Analysis

  • max time kernel
    130s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20220901-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    04/10/2022, 03:39 UTC

General

  • Target

    21e7c7759adc4d5968c0979bb623e7362ee1deaa7acd36ee02e75473a8cee82c.exe

  • Size

    74KB

  • MD5

    c1b46bf9654a5febe9095ce5bb591b39

  • SHA1

    e94124a662f8c492a097cee840c6130ac8539372

  • SHA256

    21e7c7759adc4d5968c0979bb623e7362ee1deaa7acd36ee02e75473a8cee82c

  • SHA512

    de23ed4448a3f665a5a52f727000c0a7e5a775a74d20bf60add3019248ac92777d9bed37f4bdd8ce79c150d97c9d3d043fdfed0865dabf72018dc7d54118bbdd

  • SSDEEP

    768:uVOHR6dyI0hkKH07P4XUNoPNnREquHcbbbbxNnREquHcbbbbaw:tCn4ENyNiKbbbbxNiKbbbb

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21e7c7759adc4d5968c0979bb623e7362ee1deaa7acd36ee02e75473a8cee82c.exe
    "C:\Users\Admin\AppData\Local\Temp\21e7c7759adc4d5968c0979bb623e7362ee1deaa7acd36ee02e75473a8cee82c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\ahyguys.exe
      "C:\Users\Admin\AppData\Local\Temp\ahyguys.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      PID:940

Network

  • flag-us
    DNS
    icanhazip.com
    ahyguys.exe
    Remote address:
    8.8.8.8:53
    Request
    icanhazip.com
    IN A
    Response
    icanhazip.com
    IN A
    104.18.115.97
    icanhazip.com
    IN A
    104.18.114.97
  • flag-us
    GET
    http://icanhazip.com/
    ahyguys.exe
    Remote address:
    104.18.115.97:80
    Request
    GET / HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.35 (KHTML, like Gecko) Chrome/44.0.2455.81 Safari/535.35
    Host: icanhazip.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Tue, 04 Oct 2022 06:29:11 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=w.8O1Vf6y1Z.tz2KgaJY3_SISxJVo3Tu3hGFVG35ASw-1664864951-0-AZLh9hlGBj1QWa1Cw19b/Ha2ZtXNypkBdBNxHaAfkKgSslIV/3m8orJaYXNIGRoFYh2Xl9t7+UdxqJgwCMjnkwE=; path=/; expires=Tue, 04-Oct-22 06:59:11 GMT; domain=.icanhazip.com; HttpOnly; SameSite=None
    Server: cloudflare
    CF-RAY: 754bdc985dee0c85-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • 104.18.115.97:80
    http://icanhazip.com/
    http
    ahyguys.exe
    492 B
    1.4kB
    6
    5

    HTTP Request

    GET http://icanhazip.com/

    HTTP Response

    200
  • 93.185.4.90:12321
    ahyguys.exe
    104 B
    2
  • 76.84.81.120:443
    ahyguys.exe
    152 B
    3
  • 76.84.81.120:443
    ahyguys.exe
    152 B
    3
  • 76.84.81.120:443
    ahyguys.exe
    152 B
    3
  • 76.84.81.120:443
    ahyguys.exe
    152 B
    3
  • 84.246.161.47:443
    ahyguys.exe
    152 B
    3
  • 84.246.161.47:443
    ahyguys.exe
    152 B
    3
  • 8.8.8.8:53
    icanhazip.com
    dns
    ahyguys.exe
    59 B
    91 B
    1
    1

    DNS Request

    icanhazip.com

    DNS Response

    104.18.115.97
    104.18.114.97

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ahyguys.exe

    Filesize

    74KB

    MD5

    4fd262238957f368899384a712fdea66

    SHA1

    a154f9c06a71eb515863aa27b5c4128c2ca386db

    SHA256

    37d41fa4d73ef0d245692642b70ef164966e8b2960f82952423f213a29d93daf

    SHA512

    47fa6d61942c25c2c5dc53ac71ce128016010c9ff19e1c4a8973321f7faa5941b4df5b259ee23a476b62173d62bd2c51d09e6f744d7b7f1e025f2f9d44bfaaa9

  • \Users\Admin\AppData\Local\Temp\ahyguys.exe

    Filesize

    74KB

    MD5

    4fd262238957f368899384a712fdea66

    SHA1

    a154f9c06a71eb515863aa27b5c4128c2ca386db

    SHA256

    37d41fa4d73ef0d245692642b70ef164966e8b2960f82952423f213a29d93daf

    SHA512

    47fa6d61942c25c2c5dc53ac71ce128016010c9ff19e1c4a8973321f7faa5941b4df5b259ee23a476b62173d62bd2c51d09e6f744d7b7f1e025f2f9d44bfaaa9

  • memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB

  • memory/2032-62-0x0000000000400000-0x00000000004253F0-memory.dmp

    Filesize

    148KB

  • memory/2032-60-0x00000000003B0000-0x00000000003D6000-memory.dmp

    Filesize

    152KB
