Analysis

  • max time kernel
    128s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    19/07/2020, 03:35 UTC

General

  • Target

    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe

  • Size

    100KB

  • MD5

    3695dce408bb68d79005f1a04ed12092

  • SHA1

    3f277ae5ff32dbe09a924f1b0c5772f72c701271

  • SHA256

    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9

  • SHA512

    e11680cf9d3205e12aace84b5a1ad4d9470fec4fac39237448ecbda57c358581374106e35bc82ec5ef797660185e5dd3ea85304008c73edadeed7be1739c3a45

Score
10/10

Malware Config

Extracted

Family

emotet

C2

rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    "C:\Users\Admin\AppData\Local\Temp\7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    PID:3264

Network

  • flag-unknown
    POST
    http://177.144.130.105:443/BoYAy/LUDzGNY/TrucN58ZGf8IwMtr/Pvm7GzHFaEhf7cUtHPF/
    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    Remote address:
    177.144.130.105:443
    Request
    POST /BoYAy/LUDzGNY/TrucN58ZGf8IwMtr/Pvm7GzHFaEhf7cUtHPF/ HTTP/1.1
    Referer: http://177.144.130.105/BoYAy/LUDzGNY/TrucN58ZGf8IwMtr/Pvm7GzHFaEhf7cUtHPF/
    Content-Type: multipart/form-data; boundary=---------------------------228309096666693
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 177.144.130.105:443
    Content-Length: 4484
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-unknown
    POST
    http://77.74.78.80:443/RMjLBfEq8tbr9D/
    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    Remote address:
    77.74.78.80:443
    Request
    POST /RMjLBfEq8tbr9D/ HTTP/1.1
    Referer: http://77.74.78.80/RMjLBfEq8tbr9D/
    Content-Type: multipart/form-data; boundary=---------------------------360935488899657
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 77.74.78.80:443
    Content-Length: 4500
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 19 Jul 2020 03:34:02 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 177.144.130.105:443
    http://177.144.130.105:443/BoYAy/LUDzGNY/TrucN58ZGf8IwMtr/Pvm7GzHFaEhf7cUtHPF/
    http
    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    5.4kB
    252 B
    9
    6

    HTTP Request

    POST http://177.144.130.105:443/BoYAy/LUDzGNY/TrucN58ZGf8IwMtr/Pvm7GzHFaEhf7cUtHPF/
  • 198.27.69.201:8080
    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    156 B
    120 B
    3
    3
  • 157.7.164.178:8081
    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    156 B
    120 B
    3
    3
  • 78.188.170.128:80
    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    156 B
    3
  • 203.153.216.178:7080
    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    156 B
    120 B
    3
    3
  • 77.74.78.80:443
    http://77.74.78.80:443/RMjLBfEq8tbr9D/
    http
    7ee53cd553219d5bfca5d5d371b7ec6e979428c4c9fc805a8338218f65a9a1d9.exe
    5.4kB
    660 B
    10
    9

    HTTP Request

    POST http://77.74.78.80:443/RMjLBfEq8tbr9D/

    HTTP Response

    200
  • 239.255.255.250:1900
    330 B
    2
  • 239.255.255.250:1900
  • 10.10.0.255:137
    netbios-ns
    288 B
    3
  • 10.10.0.22:137
    netbios-ns
    270 B
    3

Downloads

  • memory/3264-0-0x00000000009E0000-0x00000000009EC000-memory.dmp

    Filesize

    48KB

  • memory/3264-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB
