Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 17:10 UTC

General

  • Target

    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe

  • Size

    361KB

  • MD5

    33c9a90e00b9aaf7e2786410a6e92288

  • SHA1

    24505621e144d7186e22f3295bf0c40158027037

  • SHA256

    d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9

  • SHA512

    72a029923ddec5a57bb49a4b239bb417fe9d66caaa6f7c80659122741454b01466a46a4edda31ad9185113cf2214c920f589f0657e14f2c3ec708f2359dd1c5c

  • SSDEEP

    1536:5ldTg3KN9+rxmCWP+9URpKxQxk2Y0792HXfo0zW4nfeff6Wr:jdUaN9+rxh9cpKxQxk2Y0792HXfrf7k

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain locales).

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour, but nothing else in this report supports that reading: the remaining signatures (FTP client, messenger and browser data reads, an external IP lookup, an SMTP connection) are consistent with an infostealer enumerating drives to collect files.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
    "C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe" >> NUL
      2⤵
        PID:3992
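The child `cmd.exe /c del "<own path>" >> NUL` in the tree above is the sample deleting its own on-disk image after it has run. The following detection is an added example written for this report (not tria.ge code): it takes Sysmon-style process-creation records (parent image, image, command line) constructed here to mirror the tree above, and flags a cmd.exe whose `del`/`erase` target equals its parent's image path. The record field names, the extra parent PID for the first process and the benign third record are assumptions made for the example.

```python
"""Flag a process that deletes its own executable through a child cmd.exe.

Added example for this report, not tria.ge code. Records are constructed
Sysmon-style process-creation events; field names are an assumption.
"""
import re
from typing import Dict, List

# Constructed records modelled on the process tree above. The parent of PID
# 5072 and the third (benign) record are made up for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "pid": "5072",
        "ppid": "2144",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe",
        "command_line": r'"C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe"',
    },
    {
        "pid": "3992",
        "ppid": "5072",
        "parent_image": r"C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe",
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "command_line": r'"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe" >> NUL',
    },
    # Benign: an installer removing a log file, not its own image.
    {
        "pid": "4100",
        "ppid": "3300",
        "parent_image": r"C:\Program Files\Setup\setup.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\setup.log"',
    },
]

# `del` or `erase`, optional single-letter switches (/q, /f), then an optionally
# quoted drive-letter path running up to a redirect, a command separator or EOL.
_DEL_RE = re.compile(
    r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+"?(?P<path>[a-z]:\\[^"<>|]+?)"?\s*(?:>|&|$)',
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm(path: str) -> str:
    """Case-fold and strip quotes so two spellings of one path compare equal."""
    return path.strip().strip('"').replace("/", "\\").lower()


def find_self_deletion(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per cmd.exe whose del target is its parent's own image."""
    hits = []
    for ev in events:
        if _basename(ev["image"]) != "cmd.exe":
            continue
        m = _DEL_RE.search(ev["command_line"])
        if not m:
            continue
        target = _norm(m.group("path"))
        if target == _norm(ev["parent_image"]):
            hits.append({"pid": ev["pid"], "parent_pid": ev["ppid"], "deleted": target})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-deletion: cmd.exe PID {hit['pid']} (parent {hit['parent_pid']}) removed {hit['deleted']}")
```

Comparing against the parent's image rather than just looking for `del` in a cmd.exe command line is what keeps installers and scripts that clean up temp files out of the results; the `>> NUL` redirect seen in this sample is handled by stopping the path match at the first `>`.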

    Network

    • DNS
      whatismyip.akamai.com
      d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
      Remote address:
      8.8.8.8:53
      Request
      whatismyip.akamai.com
      IN A
      Response
      whatismyip.akamai.com
      IN CNAME
      whatismyip.akamai.com.edgesuite.net
      whatismyip.akamai.com.edgesuite.net
      IN CNAME
      a1524.g.akamai.net
      a1524.g.akamai.net
      IN A
      104.109.143.88
      a1524.g.akamai.net
      IN A
      104.109.143.93
    • GET
      http://whatismyip.akamai.com/
      d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
      Remote address:
      104.109.143.88:80
      Request
      GET / HTTP/1.1
      User-Agent: Trololo
      Host: whatismyip.akamai.com
      Response
      HTTP/1.1 200 OK
      Content-Type: text/html
      Content-Length: 12
      Expires: Sat, 03 Dec 2022 23:16:37 GMT
      Cache-Control: max-age=0, no-cache, no-store
      Pragma: no-cache
      Date: Sat, 03 Dec 2022 23:16:37 GMT
      Connection: keep-alive
    • DNS
      smtp.yandex.ru
      d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
      Remote address:
      8.8.8.8:53
      Request
      smtp.yandex.ru
      IN A
      Response
      smtp.yandex.ru
      IN A
      77.88.21.158
    • DNS
      15.89.54.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.89.54.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
      Remote address:
      8.8.8.8:53
      Request
      d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
      IN PTR
      Response
    • 84.53.175.11:80
      322 B
      7
    • 72.21.91.29:80
      322 B
      7
    • 40.126.32.138:443
      260 B
      5
    • 40.126.32.138:443
      260 B
      5
    • 104.109.143.88:80
      http://whatismyip.akamai.com/
      http
      d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
      298 B
      373 B
      5
      3

      HTTP Request

      GET http://whatismyip.akamai.com/

      HTTP Response

      200
    • 77.88.21.158:587
      smtp.yandex.ru
      d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
      260 B
      5
    • 20.189.173.3:443
      322 B
      7
    • 104.80.225.205:443
      322 B
      7
    • 8.8.8.8:53
      whatismyip.akamai.com
      dns
      d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
      67 B
      177 B
      1
      1

      DNS Request

      whatismyip.akamai.com

      DNS Response

      104.109.143.88
      104.109.143.93

    • 8.8.8.8:53
      smtp.yandex.ru
      dns
      d1d0c407e435bb4ad062d1e054e4704b0b0fa9134675a293e07b05b38884c3a9.exe
      60 B
      76 B
      1
      1

      DNS Request

      smtp.yandex.ru

      DNS Response

      77.88.21.158

    • 8.8.8.8:53
      15.89.54.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      15.89.54.20.in-addr.arpa

    • 8.8.8.8:53
      d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
      dns
      118 B
      204 B
      1
      1

      DNS Request

      d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa

    MITRE ATT&CK Enterprise v6


    Downloads

    • memory/5072-132-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

    • memory/5072-134-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB
