Resubmissions

19/04/2023, 12:47 UTC

230419-p1aq3acd4z 1

Analysis

  • max time kernel: 13s
  • max time network: 39s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/04/2023, 12:47 UTC

General

  • Target

    https://admiring-merkle.212-193-11-64.plesk.page/rex/admin/js/mj.php?ar=b2ZmaWNl&b64e=eTjQeIi&b64u=DKUsOTHK&conf=UITwDQXgTD&call=iRAyApH

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 15 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://admiring-merkle.212-193-11-64.plesk.page/rex/admin/js/mj.php?ar=b2ZmaWNl&b64e=eTjQeIi&b64u=DKUsOTHK&conf=UITwDQXgTD&call=iRAyApH
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4912
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4912 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4952
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\mj.js"
      2⤵
      PID:1476

    Network

    • (US) DNS admiring-merkle.212-193-11-64.plesk.page, process IEXPLORE.EXE, remote address 8.8.8.8:53
      Request: admiring-merkle.212-193-11-64.plesk.page IN A
      Response: admiring-merkle.212-193-11-64.plesk.page IN A 212.193.11.64
    • (US) DNS 217.106.137.52.in-addr.arpa, remote address 8.8.8.8:53
      Request: 217.106.137.52.in-addr.arpa IN PTR
      Response: (none)
    • (US) DNS assets.msn.com, remote address 8.8.8.8:53
      Request: assets.msn.com IN A
      Response:
        assets.msn.com IN CNAME assets.msn.com.edgekey.net
        assets.msn.com.edgekey.net IN CNAME e28578.d.akamaiedge.net
        e28578.d.akamaiedge.net IN A 2.22.245.146
        e28578.d.akamaiedge.net IN A 2.22.245.154
    • (ES) GET
      https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=e0a7d5bd-467f-4e6c-9f5f-97dd5999505a&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
      Remote address:
      2.22.245.146:443
      Request
      GET /serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=e0a7d5bd-467f-4e6c-9f5f-97dd5999505a&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask HTTP/2.0
      host: assets.msn.com
      x-search-account: None
      accept-encoding: gzip, deflate
      x-device-machineid: {46CAA714-52CC-4AB9-A019-1AE3E3C36027}
      x-userageclass: Unknown
      x-bm-market: US
      x-bm-dateformat: M/d/yyyy
      x-device-ossku: 48
      x-bm-dtz: 0
      x-deviceid: 0100B2E609000CC3
      x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11D898D7,FX:11DB147C,FX:11DE505A,FX:11E11E97,FX:11E3E2BA,FX:11E50151,FX:11E9EE98,FX:11F1992A,FX:11F4161E,FX:11F41B68,FX:11FB0F2F,FX:1201B330,FX:1202B7FC,FX:120BB68E,FX:121A20E1,FX:121BF15F,FX:121E5EC8,FX:122D8E86,FX:123031A3,FX:1231B88B,FX:123371B1,FX:1233C945,FX:123D7C31,FX:1240013C,FX:1246E4A3,FX:1248306D,FX:124B38D0,FX:1250080B,FX:125A7FDA,FX:1264FA75,FX:126DBC22,FX:127159BE,FX:12769734,FX:127C935B,FX:127DC03A,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:129135BB
      sitename: www.msn.com
      x-bm-theme: 000000;0078d7
      muid: D4EAFA4AA86940188882725C6E2EF215
      x-agent-deviceid: 0100B2E609000CC3
      x-bm-onlinesearchdisabled: true
      x-bm-cbt: 1681908441
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      x-device-isoptin: false
      accept-language: en-US, en
      x-device-touch: false
      x-device-clientsession: 4AB4187BE7A04773AB39A364BA0025FE
      cookie: MUID=D4EAFA4AA86940188882725C6E2EF215
      Response
      HTTP/2.0 200
      content-type: application/json; charset=utf-8
      server: Kestrel
      access-control-allow-credentials: true
      access-control-allow-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
      access-control-allow-methods: PUT,PATCH,POST,GET,OPTIONS,DELETE
      access-control-allow-origin: *.msn.com
      access-control-expose-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
      content-encoding: gzip
      ddd-authenticatedwithjwtflow: False
      ddd-usertype: AnonymousMuid
