 2.18.190.203, 2.18.190.211
  • 8.8.8.8:53  dns  tx 73 B / 1 pkt  rx 139 B / 1 pkt  query 128.177.206.23.in-addr.arpa
  • 8.8.8.8:53  dns  tx 71 B / 1 pkt  rx 135 B / 1 pkt  query 203.190.18.2.in-addr.arpa
  • 8.8.8.8:53  dns  tx 72 B / 1 pkt  rx 158 B / 1 pkt  query 71.159.190.20.in-addr.arpa
  • 8.8.8.8:53  dns  tx 72 B / 1 pkt  rx 158 B / 1 pkt  query 154.239.44.20.in-addr.arpa
  • 8.8.8.8:53  dns  tx 70 B / 1 pkt  rx 156 B / 1 pkt  query 27.73.42.20.in-addr.arpa
  • 8.8.8.8:53  dns  tx 71 B / 1 pkt  rx 145 B / 1 pkt  query 206.23.85.13.in-addr.arpa
  • 8.8.8.8:53  dns  tx 71 B / 1 pkt  rx 157 B / 1 pkt  query 56.163.245.4.in-addr.arpa
  • 8.8.8.8:53  dns  tx 72 B / 1 pkt  rx 158 B / 1 pkt  query 29.243.111.52.in-addr.arpa

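The security-relevant chain in the network data above is: EXCEL.EXE resolves provit.uk, fetches a URL padded with dictionary-word query parameters (with urlmon's MSIE 7.0/Trident user agent), and receives a 302 whose Location is an .hta file on a bare IP over plain HTTP. The connection table then shows 260 B in 5 packets sent to 107.173.4.61:80 with nothing received and no HTTP exchange, so the second stage was never retrieved in this run; the page does not show the packets, but that pattern is what unanswered connection attempts look like. The same sample's 21/11/2024 resubmission lists a score of 10 while this run scored 1, which is the caveat: a verdict that depends on the payload host being up is not reproducible. The triage helper below is an added example, not part of the tria.ge report or of any project's code; it encodes the chain as checks that run over the redirect alone. The EVENTS list is constructed from the three HTTP exchanges above, and the benign-host allow-list and the "word salad" query heuristic are assumptions made for the example.

```python
"""Added triage helper (not part of the tria.ge report): flag Office-process
HTTP fetches whose redirect lands on a script payload. EVENTS is constructed
by hand from the three HTTP exchanges in the report above."""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Office binaries that, absent a macro or external link, talk only to Microsoft/CA infrastructure.
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
# Extensions that end in script execution when handed to an Office-spawned downloader.
SCRIPT_EXTS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".lnk", ".cmd", ".bat")
# Assumption: first-party hosts from this run's benign traffic (Office roaming settings,
# Let's Encrypt OCSP). Anything else an Office process fetches is treated as external.
KNOWN_BENIGN = re.compile(r"(^|\.)(officeapps\.live\.com|lencr\.org)$", re.IGNORECASE)
REDIRECTS = {301, 302, 303, 307, 308}

EVENTS = [  # constructed from the report; only the headers the checks use are kept
    {"process": "EXCEL.EXE", "method": "POST", "status": 200,
     "url": "https://roaming.officeapps.live.com/rs/RoamingSoapService.svc",
     "response_headers": {}},
    {"process": "EXCEL.EXE", "method": "GET", "status": 302,
     "url": "https://provit.uk/01acYO?&oven=robust&gray=poised&sourwood=defeated"
            "&eyelashes=energetic&study=fanatical&hot",
     "response_headers": {"location": "http://107.173.4.61/xampp/mt/"
                                      "generatethebstgoodpeoplesaroundtheworldwithgood.hta"}},
    {"process": "EXCEL.EXE", "method": "GET", "status": 200,
     "url": "http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8J"
            "ZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgQ9sLnKdzmPvbUGCW0kKrVeag%3D%3D",
     "response_headers": {}},
]


def is_bare_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def word_salad_query(query):
    """Heuristic (an assumption, not a published rule): four or more key=value pairs that
    are all plain alphabetic words, as in the provit.uk URL above."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return len(pairs) >= 4 and all(k.isalpha() and (v == "" or v.isalpha()) for k, v in pairs)


def assess(event):
    """Return the list of findings for one HTTP event; an empty list means nothing to report."""
    findings = []
    url = urlsplit(event["url"])
    host = url.hostname or ""
    if event.get("process", "").lower() not in OFFICE_PROCS or KNOWN_BENIGN.search(host):
        return findings
    findings.append("office-process-external-fetch " + host)
    if word_salad_query(url.query):
        findings.append("word-salad-query")
    location = event.get("response_headers", {}).get("location")
    if event.get("status") in REDIRECTS and location:
        target = urlsplit(location)
        thost = target.hostname or ""
        if target.path.lower().endswith(SCRIPT_EXTS):
            findings.append("redirect-to-script-payload " + location)
        if is_bare_ip(thost):
            findings.append("redirect-to-bare-ip " + thost)
        if url.scheme == "https" and target.scheme == "http":
            findings.append("tls-to-plaintext-downgrade")
    return findings


def triage(events):
    """Rank events with findings, most findings first; clean events are dropped."""
    scored = [(e["url"], assess(e)) for e in events]
    return sorted([s for s in scored if s[1]], key=lambda s: len(s[1]), reverse=True)


if __name__ == "__main__":
    for url, findings in triage(EVENTS):
        print(url)
        for finding in findings:
            print("   ", finding)
```

The checks deliberately never touch the redirect target: the point of reading the 302 rather than following it is that the verdict stays the same whether or not 107.173.4.61 answers, which is exactly where the 1/10 and 10/10 runs of this sample diverge.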
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

    Filesize

    671B

    MD5

    727047ec8e43bb8916e027474f5fd477

    SHA1

    8480b48d1bd2bbfde686df6d7ab2d42c0c691008

    SHA256

    6fba0fe64917c79d7d777548a1e53c6c0c8e381e40a2f6a10b6b1caea8848b61

    SHA512

    17735350b83949bdf19b5276c46f2c3d3a5f4f3ab051246340143a117c6577eb6ab4887e7dce88f32736f76f77cd27e0cf5d3ce6f9b56ebde6588d7f57b34c25

  • memory/4816-14-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-16-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-1-0x00007FFDBCEED000-0x00007FFDBCEEE000-memory.dmp

    Filesize

    4KB

  • memory/4816-2-0x00007FFD7CED0000-0x00007FFD7CEE0000-memory.dmp

    Filesize

    64KB

  • memory/4816-5-0x00007FFD7CED0000-0x00007FFD7CEE0000-memory.dmp

    Filesize

    64KB

  • memory/4816-8-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-9-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-7-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-13-0x00007FFD7A6B0000-0x00007FFD7A6C0000-memory.dmp

    Filesize

    64KB

  • memory/4816-0-0x00007FFD7CED0000-0x00007FFD7CEE0000-memory.dmp

    Filesize

    64KB

  • memory/4816-3-0x00007FFD7CED0000-0x00007FFD7CEE0000-memory.dmp

    Filesize

    64KB

  • memory/4816-12-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-15-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-17-0x00007FFD7A6B0000-0x00007FFD7A6C0000-memory.dmp

    Filesize

    64KB

  • memory/4816-11-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-10-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-6-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-34-0x00007FFDBCEED000-0x00007FFDBCEEE000-memory.dmp

    Filesize

    4KB

  • memory/4816-35-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-36-0x00007FFDBCE50000-0x00007FFDBD045000-memory.dmp

    Filesize

    2.0MB

  • memory/4816-4-0x00007FFD7CED0000-0x00007FFD7CEE0000-memory.dmp

    Filesize

    64KB
