Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

d1d0c407e4...a9.exe

windows7-x64

7

d1d0c407e4...a9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    75s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 17:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe

  • Size

    361KB

  • MD5

    33c9a90e00b9aaf7e2786410a6e92288

  • SHA1

    24505621e144d7186e22f3295bf0c40158027037

  • SHA256

    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9

  • SHA512

    72a029923ddec5a57bb49a4b239bb417fe9d66caaa6f7c80659122741454b01466a46a4edda31ad9185113cf2214c920f589f0657e14f2c3ec708f2359dd1c5c

  • SSDEEP

    1536:5ldTg3KN9+rxmCWP+9URpKxQxk2Y0792HXfo0zW4nfeff6Wr:jdUaN9+rxh9cpKxQxk2Y0792HXfrf7k

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    "C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe" >> NUL
      2⤵
      • Deletes itself
      PID:2044

Network

  • flag-unknown
    DNS
    whatismyip.akamai.com
    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    Remote address:
    8.8.8.8:53
    Request
    whatismyip.akamai.com
    IN A
    Response
    whatismyip.akamai.com
    IN CNAME
    whatismyip.akamai.com.edgesuite.net
    whatismyip.akamai.com.edgesuite.net
    IN CNAME
    a1524.g.akamai.net
    a1524.g.akamai.net
    IN A
    104.109.143.93
    a1524.g.akamai.net
    IN A
    104.109.143.88
  • flag-unknown
    GET
    http://whatismyip.akamai.com/
    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    Remote address:
    104.109.143.93:80
    Request
    GET / HTTP/1.1
    User-Agent: Trololo
    Host: whatismyip.akamai.com
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 12
    Expires: Sat, 03 Dec 2022 23:17:21 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 03 Dec 2022 23:17:21 GMT
    Connection: keep-alive
  • flag-unknown
    DNS
    smtp.yandex.ru
    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.yandex.ru
    IN A
    Response
    smtp.yandex.ru
    IN A
    77.88.21.158
  • 104.109.143.93:80
    http://whatismyip.akamai.com/
    http
    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    304 B
     654 B
     5
    4

    HTTP Request

    GET http://whatismyip.akamai.com/

    HTTP Response

    200
  • 77.88.21.158:587
    smtp.yandex.ru
    smtp-submission
    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    295 B
     754 B
     6
    7
  • 8.8.8.8:53
    whatismyip.akamai.com
    dns
    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    67 B
     177 B
     1
    1

    DNS Request

    whatismyip.akamai.com

    DNS Response

    104.109.143.93
    104.109.143.88

  • 8.8.8.8:53
    smtp.yandex.ru
    dns
    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    60 B
     76 B
     1
    1

    DNS Request

    smtp.yandex.ru

    DNS Response

    77.88.21.158

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1096-54-0x0000000075991000-0x0000000075993000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1096-55-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1096-56-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1096-58-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.