
Analysis

  • max time kernel
    165s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 06:43 UTC

General

  • Target

    83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe

  • Size

    168KB

  • MD5

    ecc8daa9c96bd99c1419ebeea32b1b67

  • SHA1

    c3f4924a4f5e03f9016381869e9d1b7e35a5d5ec

  • SHA256

    83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614

  • SHA512

    cfd64fc43dba20252db55e2f11c107aed10ff3ace8500f7dd679f1ca75d149f39cbd5669fb2dfdb2c7cb9326e000a90800866724057a924174b4c888fadfd60f

  • SSDEEP

    3072:7Lg95BKAUeKMKk4oIOA2CY1Qrz4+JSVwGj9vjjZ4FKtkN6EWwKXWH+/snyJs/xuz:7Lg95tUbk7IOFyrcHVwGJLl4FJN5SmHt

Score
8/10

Malware Config

Signatures

  • Registers COM server for autorun (1 TTP, 3 IoCs)
  • Unexpected DNS network traffic destination (4 IoCs)

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
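The "Unexpected DNS network traffic destination" signature is simple enough to re-run by hand against the Network table further down. The following is an added example, not code from the Triage report or from the tria.ge platform: it walks flow records constructed from this report's Network section and flags every flow to port 53 whose destination is not one of the sandbox's configured resolvers. The page does not state which resolver the sandbox was configured with; 8.8.8.8 is assumed here because that is where the named queries went.

```python
"""Re-implement the "Unexpected DNS network traffic destination" check offline.

Added example; not code from the Triage report or the tria.ge platform.
Flow records below are constructed from this report's Network table.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumption for this example: the sandbox's configured resolver. The report
# does not state it; 8.8.8.8 is where the A and PTR queries were sent.
CONFIGURED_RESOLVERS: Set[str] = {"8.8.8.8"}

DNS_PORT = 53

SAMPLE = "83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe"


@dataclass(frozen=True)
class Flow:
    """One row of the Network table: destination, port, attributed process (if any)."""
    dst_ip: str
    dst_port: int
    process: Optional[str]


# Constructed from the report's Network table; only the fields the check needs.
FLOWS: List[Flow] = [
    Flow("64.210.151.32", 80, SAMPLE),
    Flow("184.172.204.122", 80, SAMPLE),
    Flow("40.79.141.153", 443, None),
    Flow("8.8.8.8", DNS_PORT, SAMPLE),          # A query for promos.fling.com
    Flow("83.133.123.20", DNS_PORT, SAMPLE),
    Flow("83.133.123.20", DNS_PORT, SAMPLE),
    Flow("83.133.123.20", DNS_PORT, SAMPLE),
    Flow("83.133.123.20", DNS_PORT, SAMPLE),
    Flow("8.8.8.8", DNS_PORT, None),            # PTR query, no process attributed
]


def unexpected_dns_destinations(
    flows: Iterable[Flow], resolvers: Set[str] = CONFIGURED_RESOLVERS
) -> Tuple[int, Dict[str, dict]]:
    """Return (ioc_count, details) for port-53 flows that bypass the configured resolvers.

    details maps each offending destination IP to the number of flows and the
    sorted list of processes that produced them ("<unattributed>" when the
    report names no process).
    """
    allowed = {str(ip_address(r)) for r in resolvers}  # normalise notation
    details: Dict[str, dict] = {}
    for f in flows:
        if f.dst_port != DNS_PORT:
            continue
        if str(ip_address(f.dst_ip)) in allowed:
            continue
        entry = details.setdefault(f.dst_ip, {"count": 0, "processes": set()})
        entry["count"] += 1
        entry["processes"].add(f.process)
    for entry in details.values():
        entry["processes"] = sorted(p or "<unattributed>" for p in entry["processes"])
    return sum(e["count"] for e in details.values()), details
```

Run against the constructed rows, the check returns a count of 4, all of them flows from the sample to 83.133.123.20:53, which matches the four IoCs the signature reports and the four rows for that address in the Network table. Note the asymmetry visible on the page: the 8.8.8.8 rows list both request and response figures, while each 83.133.123.20 row lists a single 48 B, 1-packet figure. A resolver allow-list like this only sees plain DNS on port 53; resolution tunnelled over HTTPS to port 443 would not trip it.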

Processes

  • C:\Windows\Explorer.EXE (PID 2804)
    Command line: C:\Windows\Explorer.EXE
    • Suspicious behavior: GetForegroundWindowSpam
    • C:\Users\Admin\AppData\Local\Temp\83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe (PID 4192)
      Command line: "C:\Users\Admin\AppData\Local\Temp\83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe"
      • Registers COM server for autorun
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory

Network

  • DNS: promos.fling.com
    Process: 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
    Remote address: 8.8.8.8:53
    Request: promos.fling.com IN A
    Response: promos.fling.com IN A 64.210.151.32
  • GET http://promos.fling.com/geo/txt/city.php
    Process: 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
    Remote address: 64.210.151.32:80
    Request:
      GET /geo/txt/city.php HTTP/1.0
      Host: promos.fling.com
      Connection: close
    Response:
      HTTP/1.1 302 Found
      content-length: 0
      location: https://promos.fling.com/geo/txt/city.php
      cache-control: no-cache
      connection: close
  • DNS: 97.97.242.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 97.97.242.52.in-addr.arpa IN PTR
    Response: (none listed)
  Address              Domain / URL                                Proto  Process  Bytes           Packets
  93.184.221.240:80                                                                260 B           5
  93.184.221.240:80                                                                260 B           5
  64.210.151.32:80     http://promos.fling.com/geo/txt/city.php    http   sample   307 B / 310 B   5 / 4
  184.172.204.122:80                                                      sample   104 B           2
  184.172.204.122:80                                                      sample   104 B           2
  184.172.204.122:80                                                      sample   104 B           2
  184.172.204.122:80                                                      sample   104 B           2
  40.79.141.153:443                                                                322 B           7
  93.184.221.240:80                                                                260 B           5
  93.184.221.240:80                                                                322 B           7
  93.184.221.240:80                                                                260 B           5
  93.184.220.29:80                                                                 322 B           7
  8.8.8.8:53           promos.fling.com                            dns    sample   62 B / 78 B     1 / 1
  83.133.123.20:53                                                        sample   48 B            1
  83.133.123.20:53                                                        sample   48 B            1
  83.133.123.20:53                                                        sample   48 B            1
  83.133.123.20:53                                                        sample   48 B            1
  8.8.8.8:53           97.97.242.52.in-addr.arpa                   dns             71 B / 145 B    1 / 1

  "sample" in the Process column is 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe. Bytes and Packets are reproduced as the report lists them: a flow with two figures has both given, a flow with one figure has only one.

  Request/response detail for the three flows the report expands:

  • 64.210.151.32:80: HTTP request GET http://promos.fling.com/geo/txt/city.php, HTTP response 302
  • 8.8.8.8:53: DNS request promos.fling.com, DNS response 64.210.151.32
  • 8.8.8.8:53: DNS request 97.97.242.52.in-addr.arpa (no response listed)

    DNS Request

    97.97.242.52.in-addr.arpa

MITRE ATT&CK Enterprise v6


Downloads

  • memory/2804-134-0x00000000006F0000-0x00000000006FC000-memory.dmp (48KB)
  • memory/4192-132-0x0000000000400000-0x0000000000436000-memory.dmp (216KB)
  • memory/4192-133-0x0000000002050000-0x0000000002086000-memory.dmp (216KB)
  • memory/4192-135-0x0000000000400000-0x0000000000436000-memory.dmp (216KB)
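The dump names above encode the process, a sequence number and the dumped address range, so the listed sizes can be cross-checked and the dumps grouped before opening any of them. The following is an added example, not code from the Triage report or the tria.ge platform: the name pattern memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the four entries on this page and is an assumption, not a documented format.

```python
"""Parse Triage memory-dump names and cross-check the listed sizes.

Added example; not code from the Triage report or the tria.ge platform.
The name pattern memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred
from the four entries on this page (an assumption, not a documented format).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        """Byte length of the dumped range."""
        return self.end - self.start

    @property
    def size_kb(self) -> int:
        return self.size // 1024


def parse_dump_name(name: str) -> MemoryDump:
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised memory dump name: {name!r}")
    return MemoryDump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


# Entries copied from the Downloads section, with the sizes (KB) the page lists.
# 0x400000 is the conventional default image base of a 32-bit PE; the Analysis
# section tags the run arch:x86 as well as arch:x64.
REPORTED: Dict[str, int] = {
    "memory/2804-134-0x00000000006F0000-0x00000000006FC000-memory.dmp": 48,
    "memory/4192-132-0x0000000000400000-0x0000000000436000-memory.dmp": 216,
    "memory/4192-133-0x0000000002050000-0x0000000002086000-memory.dmp": 216,
    "memory/4192-135-0x0000000000400000-0x0000000000436000-memory.dmp": 216,
}


def check_reported_sizes(reported: Dict[str, int] = REPORTED) -> List[str]:
    """Return names whose address range disagrees with the listed size in KB."""
    return [n for n, kb in reported.items() if parse_dump_name(n).size_kb != kb]


def dumps_by_pid(names: Iterable[str]) -> Dict[int, List[MemoryDump]]:
    """Group dumps by PID, so a dump taken from a process other than the sample stands out."""
    out: Dict[int, List[MemoryDump]] = {}
    for n in names:
        d = parse_dump_name(n)
        out.setdefault(d.pid, []).append(d)
    return out


def repeated_regions(names: Iterable[str]) -> Dict[Tuple[int, int, int], List[int]]:
    """Return (pid, start, end) ranges dumped more than once, with their sequence numbers.

    Successive dumps of the same region are the pair to diff when looking for
    in-place unpacking or patching of the image.
    """
    seen: Dict[Tuple[int, int, int], List[int]] = {}
    for n in names:
        d = parse_dump_name(n)
        seen.setdefault((d.pid, d.start, d.end), []).append(d.seq)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

All four listed sizes agree with their address ranges. The grouping also makes two things on the page explicit: 0x400000-0x436000 in PID 4192 was dumped twice (sequence 132 and 135), and the 48KB dump comes from Explorer (PID 2804), not from the sample, which is the process the "Suspicious use of WriteProcessMemory" signature is attached to. The report does not say the two are related; the Explorer dump is simply the one to inspect first. The on-disk sample is 168KB while its mapped image is 216KB, which is the normal effect of section alignment in memory, not by itself a sign of unpacking.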
