
Resubmissions

  • 22/09/2022, 17:12 UTC
    220922-vq3lzsfgek (score 10)
  • 19/09/2022, 07:28 UTC
    220919-jas7tsacak (score 10)

Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/09/2022, 17:12 UTC

General

  • Target

    f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe

  • Size

    159KB

  • MD5

    95749d6bae439efc267962c9bc3cb2d6

  • SHA1

    236763d6a739c9a68350c5e9775ea8723de2a916

  • SHA256

    f464ed5d98af0625c6c4678b916aa465f47a938e1cf4ad3bf5a95d129f8fb5f9

  • SHA512

    3ee8697c54d69b837f0f81979edde35049904d677a849cfcd943d45d2615581cc18e78318e8d5d35e75273d732d6e06545edca7a4000222c766b4d8789a95fc6

  • SSDEEP

    3072:Um/E8k9ZjpIL+zNch12KbAwSaSbJSp8Bb8EG:N/E8k91zz6/t88EG

Malware Config

Extracted

  • Family
    marsstealer
  • Botnet
    Default
  • C2
    gg.gemkan.online/gate.php

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe
    "C:\Users\Admin\AppData\Local\Temp\f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe"
    PID:1348
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1376
        PID:3228 (Program crash)
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1348 -ip 1348
    PID:2092
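Both WerFault.exe instances name the sample's PID 1348 through their -p switch, so the only observed activity after launch is the sample crashing. In a larger process list that correlation is what turns a generic "WerFault ran" event into "this binary from %TEMP% crashed". The script below is an added example for this report, not tria.ge code: the three process records are transcribed from the tree above, while the parser, the user-writable-directory policy and the crash_report output format are my own.

```python
"""Correlate WerFault.exe invocations with the crashed process and flag
crashes of binaries that were started from user-writable directories.
Added illustration; PIDs and command lines are copied from the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None


# Constructed from the report's process tree.
PROCESSES: List[Proc] = [
    Proc(1348,
         r"C:\Users\Admin\AppData\Local\Temp\f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe"'),
    Proc(3228, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1376", parent=1348),
    Proc(2092, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1348 -ip 1348"),
]

# Locations a standard user can write to (policy chosen for this example);
# a crash of an executable here matters more than one under Program Files.
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\|\\Users\\Public\\", re.I)


def werfault_target(cmdline: str) -> Optional[int]:
    """Return the PID named by WerFault's -p switch, or None if there is none.
    The pattern requires whitespace around -p so that -pss and -ip do not match."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def crash_report(procs: List[Proc]) -> Dict[int, dict]:
    """Map each crashed PID to its image, the WerFault PIDs that reference it,
    and whether the crashed image lived in a user-writable directory."""
    by_pid = {p.pid: p for p in procs}
    out: Dict[int, dict] = {}
    for p in procs:
        if not p.image.lower().endswith("\\werfault.exe"):
            continue
        target = werfault_target(p.cmdline)
        if target is None:
            continue
        victim = by_pid.get(target)
        entry = out.setdefault(target, {
            "image": victim.image if victim else None,
            "werfault_pids": [],
            "suspicious_location": bool(victim and USER_WRITABLE.search(victim.image)),
        })
        entry["werfault_pids"].append(p.pid)
    return out


if __name__ == "__main__":
    for pid, info in crash_report(PROCESSES).items():
        flag = "SUSPICIOUS" if info["suspicious_location"] else "ok"
        print(f"PID {pid} crashed ({flag}): {info['image']} -> WerFault {info['werfault_pids']}")
```

Run against the three records above it reports a single crash, PID 1348, referenced by WerFault PIDs 3228 and 2092, with the image under AppData\Local\Temp flagged as suspicious.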

      Network

      • DNS (country flag: US)
        gg.gemkan.online
        Remote address: 8.8.8.8:53
        Request: gg.gemkan.online IN A
        Response: gg.gemkan.online IN A 203.175.9.27
      • GET http://gg.gemkan.online/gate.php (country flag: ID)
        Process: f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe
        Remote address: 203.175.9.27:80
        Request
        GET /gate.php HTTP/1.1
        Host: gg.gemkan.online
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 302 Found
        Date: Thu, 22 Sep 2022 17:12:55 GMT
        Server: Apache
        Location: http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
        Content-Length: 233
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: text/html; charset=iso-8859-1
      • GET http://gg.gemkan.online/cgi-sys/suspendedpage.cgi (country flag: ID)
        Process: f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe
        Remote address: 203.175.9.27:80
        Request
        GET /cgi-sys/suspendedpage.cgi HTTP/1.1
        Host: gg.gemkan.online
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Date: Thu, 22 Sep 2022 17:12:55 GMT
        Server: Apache
        Vary: Accept-Encoding
        Keep-Alive: timeout=5, max=99
        Connection: Keep-Alive
        Transfer-Encoding: chunked
        Content-Type: text/html
      • GET http://gg.gemkan.online/request (country flag: ID)
        Process: f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe
        Remote address: 203.175.9.27:80
        Request
        GET /request HTTP/1.1
        Host: gg.gemkan.online
        Cache-Control: no-cache
        Response
        HTTP/1.1 302 Found
        Date: Thu, 22 Sep 2022 17:12:56 GMT
        Server: Apache
        Location: http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
        Content-Length: 233
        Content-Type: text/html; charset=iso-8859-1
      • GET http://gg.gemkan.online/cgi-sys/suspendedpage.cgi (country flag: ID)
        Process: f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe
        Remote address: 203.175.9.27:80
        Request
        GET /cgi-sys/suspendedpage.cgi HTTP/1.1
        Host: gg.gemkan.online
        Cache-Control: no-cache
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Thu, 22 Sep 2022 17:12:56 GMT
        Server: Apache
        Vary: Accept-Encoding
        Keep-Alive: timeout=5, max=97
        Connection: Keep-Alive
        Transfer-Encoding: chunked
        Content-Type: text/html

      Flows

      • 203.175.9.27:80
        URL: http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
        Protocol: http
        Process: f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe
        Sent: 1.1kB
        Received: 2.1kB
        Packets sent: 15
        Packets received: 13
        HTTP requests and responses:
          GET http://gg.gemkan.online/gate.php -> 302
          GET http://gg.gemkan.online/cgi-sys/suspendedpage.cgi -> 200
          GET http://gg.gemkan.online/request -> 302
          GET http://gg.gemkan.online/cgi-sys/suspendedpage.cgi -> 200
      • 8.8.8.8:53
        Host: gg.gemkan.online
        Protocol: dns
        Sent: 62 B
        Received: 78 B
        Packets sent: 1
        Packets received: 1
        DNS request: gg.gemkan.online
        DNS response: 203.175.9.27
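The four exchanges above show the sample's check-in shape: GET /gate.php and GET /request with Host and Cache-Control headers but no User-Agent at all, which browsers and almost every legitimate client send. Both were answered with a 302 to /cgi-sys/suspendedpage.cgi, the placeholder cPanel serves for a hosting account the provider has suspended, and the client followed the redirect and received that HTML. The inference for this run is that the C2 was not operational at analysis time, so no tasking or exfiltration beyond the initial beacon could be observed. The script below is an added example, not tria.ge or Mars Stealer code: the Flow records are transcribed from the capture above, while the Flow type, is_beacon, c2_state, extract_iocs and the suspended-page assumption are my own.

```python
"""Classify captured HTTP exchanges against the beacon shape this sample
produced and decide whether its C2 was reachable. Added illustration for the
report; the flow records below are transcribed from its Network section."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Flow:
    method: str
    path: str
    headers: Dict[str, str]                 # request headers as captured
    status: int
    resp_headers: Dict[str, str] = field(default_factory=dict)


# Constructed from the four request/response pairs in the report.
FLOWS: List[Flow] = [
    Flow("GET", "/gate.php",
         {"Host": "gg.gemkan.online", "Connection": "Keep-Alive", "Cache-Control": "no-cache"},
         302, {"Server": "Apache", "Location": "http://gg.gemkan.online/cgi-sys/suspendedpage.cgi"}),
    Flow("GET", "/cgi-sys/suspendedpage.cgi",
         {"Host": "gg.gemkan.online", "Connection": "Keep-Alive", "Cache-Control": "no-cache"},
         200, {"Server": "Apache", "Content-Type": "text/html"}),
    Flow("GET", "/request",
         {"Host": "gg.gemkan.online", "Cache-Control": "no-cache"},
         302, {"Server": "Apache", "Location": "http://gg.gemkan.online/cgi-sys/suspendedpage.cgi"}),
    Flow("GET", "/cgi-sys/suspendedpage.cgi",
         {"Host": "gg.gemkan.online", "Cache-Control": "no-cache", "Connection": "Keep-Alive"},
         200, {"Server": "Apache", "Content-Type": "text/html"}),
]

C2_HOST = "gg.gemkan.online"                   # from the extracted config
C2_PATHS = {"/gate.php", "/request"}           # paths the sample requested on the C2
SUSPENDED_PATH = "/cgi-sys/suspendedpage.cgi"  # cPanel suspended-account page (assumption)


def is_beacon(f: Flow) -> bool:
    """Beacon as seen in this capture: GET to a C2 path with a Host header
    and no User-Agent at all."""
    names = {k.lower() for k in f.headers}
    return (f.method == "GET" and f.path in C2_PATHS
            and "host" in names and "user-agent" not in names)


def c2_state(flows: List[Flow]) -> str:
    """'suspended' if a beacon was redirected to the hoster's suspended page,
    'live' if every beacon got a 200, 'no-beacon' if nothing matched."""
    beacons = [f for f in flows if is_beacon(f)]
    if not beacons:
        return "no-beacon"
    if any(b.status in (301, 302)
           and b.resp_headers.get("Location", "").endswith(SUSPENDED_PATH)
           for b in beacons):
        return "suspended"
    if all(b.status == 200 for b in beacons):
        return "live"
    return "unknown"


def extract_iocs(flows: List[Flow], host: str, ip: str) -> dict:
    """Network IOCs worth blocking: the host, its resolved IP and the beacon
    URLs only; the suspended page is the hoster's content, not the operator's."""
    urls: List[str] = []
    for f in flows:
        if is_beacon(f):
            url = f"http://{host}{f.path}"
            if url not in urls:
                urls.append(url)
    return {"host": host, "ip": ip, "urls": urls}


if __name__ == "__main__":
    print("C2 state:", c2_state(FLOWS))
    print("IOCs:", extract_iocs(FLOWS, C2_HOST, "203.175.9.27"))
```

On this capture c2_state returns "suspended" and the IOC list is the domain, 203.175.9.27 and the two beacon URLs; a capture in which /gate.php answered 200 would be classified "live", which is the case where a second-stage or exfiltration would be expected to follow.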

      MITRE ATT&CK Enterprise v6


      Downloads

      • memory/1348-132-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize: 244KB
      • memory/1348-133-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize: 244KB
