Analysis

  • max time kernel
    183s
  • max time network
    212s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    2022-12-01, 10:04 UTC

General

  • Target

    baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe

  • Size

    96KB

  • MD5

    4be1ac9452947d3000daca209972d3cc

  • SHA1

    595d3d653581f70b02c9510d76d4b7a70df73e10

  • SHA256

    baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01

  • SHA512

    2b11d8a798e988aa910d25bbebf55f251f354e659d9a5f4d505dffd9e21f7582c7ca2163fb2971a056fa958a67dc6710382a986348161939cc3a11e37138e0f0

  • SSDEEP

    1536:S2dX/KGcry9vASJJ2DbxN4j+s+Ci5d5lIE1ppxRp9bDEvLlIAA31cviZi/:d/V2yVHsQjN+Ci9l5Zp5SIAA3LZi/

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

How these read against the rest of the report: the SetThreadContext and WriteProcessMemory hits belong to the parent of each process pair in the tree (1212, then 1512), and in both cases the child is a second instance of the same image, the pattern left by writing a payload into a freshly created copy of oneself and redirecting its thread; that is why the sample and the dropped copy each appear twice. Persistence is the Run key plus the copy written to %APPDATA%\taskhost.exe, a name borrowed from the legitimate Windows binary in System32 but a different 96KB file from the sample (compare the hashes under Downloads). The certificate-store hits should be read together with the Network section: the only store-related activity visible is Microsoft-CryptoAPI/6.1 fetching the DST Root CA X3 bundle and a Let's Encrypt OCSP response while the TLS session to zeqsmmiwj3d.com is validated, so the most likely cause is CryptoAPI caching roots for chain building rather than the sample installing a trust anchor of its own. The report does not list the registry entries written, so that remains the probable explanation rather than a confirmed one.

Processes

  • C:\Users\Admin\AppData\Local\Temp\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe
    "C:\Users\Admin\AppData\Local\Temp\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe
      C:\Users\Admin\AppData\Local\Temp\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Users\Admin\AppData\Roaming\taskhost.exe
        C:\Users\Admin\AppData\Roaming\taskhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Users\Admin\AppData\Roaming\taskhost.exe
          C:\Users\Admin\AppData\Roaming\taskhost.exe
          4⤵
          • Executes dropped EXE
          • Modifies system certificate store
          PID:676
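
Read as a chain, the tree above is: the sample starts a second instance of itself (1212 to 1988), that instance drops %APPDATA%\taskhost.exe and writes a Run key for it, and the dropped copy repeats the self-start (1512 to 676). The following script is an added example, not code from the report or from tria.ge: it encodes that chain as detection logic over a constructed, Sysmon-style event list whose PIDs and paths are taken from the tree. The parent of PID 1212, the registry key path and the benign comparison events are made up here, since the page does not show them. Field names follow Sysmon's Image/ParentImage/TargetFilename/TargetObject so the functions can be run over real exported events.

```python
"""Detection logic for the process chain in this report's tree: a process
starts a child with its own image path, the child drops a copy of itself under
%APPDATA% and registers it in a Run key, and the drop is started the same way.

Added example, not part of the tria.ge report. EVENTS is constructed to mirror
the tree (PIDs and paths are the report's; the parent of PID 1212 and the
registry key path are not on the page and are made up here)."""
import ntpath  # Windows path semantics on any host

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe")
DROP = r"C:\Users\Admin\AppData\Roaming\taskhost.exe"
RUN_KEY = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost"  # constructed

# Constructed event stream. EventID 1 = process create, 11 = file create,
# 13 = registry value set (Sysmon numbering and field names).
EVENTS = [
    {"EventID": 1, "ProcessId": 1212, "ParentProcessId": 1000,
     "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},  # parent: constructed
    {"EventID": 1, "ProcessId": 1988, "ParentProcessId": 1212, "Image": SAMPLE, "ParentImage": SAMPLE},
    {"EventID": 11, "ProcessId": 1988, "Image": SAMPLE, "TargetFilename": DROP},
    {"EventID": 13, "ProcessId": 1988, "Image": SAMPLE, "TargetObject": RUN_KEY, "Details": DROP},
    {"EventID": 1, "ProcessId": 1512, "ParentProcessId": 1988, "Image": DROP, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 676, "ParentProcessId": 1512, "Image": DROP, "ParentImage": DROP},
]

# Constructed benign activity: an installer persisting a binary under Program Files.
BENIGN_EVENTS = [
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2100, "Image": r"C:\Temp\setup.exe",
     "TargetFilename": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13, "ProcessId": 2100, "Image": r"C:\Temp\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Agent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def norm(path):
    """Case-insensitive, backslash-normalised form for comparisons."""
    return ntpath.normcase(path.strip('"'))


def self_spawns(events):
    """Process creations whose child image is the parent's own image.

    The report's SetThreadContext/WriteProcessMemory hits are API-level and
    invisible in process logs; the self-spawn is the shape they leave behind."""
    return [(e["ParentProcessId"], e["ProcessId"], e["Image"])
            for e in events
            if e["EventID"] == 1 and norm(e["Image"]) == norm(e["ParentImage"])]


def run_keys_to_dropped(events):
    """Run-key values pointing at a file created earlier in the stream under a user-writable path."""
    dropped = {norm(e["TargetFilename"]) for e in events if e["EventID"] == 11}
    hits = []
    for e in events:
        if e["EventID"] != 13 or "\\currentversion\\run\\" not in norm(e["TargetObject"]):
            continue
        target = norm(e["Details"])
        if target in dropped and any(d in target for d in USER_WRITABLE):
            hits.append((e["ProcessId"], e["TargetObject"], e["Details"]))
    return hits


def hollowing_then_persistence(events):
    """Tie the pieces together the way the tree does and report each stage."""
    spawns = self_spawns(events)
    persist = run_keys_to_dropped(events)
    respawned = {norm(img) for _, _, img in spawns}
    return {
        "self_spawns": spawns,
        "run_key_persistence": persist,
        "dropped_copy_self_spawns": [d for _, _, d in persist if norm(d) in respawned],
    }


if __name__ == "__main__":
    for stage, hits in hollowing_then_persistence(EVENTS).items():
        print(stage, hits)
```

The self-spawn check is deliberately the only process-level signal: SetThreadContext and WriteProcessMemory are calls a sandbox hooks but a process-creation log never records, so the observable that survives in telemetry is a parent whose child has the same image path. Requiring the Run-key target to be a file the same stream saw created under a user-writable directory keeps ordinary installers, which persist binaries under Program Files, out of the hits.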

Network

  • DNS
    northwa.net
    taskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    northwa.net
    IN A
    Response
  • DNS
    zeqsmmiwj3d.com
    taskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    zeqsmmiwj3d.com
    IN A
    Response
    zeqsmmiwj3d.com
    IN A
    188.114.97.0
    zeqsmmiwj3d.com
    IN A
    188.114.96.0
  • GET
    http://zeqsmmiwj3d.com/791/119.html
    taskhost.exe
    Remote address:
    188.114.96.0:80
    Request
    GET /791/119.html HTTP/1.1
    From: 133145600026644000
    Via: goqjiuq^uiv@777bcrhe@7^serdq=3bovA6451aoe|A9dg87:4766:;73;c<g45e2<h3i62e=19
    Host: zeqsmmiwj3d.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 03 Dec 2022 15:54:31 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 03 Dec 2022 16:54:31 GMT
    Location: https://zeqsmmiwj3d.com/791/119.html
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HlZhwi9ht8LIfMbCiZ2%2BBKkmTRCCMLin306YSq319OGBSQnjoqdkpZ4wLaXwi3JqXiuc8gkatr6T82MmacRGqkrFi1DAfzE%2B4nkYhjtE5FFdp3Yswa9YNtgwaXItc3CJL2c%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 773d7b3b09fe1c81-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • DNS
    apps.identrust.com
    taskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    104.109.143.91
    a1952.dscq.akamai.net
    IN A
    104.109.143.75
  • GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    taskhost.exe
    Remote address:
    104.109.143.91:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=15768000
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' *.identrust.com
    Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
    ETag: "37d-5e1e6e25c9800"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Sat, 03 Dec 2022 16:54:50 GMT
    Date: Sat, 03 Dec 2022 15:54:50 GMT
    Connection: keep-alive
  • DNS
    x2.c.lencr.org
    taskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    23.2.164.159
  • DNS
    e1.o.lencr.org
    taskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    e1.o.lencr.org
    IN A
    Response
    e1.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    104.109.143.71
    a1887.dscq.akamai.net
    IN A
    104.109.143.99
  • DNS
    sewjdnmm93.com
    taskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    sewjdnmm93.com
    IN A
    Response
  • GET
    http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgP7I%2FtYgcAxCN7nP%2BkNbNv0LQ%3D%3D
    taskhost.exe
    Remote address:
    104.109.143.99:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgP7I%2FtYgcAxCN7nP%2BkNbNv0LQ%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: e1.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 344
    ETag: "F0E4A4AC55D26F505EA7FE78607E67E69A2517CE1C54AD84784712356D8C31DD"
    Last-Modified: Thu, 01 Dec 2022 13:00:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=4904
    Expires: Sat, 03 Dec 2022 17:17:12 GMT
    Date: Sat, 03 Dec 2022 15:55:28 GMT
    Connection: keep-alive
Connection summary. Each entry gives the remote endpoint, the host or URL, the protocol where the sandbox labelled one, the process, then bytes and packets sent by the VM followed by bytes and packets received. The sent sizes are IP datagram sizes: the 57 B for northwa.net is a 29-byte DNS A query plus 8 bytes of UDP and 20 bytes of IP header.

  • 188.114.97.0:80  zeqsmmiwj3d.com  taskhost.exe  sent 152 B / 3 packets, no reply recorded
  • 188.114.96.0:80  http://zeqsmmiwj3d.com/791/119.html  http  taskhost.exe  sent 375 B / 4 packets, received 1.5kB / 4 packets
    HTTP request: GET http://zeqsmmiwj3d.com/791/119.html
    HTTP response: 301
  • 188.114.96.0:443  zeqsmmiwj3d.com  tls  taskhost.exe  sent 396 B / 5 packets, received 172 B / 4 packets
  • 188.114.96.0:443  zeqsmmiwj3d.com  tls  taskhost.exe  sent 774 B / 11 packets, received 5.1kB / 11 packets
  • 104.109.143.91:80  http://apps.identrust.com/roots/dstrootcax3.p7c  http  taskhost.exe  sent 323 B / 4 packets, received 1.6kB / 4 packets
    HTTP request: GET http://apps.identrust.com/roots/dstrootcax3.p7c
    HTTP response: 200
  • 23.2.164.159:80  x2.c.lencr.org  taskhost.exe  sent 152 B / 3 packets, no reply recorded
  • 104.109.143.71:80  e1.o.lencr.org  taskhost.exe  sent 152 B / 3 packets, no reply recorded
  • 104.109.143.99:80  http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgP7I%2FtYgcAxCN7nP%2BkNbNv0LQ%3D%3D  http  taskhost.exe  sent 430 B / 4 packets, received 1.6kB / 4 packets
    HTTP request: GET http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgP7I%2FtYgcAxCN7nP%2BkNbNv0LQ%3D%3D
    HTTP response: 200
  • 8.8.8.8:53  northwa.net  dns  taskhost.exe  sent 57 B / 1 packet, received 130 B / 1 packet
    DNS request: northwa.net (no address in the response)
  • 8.8.8.8:53  zeqsmmiwj3d.com  dns  taskhost.exe  sent 61 B / 1 packet, received 93 B / 1 packet
    DNS request: zeqsmmiwj3d.com
    DNS response: 188.114.97.0, 188.114.96.0
  • 8.8.8.8:53  apps.identrust.com  dns  taskhost.exe  sent 64 B / 1 packet, received 165 B / 1 packet
    DNS request: apps.identrust.com
    DNS response: 104.109.143.91, 104.109.143.75
  • 8.8.8.8:53  x2.c.lencr.org  dns  taskhost.exe  sent 60 B / 1 packet, received 165 B / 1 packet
    DNS request: x2.c.lencr.org
    DNS response: 23.2.164.159
  • 8.8.8.8:53  e1.o.lencr.org  dns  taskhost.exe  sent 60 B / 1 packet, received 159 B / 1 packet
    DNS request: e1.o.lencr.org
    DNS response: 104.109.143.71, 104.109.143.99
  • 8.8.8.8:53  sewjdnmm93.com  dns  taskhost.exe  sent 60 B / 1 packet, received 133 B / 1 packet
    DNS request: sewjdnmm93.com (no address in the response)
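
Of the traffic above, only the request to zeqsmmiwj3d.com comes from the sample's own code; the dstrootcax3.p7c and OCSP fetches carry User-Agent: Microsoft-CryptoAPI/6.1 and are the operating system validating the certificate chain for the TLS session that follows the 301. Three things mark the beacon: it has no User-Agent, its From: header is an 18-digit integer rather than a mailbox, and its Via: header is not a received-protocol followed by a received-by as RFC 7230 defines the field. The script below is an added example, not part of the tria.ge report: it parses the captured request (copied verbatim from above, as are the CryptoAPI request and the 301's Date: header) and checks those three points. Decoding From: as a Windows FILETIME is an assumption the report does not confirm; it yields 2022-12-03 16:53:22, within an hour of the server's Date: header, which is consistent with the field being the VM's clock at send time.

```python
"""Header checks for the beacon captured in this report.

Added example, not code from the report or the sandbox. SAMPLE_REQUEST and
CRYPTOAPI_REQUEST are copied from the Network section; RESPONSE_DATE is the
Date: header of the 301 reply. Treating From: as a Windows FILETIME is an
assumption, not something the report states."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SAMPLE_REQUEST = (
    "GET /791/119.html HTTP/1.1\r\n"
    "From: 133145600026644000\r\n"
    "Via: goqjiuq^uiv@777bcrhe@7^serdq=3bovA6451aoe|A9dg87:4766:;73;c<g45e2<h3i62e=19\r\n"
    "Host: zeqsmmiwj3d.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
CRYPTOAPI_REQUEST = (
    "GET /roots/dstrootcax3.p7c HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "User-Agent: Microsoft-CryptoAPI/6.1\r\n"
    "Host: apps.identrust.com\r\n\r\n"
)
RESPONSE_DATE = "Sat, 03 Dec 2022 15:54:31 GMT"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# RFC 7230 Via: received-protocol RWS received-by, e.g. "1.1 proxy.example.net"
# or "HTTP/1.0 fred". Only the first list element is checked here.
VIA_RE = re.compile(r"^(?:[A-Za-z][\w.+-]*/)?\d+(?:\.\d+)?\s+[\w.:\[\]-]+")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def filetime_to_datetime(value):
    """Interpret an integer as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def analyze_request(raw, response_date=None):
    """Return the header anomalies found in one request, keyed by finding name."""
    _method, _target, _version, headers = parse_request(raw)
    findings = {}
    frm = headers.get("from", "")
    # From: should carry a mailbox; an all-digit value that decodes to a
    # plausible FILETIME is a timestamp field of a home-grown protocol.
    if frm.isdigit():
        try:
            ts = filetime_to_datetime(frm)
        except OverflowError:  # too many digits to be a FILETIME
            ts = None
        if ts is not None and 2000 <= ts.year <= 2100:
            findings["from_is_filetime"] = ts.isoformat(timespec="seconds")
            if response_date:
                ref = parsedate_to_datetime(response_date)
                findings["clock_skew_s"] = abs((ts - ref).total_seconds())
    via = headers.get("via")
    if via is not None and not VIA_RE.match(via):
        findings["via_not_rfc7230"] = via
    if "user-agent" not in headers:
        findings["no_user_agent"] = True
    return findings


if __name__ == "__main__":
    for name, req in (("beacon", SAMPLE_REQUEST), ("cryptoapi", CRYPTOAPI_REQUEST)):
        print(name, analyze_request(req, RESPONSE_DATE))
```

Run against the CryptoAPI request the same function returns nothing, which is the split an analyst wants from this capture: sample-originated versus OS-originated traffic leaving the same process.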

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\taskhost.exe

    Filesize

    96KB

    MD5

    413eb4df6fca058373d2e07edabb1ef2

    SHA1

    71d23bf40422d8b0815d87f4e5f99f47c3912334

    SHA256

    1f28e884b043bbb340954fdd59a8efcf8fc9494cade4f83144fe57e7ac0f142a

    SHA512

    981377df10be155d3da647be0b25c8d6188737b078780b3d2d1a76b75b356b6c4258fa5695aaf5064928ba19d78ee1cf1f7654aefa3cb2793c833661c0418ccc

  • \Users\Admin\AppData\Roaming\taskhost.exe

    Filesize

    96KB

    MD5

    413eb4df6fca058373d2e07edabb1ef2

    SHA1

    71d23bf40422d8b0815d87f4e5f99f47c3912334

    SHA256

    1f28e884b043bbb340954fdd59a8efcf8fc9494cade4f83144fe57e7ac0f142a

    SHA512

    981377df10be155d3da647be0b25c8d6188737b078780b3d2d1a76b75b356b6c4258fa5695aaf5064928ba19d78ee1cf1f7654aefa3cb2793c833661c0418ccc

  • memory/676-75-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/676-74-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/676-68-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1988-54-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1988-60-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1988-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

    Filesize

    8KB

  • memory/1988-72-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1988-56-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB
