Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
165s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29/11/2022, 06:43 UTC
Static task
static1
Behavioral task
behavioral1
Sample
83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Resource
win10v2004-20220812-en
General
-
Target
83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
-
Size
168KB
-
MD5
ecc8daa9c96bd99c1419ebeea32b1b67
-
SHA1
c3f4924a4f5e03f9016381869e9d1b7e35a5d5ec
-
SHA256
83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614
-
SHA512
cfd64fc43dba20252db55e2f11c107aed10ff3ace8500f7dd679f1ca75d149f39cbd5669fb2dfdb2c7cb9326e000a90800866724057a924174b4c888fadfd60f
-
SSDEEP
3072:7Lg95BKAUeKMKk4oIOA2CY1Qrz4+JSVwGj9vjjZ4FKtkN6EWwKXWH+/snyJs/xuz:7Lg95tUbk7IOFyrcHVwGJLl4FJN5SmHt
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{8dceb85e-8508-ee5b-cccc-98a6b145e6ef}\\n." 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe -
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 83.133.123.20 Destination IP 83.133.123.20 Destination IP 83.133.123.20 Destination IP 83.133.123.20 -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{8dceb85e-8508-ee5b-cccc-98a6b145e6ef}\\n." 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\clsid 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2804 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe Token: SeDebugPrivilege 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe Token: SeDebugPrivilege 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4192 wrote to memory of 2804 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 37 PID 4192 wrote to memory of 2804 4192 83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe 37
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe"C:\Users\Admin\AppData\Local\Temp\83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe"2⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192
-
Network
-
Remote address:8.8.8.8:53Requestpromos.fling.comIN AResponsepromos.fling.comIN A64.210.151.32
-
GEThttp://promos.fling.com/geo/txt/city.php83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exeRemote address:64.210.151.32:80RequestGET /geo/txt/city.php HTTP/1.0
Host: promos.fling.com
Connection: close
ResponseHTTP/1.1 302 Found
location: https://promos.fling.com/geo/txt/city.php
cache-control: no-cache
connection: close
-
Remote address:8.8.8.8:53Request97.97.242.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
64.210.151.32:80http://promos.fling.com/geo/txt/city.phphttp83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe307 B 310 B 5 4
HTTP Request
GET http://promos.fling.com/geo/txt/city.phpHTTP Response
302 -
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
322 B 7
-
260 B 5
-
322 B 7
-
260 B 5
-
322 B 7
-
8.8.8.8:53promos.fling.comdns83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe62 B 78 B 1 1
DNS Request
promos.fling.com
DNS Response
64.210.151.32
-
48 B 1
-
48 B 1
-
48 B 1
-
48 B 1
-
71 B 145 B 1 1
DNS Request
97.97.242.52.in-addr.arpa