Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
139s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
18/10/2021, 05:50 UTC
General
-
Target
fd4d1fc83330c5cf818e557ef882ca147ba98fee4128fe00bda07c6c2f79050a.exe
-
Size
900KB
-
MD5
22f5d12116ee1c11f3173f977bafc744
-
SHA1
f923b684397cb158ebd77b3d2a8e0365992867db
-
SHA256
fd4d1fc83330c5cf818e557ef882ca147ba98fee4128fe00bda07c6c2f79050a
-
SHA512
f628a0a9ebc0aa1c60e8a7bba9433bcf14216be064288aaf253965935d6b8ee310df11a72f559877cbfb3bb2aedb6c710f8d017ef8f36cfc5f71010de433500f
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd4d1fc83330c5cf818e557ef882ca147ba98fee4128fe00bda07c6c2f79050a.exe"C:\Users\Admin\AppData\Local\Temp\fd4d1fc83330c5cf818e557ef882ca147ba98fee4128fe00bda07c6c2f79050a.exe"1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1896 -s 15362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
-
DNSs.lletlee.comRemote address:8.8.8.8:53Requests.lletlee.comIN AResponses.lletlee.comIN A104.21.17.130s.lletlee.comIN A172.67.176.199 -
GEThttps://s.lletlee.com/tmp/aaa_v014.dllRemote address:104.21.17.130:443RequestGET /tmp/aaa_v014.dll HTTP/1.1
User-Agent: HTTPREAD
Host: s.lletlee.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 05:50:39 GMT
Content-Type: application/octet-stream
Content-Length: 1418365
Connection: keep-alive
last-modified: Fri, 15 Oct 2021 08:49:17 GMT
etag: "6169408d-15a47d"
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=F0ufrO1fOQ457pZtP%2BSao9S6a1TCf6LlMJwHwx0oeXxyZXUFMYdwoT9ctd4h9OVrAlcSkNECfgiMO9QP5NKg8%2F%2BYxq4VbhJu%2Fs1fklTHlb4lS20pMadyYKz1l9yRJB%2Bv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 69ff7d874f1b41c8-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60
viewport-width: 1920
Host: ip-api.com
ResponseHTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 05:50:39 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 56
X-Rl: 43
-
DNSts-crl.ws.symantec.comRemote address:8.8.8.8:53Requestts-crl.ws.symantec.comIN AResponsets-crl.ws.symantec.comIN CNAMEcrl-symcprod.digicert.comcrl-symcprod.digicert.comIN CNAMEcs9.wac.phicdn.netcs9.wac.phicdn.netIN A72.21.91.29
-
GEThttp://ts-crl.ws.symantec.com/sha256-tss-ca.crlRemote address:72.21.91.29:80RequestGET /sha256-tss-ca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ts-crl.ws.symantec.com
ResponseHTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 2731
Cache-Control: public, max-age=3600
Content-Type: application/pkix-crl
Date: Mon, 18 Oct 2021 05:51:03 GMT
Last-Modified: Mon, 18 Oct 2021 05:05:32 GMT
Server: ECS (bsa/EB1D)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 502
-
DNStime.windows.comRemote address:8.8.8.8:53Requesttime.windows.comIN AResponsetime.windows.comIN CNAMEtime.microsoft.akadns.nettime.microsoft.akadns.netIN A20.101.57.9
-
2.16.119.157:443 -
104.21.17.130:443https://s.lletlee.com/tmp/aaa_v014.dlltls, http
HTTP Request
GET https://s.lletlee.com/tmp/aaa_v014.dllHTTP Response
200 -
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
72.21.91.29:80http://ts-crl.ws.symantec.com/sha256-tss-ca.crlhttp
HTTP Request
GET http://ts-crl.ws.symantec.com/sha256-tss-ca.crlHTTP Response
200
-
8.8.8.8:53s.lletlee.comdns
DNS Request
s.lletlee.com
DNS Response
104.21.17.130172.67.176.199
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
8.8.8.8:53ts-crl.ws.symantec.comdns
DNS Request
ts-crl.ws.symantec.com
DNS Response
72.21.91.29
-
8.8.8.8:53time.windows.comdns
DNS Request
time.windows.com
DNS Response
20.101.57.9
-
20.101.57.9:123time.windows.comntp
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
-
Filesize
1.4MB