Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2022, 20:30 UTC

General

  • Target

    98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe

  • Size

    856KB

  • MD5

    2ada1261a00752e2f9cc9d866b8be738

  • SHA1

    2b0e9c8ac109e10a7dbdfc0a7153e3faa29da7cf

  • SHA256

    98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38

  • SHA512

    869596be469f57728f882cec261a1120eea83592c9ed5c5a1e26ad8689331d25969ad87c4dc7dfd4d722057280b8f91c9de0c70e0164e85515e214bc0cc2aa7e

  • SSDEEP

    24576:A8cPH6I336DEcYrRvYlbf0BSXR//olL8YepF6zD1ehg:ArfHPcY9vnSB/c4YepSD1l

Malware Config

Signatures

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
    "C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
      "C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
        "C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2160
    • C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
      "C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2328

Network

  • flag-us
    DNS
    83.208.206.32.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.208.206.32.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    243.11.179.126.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    243.11.179.126.in-addr.arpa
    IN PTR
    Response
    243.11.179.126.in-addr.arpa
    IN PTR
    om12617901124319 openmobilenejp
  • flag-us
    DNS
    115.3.44.62.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    115.3.44.62.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    115.3.44.62.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    115.3.44.62.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.159.140.90.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.159.140.90.in-addr.arpa
    IN PTR
    Response
    8.159.140.90.in-addr.arpa
    IN PTR
    m90-140-159-8.cust.tele2.lt
  • flag-us
    DNS
    34.63.104.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    34.63.104.2.in-addr.arpa
    IN PTR
    Response
    34.63.104.2.in-addr.arpa
    IN PTR
    2-104-63-34-cable.dk.customer.tdc.net
  • flag-us
    DNS
    111.170.3.128.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    111.170.3.128.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    70.50.184.110.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    70.50.184.110.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    47.55.116.200.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.55.116.200.in-addr.arpa
    IN PTR
    Response
    47.55.116.200.in-addr.arpa
    IN PTR
    cable200-116-55-47.epm.net.co
  • flag-us
    DNS
    119.167.142.240.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.167.142.240.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    176.72.202.98.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    176.72.202.98.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.40.249.83.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.40.249.83.in-addr.arpa
    IN PTR
    Response
    1.40.249.83.in-addr.arpa
    IN PTR
    c83-249-40-1.bredband.tele2.se
  • flag-us
    DNS
    80.33.110.63.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.33.110.63.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    80.33.110.63.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.33.110.63.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    80.33.110.63.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.33.110.63.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    165.61.77.17.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    165.61.77.17.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.208.176.248.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.208.176.248.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    213.84.147.190.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    213.84.147.190.in-addr.arpa
    IN PTR
    Response
    213.84.147.190.in-addr.arpa
    IN PTR
    static-ip-cr19014784213.cable.net.co
  • flag-us
    DNS
    119.134.77.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.134.77.103.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    6.229.102.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    6.229.102.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    227.218.251.17.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    227.218.251.17.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    185.208.185.157.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    185.208.185.157.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    176.188.195.136.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    176.188.195.136.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    179.95.38.1.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    179.95.38.1.in-addr.arpa
    IN PTR
    Response
    179.95.38.1.in-addr.arpa
    IN PTR
    1-38-95-179.live.vodafone.in
  • flag-us
    DNS
    180.98.142.188.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.98.142.188.in-addr.arpa
    IN PTR
    Response
    180.98.142.188.in-addr.arpa
    IN PTR
    188-142-98-180.fixed.kpn.net
  • flag-us
    DNS
    19.15.246.159.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.15.246.159.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    235.211.5.36.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.211.5.36.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    181.39.26.25.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    181.39.26.25.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    42.219.54.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    42.219.54.23.in-addr.arpa
    IN PTR
    Response
    42.219.54.23.in-addr.arpa
    IN PTR
    a23-54-219-42.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    94.106.63.166.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    94.106.63.166.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    94.106.63.166.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    94.106.63.166.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    94.106.63.166.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    94.106.63.166.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    94.106.63.166.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    94.106.63.166.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    248.50.151.200.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    248.50.151.200.in-addr.arpa
    IN PTR
    Response
    248.50.151.200.in-addr.arpa
    IN PTR
    200151050248userdialtelemarnetbr
  • flag-us
    DNS
    115.142.253.34.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    115.142.253.34.in-addr.arpa
    IN PTR
    Response
    115.142.253.34.in-addr.arpa
    IN PTR
    ec2-34-253-142-115.eu-west-1.compute.amazonaws.com
  • flag-us
    DNS
    138.219.55.177.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.219.55.177.in-addr.arpa
    IN PTR
    Response
    138.219.55.177.in-addr.arpa
    IN PTR
    138-219-55-177 combolivrenetbr
  • flag-us
    DNS
    101.2.170.135.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.2.170.135.in-addr.arpa
    IN PTR
    Response
    101.2.170.135.in-addr.arpa
    IN PTR
    nothing.attdns.com
  • flag-us
    DNS
    198.222.92.55.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.222.92.55.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    205.202.89.39.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.202.89.39.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    192.236.202.7.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    192.236.202.7.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.74.37.81.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.74.37.81.in-addr.arpa
    IN PTR
    Response
    50.74.37.81.in-addr.arpa
    IN PTR
    50.red-81-37-74.dynamicip.rima-tde.net
  • flag-us
    DNS
    43.105.92.108.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.105.92.108.in-addr.arpa
    IN PTR
    Response
    43.105.92.108.in-addr.arpa
    IN PTR
    108-92-105-43.lightspeed.cicril.sbcglobal.net
  • 20.189.173.12:443
    322 B
    7
  • 8.8.8.8:53
    83.208.206.32.in-addr.arpa
    dns
    72 B
    149 B
    1
    1

