Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2022, 16:03 UTC

General

  • Target

    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe

  • Size

    316KB

  • MD5

    020aa7744a4d589cac1f0d412439b6d0

  • SHA1

    ba59fc6931504e47dcd722264e1026c68670e383

  • SHA256

    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908

  • SHA512

    d76e3b744caf60f88e6f08a290ad17a2c2fb94ed53fd20bf8ba61cb2b3ac2fce6149bede7407af53958000356e1c70cf4889e78b17212bbf5261f69336bdb5d7

  • SSDEEP

    6144:erFbUzkuvcBYC47l2xWFAS3r/n2KvN48uFPPDZyMY:er2kuveY3ZF31N4XxZjY

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    "C:\Users\Admin\AppData\Local\Temp\f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe"
    1⤵
    • Loads dropped DLL
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    PID:3912

Network

  • flag-unknown
    DNS
    c1.downlloaddatamy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    c1.downlloaddatamy.info
    IN A
    Response
  • flag-unknown
    DNS
    r1.getapplicationmy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    r1.getapplicationmy.info
    IN A
    Response
    r1.getapplicationmy.info
    IN A
    94.229.72.122
  • flag-unknown
    DNS
    c2.downlloaddatamy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    c2.downlloaddatamy.info
    IN A
    Response
  • flag-unknown
    DNS
    c1.downlloaddatamy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    c1.downlloaddatamy.info
    IN A
    Response
  • flag-unknown
    DNS
    c2.downlloaddatamy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    c2.downlloaddatamy.info
    IN A
    Response
  • flag-unknown
    DNS
    c1.downlloaddatamy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    c1.downlloaddatamy.info
    IN A
    Response
  • flag-unknown
    DNS
    c2.downlloaddatamy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    c2.downlloaddatamy.info
    IN A
    Response
  • flag-unknown
    DNS
    r2.getapplicationmy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    r2.getapplicationmy.info
    IN A
    Response
    r2.getapplicationmy.info
    IN A
    94.229.72.122
  • flag-unknown
    POST
    http://r2.getapplicationmy.info/?report_version=5&
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    94.229.72.122:80
    Request
    POST /?report_version=5& HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: TixDll
    Host: r2.getapplicationmy.info
    Content-Length: 1800
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    cache-control: max-age=0, private, must-revalidate
    connection: close
    content-length: 11
    date: Mon, 21 Nov 2022 16:03:51 GMT
    location: http://survey-smiles.com
    server: nginx
    set-cookie: sid=174ea6a8-69b6-11ed-9ca3-78f9485199c9; path=/; domain=.getapplicationmy.info; expires=Sat, 09 Dec 2090 19:17:58 GMT; max-age=2147483647; HttpOnly
  • flag-unknown
    DNS
    survey-smiles.com
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    8.8.8.8:53
    Request
    survey-smiles.com
    IN A
    Response
    survey-smiles.com
    IN A
    199.59.243.222
  • flag-unknown
    GET
    http://survey-smiles.com/
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    Remote address:
    199.59.243.222:80
    Request
    GET / HTTP/1.1
    Accept: */*
    User-Agent: TixDll
    Cache-Control: no-cache
    Host: survey-smiles.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 21 Nov 2022 16:03:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: parking_session=766e7689-bce1-90cb-7df1-4db7337c00fd; expires=Mon, 21-Nov-2022 16:18:51 GMT; Max-Age=900; path=/; HttpOnly
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TNA+5zAcuC8zFDIUlgADyF1DJLNUMdO2R648/pkg9lhWgcvsI62wu/JHrI4Qs5t09aOJmgUcGqHz7s3DHsuGGg==
    Cache-Control: no-cache
    Accept-CH: sec-ch-prefers-color-scheme
    Critical-CH: sec-ch-prefers-color-scheme
    Vary: sec-ch-prefers-color-scheme
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
  • flag-unknown
    DNS
    164.2.77.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    164.2.77.40.in-addr.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • 94.229.72.122:80
    r1.getapplicationmy.info
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    260 B
    5
  • 94.229.72.122:80
    http://r2.getapplicationmy.info/?report_version=5&
    http
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    4.3kB
    698 B
    11
    8

    HTTP Request

    POST http://r2.getapplicationmy.info/?report_version=5&

    HTTP Response

    302
  • 199.59.243.222:80
    http://survey-smiles.com/
    http
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    559 B
    2.8kB
    9
    6

    HTTP Request

    GET http://survey-smiles.com/

    HTTP Response

    200
  • 85.208.136.154:33666
    46 B
    44 B
    1
    1
  • 13.69.239.72:443
    322 B
    7
  • 8.8.8.8:53
    c1.downlloaddatamy.info
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    69 B
    148 B
    1
    1

    DNS Request

    c1.downlloaddatamy.info

  • 8.8.8.8:53
    r1.getapplicationmy.info
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    70 B
    86 B
    1
    1

    DNS Request

    r1.getapplicationmy.info

    DNS Response

    94.229.72.122

  • 8.8.8.8:53
    c2.downlloaddatamy.info
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    69 B
    148 B
    1
    1

    DNS Request

    c2.downlloaddatamy.info

  • 8.8.8.8:53
    c1.downlloaddatamy.info
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    69 B
    148 B
    1
    1

    DNS Request

    c1.downlloaddatamy.info

  • 8.8.8.8:53
    c2.downlloaddatamy.info
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    69 B
    148 B
    1
    1

    DNS Request

    c2.downlloaddatamy.info

  • 8.8.8.8:53
    c1.downlloaddatamy.info
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    69 B
    148 B
    1
    1

    DNS Request

    c1.downlloaddatamy.info

  • 8.8.8.8:53
    c2.downlloaddatamy.info
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    69 B
    148 B
    1
    1

    DNS Request

    c2.downlloaddatamy.info

  • 8.8.8.8:53
    r2.getapplicationmy.info
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    70 B
    86 B
    1
    1

    DNS Request

    r2.getapplicationmy.info

    DNS Response

    94.229.72.122

  • 8.8.8.8:53
    survey-smiles.com
    dns
    f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
    63 B
    79 B
    1
    1

    DNS Request

    survey-smiles.com

    DNS Response

    199.59.243.222

  • 8.8.8.8:53
    164.2.77.40.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    164.2.77.40.in-addr.arpa

  • 8.8.8.8:53
    f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa

  • 8.8.8.8:53
    tls
    72 B
    267 B
    1
    1

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TsuDC436D46.dll

    Filesize

    269KB

    MD5

    af7ce801c8471c5cd19b366333c153c4

    SHA1

    4267749d020a362edbd25434ad65f98b073581f1

    SHA256

    cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

    SHA512

    88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

  • C:\Users\Admin\AppData\Local\Temp\{C15CCA44-8BDB-4935-ABDE-C3F91ABFE8B2}\Custom.dll

    Filesize

    91KB

    MD5

    74187f0d3091d876c86cd59e6d274723

    SHA1

    da269d0d9db1815e599dcd4342eb7664d70c3eb6

    SHA256

    d1e0c357c47d79cc8ba115e7553ffc0825aacc7ef4708fc9f5e71f3fd4d01350

    SHA512

    2ffab239d2efa6423fd08ca1f9b0b76bc6cd65902fd7ca56955b6737a92d4559e21c22c79895f3b02a57a48e6dd75057ff1d76e2e149d28cf808d24465d12e38

  • C:\Users\Admin\AppData\Local\Temp\{C15CCA44-8BDB-4935-ABDE-C3F91ABFE8B2}\_Setup.dll

    Filesize

    173KB

    MD5

    a6c39fc01edc16a6e57993c823eff346

    SHA1

    7353185a6988dbb095cb45972d93596f306e9a53

    SHA256

    be04588168f4c44d71d197f2777922d72afa11f81d8e9c7badbd61bc7abb2ce5

    SHA512

    65a762ebf88c4d0ada482411a5f0ec7532206c3145e4148c82a7a1989ba682a7805e78025650720e780eaf6541859431471306f699d582077f4b61ff4f2a421e
