
Analysis

  • max time kernel
    134s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    07/07/2020, 06:24 UTC

General

  • Target
    b1843967b94d29f088ec35143ad94e6e.exe
  • Size
    412KB
  • MD5
    b1843967b94d29f088ec35143ad94e6e
  • SHA1
    013aa99862c45afe518018a4ca5d8b230f94d0da
  • SHA256
    12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960
  • SHA512
    1c3a083b48cc8329cee05aa3ac24aadee65e21626f965623fee8fc7779ecdaaeb7096cb7744712a3fccb4a1c9e6231c7b61fd0541e4eb4131a33d1cf14f09ad5

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Checks for installed software on the system 1 TTPs 30 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1843967b94d29f088ec35143ad94e6e.exe
    "C:\Users\Admin\AppData\Local\Temp\b1843967b94d29f088ec35143ad94e6e.exe"
    PID:1400
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Checks for installed software on the system

Network

  • flag-unknown
    DNS
    tikkirikki.space
    Remote address:
    8.8.8.8:53
    Request
    tikkirikki.space
    IN A
    Response
    tikkirikki.space
    IN A
    172.67.221.174
    tikkirikki.space
    IN A
    104.18.58.9
    tikkirikki.space
    IN A
    104.18.59.9
  • flag-unknown
    GET
    https://tikkirikki.space/api.php
    b1843967b94d29f088ec35143ad94e6e.exe
    Remote address:
    172.67.221.174:443
    Request
    GET /api.php HTTP/1.1
    Host: tikkirikki.space
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 07 Jul 2020 06:24:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: __cfduid=dc2e4099f9c7df2b9c0f543d618d7d6b01594103071; expires=Thu, 06-Aug-20 06:24:31 GMT; path=/; domain=.tikkirikki.space; HttpOnly; SameSite=Lax; Secure
    Strict-Transport-Security: max-age=31536000; preload
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    cf-request-id: 03c98b999d0000fa20ac050200000001
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Server: cloudflare
    CF-RAY: 5aef7ba29ef5fa20-AMS
  • flag-unknown
    POST
    https://tikkirikki.space/index.php
    b1843967b94d29f088ec35143ad94e6e.exe
    Remote address:
    172.67.221.174:443
    Request
    POST /index.php HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accepts-Language: en-us,en;q=0.5
    Content-Type: multipart/form-data; boundary=-------------------------8d8224f1e77ddd0
    Host: tikkirikki.space
    Content-Length: 502972
    Expect: 100-continue
    Response
    HTTP/1.1 100 Continue
  • flag-unknown
    DNS
    b1843967b94d29f088ec35143ad94e6e.exe
    Remote address:
    172.67.221.174:443
    Response
    HTTP/1.1 200 OK
    Date: Tue, 07 Jul 2020 06:24:38 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: __cfduid=da687390bc5d514460f5ad7c5d513680e1594103078; expires=Thu, 06-Aug-20 06:24:38 GMT; path=/; domain=.tikkirikki.space; HttpOnly; SameSite=Lax; Secure
    Strict-Transport-Security: max-age=31536000; preload
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    cf-request-id: 03c98bb5cf0000fa20ac133200000001
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Server: cloudflare
    CF-RAY: 5aef7bcfb9a3fa20-AMS
  • 172.67.221.174:443
    https://tikkirikki.space/index.php
    tls, http
    b1843967b94d29f088ec35143ad94e6e.exe
    519.9kB
    14.7kB
    373
    196

    HTTP Request

    GET https://tikkirikki.space/api.php

    HTTP Response

    200

    HTTP Request

    POST https://tikkirikki.space/index.php

    HTTP Response

    100

    HTTP Response

    200
  • 10.7.0.255:137
    netbios-ns
    390 B
    5
  • 224.0.0.252:5355
    100 B
    2
  • 8.8.8.8:53
    tikkirikki.space
    dns
    62 B
    110 B
    1
    1

    DNS Request

    tikkirikki.space

    DNS Response

    172.67.221.174
    104.18.58.9
    104.18.59.9

  • 239.255.255.250:1900
    966 B
    6

MITRE ATT&CK Enterprise v6