      ddd-tmpl: TeaserTemp_cold:1;lowC:0;TeaserVisibility_cold:1;partialResponse:1;winbadge:1;SevereWeather_cold:1;SportsMatch_all:1;coldStart:1;coldStartUpsell:1;tbn:0;Nowcast_cold:1;WildFire_cold:1;lowT:0
      x-wpo-activityid: 60A0E39A-BE5E-43B0-B3E3-4A5BCA3E62F1|2023-04-19T12:47:25.7032281Z|fabric:/wpo|WEU|WPO_103
      ddd-feednewsitemcount: 0
      ddd-activityid: 60a0e39a-be5e-43b0-b3e3-4a5bca3e62f1
      ddd-strategyexecutionlatency: 00:00:00.1698295
      ddd-debugid: 60a0e39a-be5e-43b0-b3e3-4a5bca3e62f1|2023-04-19T12:47:25.7121162Z|fabric:/winfeed|WEU|WinFeed_445
      onewebservicelatency: 171
      x-msedge-responseinfo: 171
      x-ceto-ref: 643fe2dd34aa4b85ac5fd21f1fc4bbc5|2023-04-19T12:47:25.536Z
      expires: Wed, 19 Apr 2023 12:47:25 GMT
      date: Wed, 19 Apr 2023 12:47:25 GMT
      content-length: 14526
      akamai-request-bc: [a=2.22.245.142,b=249288623,c=g,n=ES_MD_MADRID,o=20940],[a=20.23.114.34,c=o]
      server-timing: clientrtt; dur=31, clienttt; dur=210, origin; dur=210 , cdntime; dur=0
      akamai-cache-status: Miss from child
      akamai-server-ip: 2.22.245.142
      akamai-request-id: edbd7af
      x-as-suppresssetcookie: 1
      cache-control: private, max-age=0
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1}
      timing-allow-origin: *
      vary: Origin
    • (US) GET
      https://admiring-merkle.212-193-11-64.plesk.page/rex/admin/js/mj.php?ar=b2ZmaWNl&b64e=eTjQeIi&b64u=DKUsOTHK&conf=UITwDQXgTD&call=iRAyApH
      IEXPLORE.EXE
      Remote address:
      212.193.11.64:443
      Request
      GET /rex/admin/js/mj.php?ar=b2ZmaWNl&b64e=eTjQeIi&b64u=DKUsOTHK&conf=UITwDQXgTD&call=iRAyApH HTTP/2.0
      host: admiring-merkle.212-193-11-64.plesk.page
      accept: text/html, application/xhtml+xml, image/jxr, */*
      accept-language: en-US
      user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      accept-encoding: gzip, deflate
      Response
      HTTP/2.0 200
      server: nginx
      date: Wed, 19 Apr 2023 12:47:26 GMT
      content-type: application/javascript; charset=utf-8
      x-powered-by: PHP/8.0.28
      access-control-allow-origin: *
      access-control-allow-credentials: true
      access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
      x-powered-by: PleskLin
    • (US) DNS 95.221.229.192.in-addr.arpa, remote address 8.8.8.8:53
      Request: 95.221.229.192.in-addr.arpa IN PTR
      Response: (none)
    • (US) DNS 146.245.22.2.in-addr.arpa, remote address 8.8.8.8:53
      Request: 146.245.22.2.in-addr.arpa IN PTR
      Response: 146.245.22.2.in-addr.arpa IN PTR a2-22-245-146deploystaticakamaitechnologiescom
    • (US) DNS 67.55.52.23.in-addr.arpa, remote address 8.8.8.8:53
      Request: 67.55.52.23.in-addr.arpa IN PTR
      Response: 67.55.52.23.in-addr.arpa IN PTR a23-52-55-67deploystaticakamaitechnologiescom
    • (US) DNS 176.25.221.88.in-addr.arpa, remote address 8.8.8.8:53
      Request: 176.25.221.88.in-addr.arpa IN PTR
      Response: 176.25.221.88.in-addr.arpa IN PTR a88-221-25-176deploystaticakamaitechnologiescom
    • (US) DNS 64.11.193.212.in-addr.arpa, remote address 8.8.8.8:53
      Request: 64.11.193.212.in-addr.arpa IN PTR
      Response: (none)
    • (US) DNS 64.159.190.20.in-addr.arpa, remote address 8.8.8.8:53
      Request: 64.159.190.20.in-addr.arpa IN PTR
      Response: (none)
    • (US) DNS 133.211.185.52.in-addr.arpa, remote address 8.8.8.8:53
      Request: 133.211.185.52.in-addr.arpa IN PTR
      Response: (none)
    • (US) DNS 200.232.18.117.in-addr.arpa, remote address 8.8.8.8:53
      Request: 200.232.18.117.in-addr.arpa IN PTR
      Response: (none)
    • 2.22.245.146:443
      https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=e0a7d5bd-467f-4e6c-9f5f-97dd5999505a&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
      tls, http2
      3.1kB
      24.3kB
      31
      30

