Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

garagula.exe

windows7-x64

1

garagula.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    111s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 12:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    garagula.exe

  • Size

    306KB

  • MD5

    699e657c4fa3284c3c87bdf19fa36cf5

  • SHA1

    fa950f48df0ef532239443b6a290b35cab75fd3a

  • SHA256

    5b3c365cffe1afef52d38aa90267929d0f4f485241d377ee47dadf9eba63ebe9

  • SHA512

    1011c215de0921a53ec720d833e6073be4184134c66e8c30f59db9c6544f1e49cbcb0d6dcda2f88d589bc960fe937175dae0c1001f3bdaf23bf8cc4a32bc4882

  • SSDEEP

    6144:WPLdBmvke5dEtvHVcT6MXUKUNBOA4gygC/jwjrC4a/NF1IPP:oB7pUEnHSgCMG/NF1q

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\garagula.exe
    "C:\Users\Admin\AppData\Local\Temp\garagula.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916

Network

  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.121.24.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.121.24.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    47.125.24.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.125.24.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    113.238.32.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    113.238.32.23.in-addr.arpa
    IN PTR
    Response
    113.238.32.23.in-addr.arpa
    IN PTR
    a23-32-238-113deploystaticakamaitechnologiescom
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    233.141.123.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.141.123.20.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.203:80
    46 B
     1
  • 45.93.201.114:80
    powershell.exe
    260 B
     5
  • 52.152.110.14:443
    260 B
     5
  • 20.42.73.24:443
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 173.223.113.164:443
    322 B
     7
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    134.121.24.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    134.121.24.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    47.125.24.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    47.125.24.20.in-addr.arpa

  • 8.8.8.8:53
    113.238.32.23.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    113.238.32.23.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    233.141.123.20.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    233.141.123.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4ax5fpw.p0x.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/916-144-0x0000000005400000-0x0000000005466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/916-159-0x0000000007080000-0x000000000709A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/916-163-0x00000000023E0000-0x00000000023F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/916-162-0x00000000023E0000-0x00000000023F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/916-139-0x0000000002340000-0x0000000002376000-memory.dmp

    Filesize

    216KB

    Download

  • memory/916-140-0x0000000004DD0000-0x00000000053F8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/916-141-0x00000000023E0000-0x00000000023F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/916-142-0x00000000023E0000-0x00000000023F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/916-143-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/916-161-0x00000000023E0000-0x00000000023F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/916-160-0x00000000023E0000-0x00000000023F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/916-155-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/916-150-0x00000000055E0000-0x0000000005646000-memory.dmp

    Filesize

    408KB

    Download

  • memory/916-156-0x0000000006E80000-0x0000000006EC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/916-157-0x0000000006FE0000-0x0000000007056000-memory.dmp

    Filesize

    472KB

    Download

  • memory/916-158-0x00000000076E0000-0x0000000007D5A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1996-134-0x00000000053B0000-0x0000000005954000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1996-135-0x0000000004EA0000-0x0000000004F32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1996-133-0x0000000000370000-0x00000000003BE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1996-137-0x0000000004E00000-0x0000000004E0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1996-136-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.