    DNS Request

    83.208.206.32.in-addr.arpa

  • 8.8.8.8:53
    243.11.179.126.in-addr.arpa
    dns
    73 B
    121 B
    1
    1

    DNS Request

    243.11.179.126.in-addr.arpa

  • 8.8.8.8:53
    115.3.44.62.in-addr.arpa
    dns
    140 B
    282 B
    2
    2

    DNS Request

    115.3.44.62.in-addr.arpa

    DNS Request

    115.3.44.62.in-addr.arpa

  • 8.8.8.8:53
    8.159.140.90.in-addr.arpa
    dns
    71 B
    112 B
    1
    1

    DNS Request

    8.159.140.90.in-addr.arpa

  • 8.8.8.8:53
    34.63.104.2.in-addr.arpa
    dns
    70 B
    121 B
    1
    1

    DNS Request

    34.63.104.2.in-addr.arpa

  • 8.8.8.8:53
    111.170.3.128.in-addr.arpa
    dns
    72 B
    140 B
    1
    1

    DNS Request

    111.170.3.128.in-addr.arpa

  • 8.8.8.8:53
    70.50.184.110.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    70.50.184.110.in-addr.arpa

  • 8.8.8.8:53
    47.55.116.200.in-addr.arpa
    dns
    72 B
    115 B
    1
    1

    DNS Request

    47.55.116.200.in-addr.arpa

  • 8.8.8.8:53
    119.167.142.240.in-addr.arpa
    dns
    74 B
    142 B
    1
    1

    DNS Request

    119.167.142.240.in-addr.arpa

  • 8.8.8.8:53
    176.72.202.98.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    176.72.202.98.in-addr.arpa

  • 8.8.8.8:53
    1.40.249.83.in-addr.arpa
    dns
    70 B
    114 B
    1
    1

    DNS Request

    1.40.249.83.in-addr.arpa

  • 8.8.8.8:53
    80.33.110.63.in-addr.arpa
    dns
    213 B
    213 B
    3
    3

    DNS Request

    80.33.110.63.in-addr.arpa

    DNS Request

    80.33.110.63.in-addr.arpa

    DNS Request

    80.33.110.63.in-addr.arpa

  • 8.8.8.8:53
    165.61.77.17.in-addr.arpa
    dns
    71 B
    149 B
    1
    1

    DNS Request

    165.61.77.17.in-addr.arpa

  • 8.8.8.8:53
    98.208.176.248.in-addr.arpa
    dns
    73 B
    141 B
    1
    1