      HTTP Request

      GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=e0a7d5bd-467f-4e6c-9f5f-97dd5999505a&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask

      HTTP Response

      200
    • 212.193.11.64:443
      https://admiring-merkle.212-193-11-64.plesk.page/rex/admin/js/mj.php?ar=b2ZmaWNl&b64e=eTjQeIi&b64u=DKUsOTHK&conf=UITwDQXgTD&call=iRAyApH
      tls, http2
      IEXPLORE.EXE
      15.8kB
      442.4kB
      329
      323

      HTTP Request

      GET https://admiring-merkle.212-193-11-64.plesk.page/rex/admin/js/mj.php?ar=b2ZmaWNl&b64e=eTjQeIi&b64u=DKUsOTHK&conf=UITwDQXgTD&call=iRAyApH

      HTTP Response

      200
    • 212.193.11.64:443
      admiring-merkle.212-193-11-64.plesk.page
      tls, http2
      IEXPLORE.EXE
      1.1kB
      5.4kB
      15
      11
    • 52.152.108.96:443
      156 B
      3
    • 8.8.8.8:53
      admiring-merkle.212-193-11-64.plesk.page
      dns
      IEXPLORE.EXE
      86 B
      102 B
      1
      1

      DNS Request

      admiring-merkle.212-193-11-64.plesk.page

      DNS Response

      212.193.11.64

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      assets.msn.com
      dns
      60 B
      166 B
      1
      1

      DNS Request

      assets.msn.com

      DNS Response

      2.22.245.146
      2.22.245.154

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      146.245.22.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      146.245.22.2.in-addr.arpa

    • 8.8.8.8:53
      67.55.52.23.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      67.55.52.23.in-addr.arpa

    • 8.8.8.8:53
      176.25.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      176.25.221.88.in-addr.arpa

    • 8.8.8.8:53
      64.11.193.212.in-addr.arpa
      dns
      72 B
      132 B
      1
      1

      DNS Request

      64.11.193.212.in-addr.arpa

    • 8.8.8.8:53
      64.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      64.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      200.232.18.117.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      200.232.18.117.in-addr.arpa

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\mj.js.yw0bkb6.partial
      Filesize: 412KB
      MD5: 44178a743132d4291ea09cc01d3644bf
      SHA1: 6a5fda983ae7fad169ae24dda921923ff5fd1cf7
      SHA256: 76a36a8ece55cfc36faea08b566b60113f020c02a839347408e9e776f6b343d0
      SHA512: 58772472cf53ad2b598d29676afc507045da89ad8c48e6817baefaad00c75d0d15d3d55c70046c9657e61108ee27f7f073b9ba9a7bac7fa45708de4bdd2e1eb9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\mj[1].js
      Filesize: 412KB
      MD5: 44178a743132d4291ea09cc01d3644bf
      SHA1: 6a5fda983ae7fad169ae24dda921923ff5fd1cf7
      SHA256: 76a36a8ece55cfc36faea08b566b60113f020c02a839347408e9e776f6b343d0
      SHA512: 58772472cf53ad2b598d29676afc507045da89ad8c48e6817baefaad00c75d0d15d3d55c70046c9657e61108ee27f7f073b9ba9a7bac7fa45708de4bdd2e1eb9