    DNS Request

    98.208.176.248.in-addr.arpa

  • 8.8.8.8:53
    213.84.147.190.in-addr.arpa
    dns
    73 B
    123 B
    1
    1

    DNS Request

    213.84.147.190.in-addr.arpa

  • 8.8.8.8:53
    119.134.77.103.in-addr.arpa
    dns
    73 B
    161 B
    1
    1

    DNS Request

    119.134.77.103.in-addr.arpa

  • 8.8.8.8:53
    6.229.102.51.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    6.229.102.51.in-addr.arpa

  • 8.8.8.8:53
    227.218.251.17.in-addr.arpa
    dns
    73 B
    151 B
    1
    1

    DNS Request

    227.218.251.17.in-addr.arpa

  • 8.8.8.8:53
    185.208.185.157.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    185.208.185.157.in-addr.arpa

  • 8.8.8.8:53
    176.188.195.136.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    176.188.195.136.in-addr.arpa

  • 8.8.8.8:53
    179.95.38.1.in-addr.arpa
    dns
    70 B
    112 B
    1
    1

    DNS Request

    179.95.38.1.in-addr.arpa

  • 8.8.8.8:53
    180.98.142.188.in-addr.arpa
    dns
    73 B
    115 B
    1
    1

    DNS Request

    180.98.142.188.in-addr.arpa

  • 8.8.8.8:53
    19.15.246.159.in-addr.arpa
    dns
    72 B
    72 B
    1
    1

    DNS Request

    19.15.246.159.in-addr.arpa

  • 8.8.8.8:53
    235.211.5.36.in-addr.arpa
    dns
    71 B
    159 B
    1
    1

    DNS Request

    235.211.5.36.in-addr.arpa

  • 8.8.8.8:53
    181.39.26.25.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    181.39.26.25.in-addr.arpa

  • 8.8.8.8:53
    42.219.54.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    42.219.54.23.in-addr.arpa

  • 8.8.8.8:53
    94.106.63.166.in-addr.arpa
    dns
    288 B
    288 B
    4
    4

    DNS Request

    94.106.63.166.in-addr.arpa

    DNS Request

    94.106.63.166.in-addr.arpa

    DNS Request

    94.106.63.166.in-addr.arpa

    DNS Request

    94.106.63.166.in-addr.arpa

  • 8.8.8.8:53
    248.50.151.200.in-addr.arpa
    dns
    73 B
    123 B
    1
    1

    DNS Request

    248.50.151.200.in-addr.arpa

  • 8.8.8.8:53
    115.142.253.34.in-addr.arpa
    dns
    73 B
    137 B
    1
    1

    DNS Request

    115.142.253.34.in-addr.arpa

  • 8.8.8.8:53
    138.219.55.177.in-addr.arpa
    dns
    73 B
    119 B
    1
    1

    DNS Request

    138.219.55.177.in-addr.arpa

  • 8.8.8.8:53
    101.2.170.135.in-addr.arpa
    dns
    72 B
    104 B
    1
    1

    DNS Request

    101.2.170.135.in-addr.arpa

  • 8.8.8.8:53
    198.222.92.55.in-addr.arpa
    dns
    72 B
    72 B
    1
    1

    DNS Request

    198.222.92.55.in-addr.arpa

  • 8.8.8.8:53
    205.202.89.39.in-addr.arpa
    dns
    72 B
    160 B
    1
    1

    DNS Request

    205.202.89.39.in-addr.arpa

  • 8.8.8.8:53
    192.236.202.7.in-addr.arpa
    dns
    72 B
    140 B
    1
    1

    DNS Request

    192.236.202.7.in-addr.arpa

  • 8.8.8.8:53
    50.74.37.81.in-addr.arpa
    dns
    70 B
    122 B
    1
    1

    DNS Request

    50.74.37.81.in-addr.arpa

  • 8.8.8.8:53
    43.105.92.108.in-addr.arpa
    dns
    72 B
    131 B
    1
    1

    DNS Request

    43.105.92.108.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2160-138-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2328-137-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2892-134-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/4368-132-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/4368-139-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB
