Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    274s
  • max time network
    277s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/05/2023, 09:05 UTC

General

  • Target

    0x0003000000000733-166/temp.exe

  • Size

    15KB

  • MD5

    41ccf51b3a24d3e1c6c9af8b0757022f

  • SHA1

    acfc57baadd14e910d0b8da2064ed3252c7a5ae4

  • SHA256

    c91ff88ac8b096bd1a10929dd500eb7bc53622a070cd7fc1b1d541eab2d16630

  • SHA512

    3c873540ff416d7ea4b7c6b7adf225d990c3a0eb968da42f9bca385cce60986561163967ae1587f129ca60762f76b6038dc13846eb9ec28d4ad516302fe2d0e3

  • SSDEEP

    384:6FLOnmzHEiSRVtE464nnnnn1zmijBnnndITSPtp57:6ximzHDku46Omz2

Score
1/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x0003000000000733-166\temp.exe (PID 1344, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\0x0003000000000733-166\temp.exe"
    • Suspicious use of WriteProcessMemory
    • \??\c:\windows\System32\wermgr.exe (PID 1980, depth 2, child of PID 1344)
      c:\windows\System32\wermgr.exe
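The process tree is the part of this report worth keying on: the 15 KB sample itself performs no network activity, it starts wermgr.exe with a bare command line and the only signature that fires is WriteProcessMemory against it, and from then on every DNS and HTTP exchange below is attributed to wermgr.exe. The 1/10 score reflects that no family configuration was extracted, not that the behaviour is benign. The following check, added here as an example and not tria.ge code, flags wermgr.exe launches that depart from the Windows Error Reporting baseline. The event records are constructed to mirror the tree above (PID 1344 starting PID 1980) plus one benign launch for contrast; the baseline itself (wermgr.exe is normally started by svchost.exe or WerFault.exe and always carries a switch such as -upload or -queuereporting) is an assumption to tune against your own telemetry.

```python
"""Flag wermgr.exe launches that depart from the Windows Error Reporting baseline.

Added example for the process tree above; it is not tria.ge code.  The events
below are constructed to mirror the report (temp.exe PID 1344 starting
wermgr.exe PID 1980 with a bare command line) plus one benign launch for
contrast.  The baseline (assumption, tune against your own telemetry): WER
starts wermgr.exe from svchost.exe or WerFault.exe and always passes a switch
such as -upload or -queuereporting.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # command line as logged
    parent_image: str   # full path of the parent


# Assumed legitimate parents / locations (see docstring).
EXPECTED_PARENTS = {"svchost.exe", "werfault.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def flag_wermgr(events):
    """Map PID -> list of reasons for every wermgr.exe launch that looks abused."""
    findings = {}
    for ev in events:
        if _base(ev.image) != "wermgr.exe":
            continue
        reasons = []
        parent = _base(ev.parent_image)
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent} (pid {ev.ppid})")
        if any(marker in ev.parent_image.lower() for marker in USER_WRITABLE):
            reasons.append("parent image lives in a user-writable directory")
        # WER always passes a switch; a bare image path is the injection-host
        # pattern.  (Image paths containing spaces would need a real Windows
        # command-line parser; the sample paths here contain none.)
        tokens = ev.cmdline.strip('"').split()
        if len(tokens) < 2 or not tokens[1].startswith("-"):
            reasons.append("no WER switch on the command line")
        if reasons:
            findings[ev.pid] = reasons
    return findings


def sample_events():
    """Constructed events: the report's tree plus a benign WER upload."""
    tmp = r"C:\Users\Admin\AppData\Local\Temp\0x0003000000000733-166\temp.exe"
    return [
        ProcEvent(1344, 900, tmp, f'"{tmp}"', r"C:\Windows\explorer.exe"),
        ProcEvent(1980, 1344, r"c:\windows\System32\wermgr.exe",
                  r"c:\windows\System32\wermgr.exe", tmp),
        ProcEvent(2210, 760, r"C:\Windows\System32\wermgr.exe",
                  r"C:\Windows\System32\wermgr.exe -upload",
                  r"C:\Windows\System32\svchost.exe"),
    ]


if __name__ == "__main__":
    for pid, reasons in flag_wermgr(sample_events()).items():
        print(pid, "->", "; ".join(reasons))
```

Only PID 1980 is flagged, on all three counts; the svchost.exe-launched `wermgr.exe -upload` passes. The same three conditions translate directly into a process-creation rule for Sysmon Event ID 1 or Security 4688 telemetry.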

    Network

    • US
      DNS
      home-hsf2czcghwhjg7fh.z01.azurefd.net
      wermgr.exe
      Remote address:
      8.8.8.8:53
      Request
      home-hsf2czcghwhjg7fh.z01.azurefd.net
      IN A
      Response
      home-hsf2czcghwhjg7fh.z01.azurefd.net
      IN CNAME
      star-azurefd-prod.trafficmanager.net
      star-azurefd-prod.trafficmanager.net
      IN CNAME
      shed.dual-low.part-0020.t-0009.fdv2-t-msedge.net
      shed.dual-low.part-0020.t-0009.fdv2-t-msedge.net
      IN CNAME
      part-0020.t-0009.fdv2-t-msedge.net
      part-0020.t-0009.fdv2-t-msedge.net
      IN A
      13.107.237.48
      part-0020.t-0009.fdv2-t-msedge.net
      IN A
      13.107.238.48
    • US
      GET
      https://home-hsf2czcghwhjg7fh.z01.azurefd.net/z4lC
      wermgr.exe
      Remote address:
      13.107.237.48:443
      Request
      GET /z4lC HTTP/1.1
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Host: home-hsf2czcghwhjg7fh.z01.azurefd.net
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Content-Length: 296011
      Content-Type: application/octet-stream
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0aV5bZAAAAADURf6iZs93S6rXWpZOW4jiQU1TMDRFREdFMTgxNQAwODYzNGVlNi1iY2VkLTQ1MDktODkxNy02MDNhNjE0Y2Q5YTY=
      Date: Wed, 10 May 2023 09:05:45 GMT
    • US
      DNS
      tasks-h8h4grdydtasfjck.z01.azurefd.net
      wermgr.exe
      Remote address:
      8.8.8.8:53
      Request
      tasks-h8h4grdydtasfjck.z01.azurefd.net
      IN A
      Response
      tasks-h8h4grdydtasfjck.z01.azurefd.net
      IN CNAME
      star-azurefd-prod.trafficmanager.net
      star-azurefd-prod.trafficmanager.net
      IN CNAME
      shed.dual-low.part-0040.t-0009.fdv2-t-msedge.net
      shed.dual-low.part-0040.t-0009.fdv2-t-msedge.net
      IN CNAME
      global-entry-afdthirdparty-fallback-first.trafficmanager.net
      global-entry-afdthirdparty-fallback-first.trafficmanager.net
      IN CNAME
      shed.dual-low.part-0040.t-0009.fb-t-msedge.net
      shed.dual-low.part-0040.t-0009.fb-t-msedge.net
      IN CNAME
      part-0040.t-0009.fb-t-msedge.net
      part-0040.t-0009.fb-t-msedge.net
      IN A
      13.107.253.68
      part-0040.t-0009.fb-t-msedge.net
      IN A
      13.107.226.68
    • US
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eTVW1hPVHGMA7VpSPaOwc-D2bqjpISJezTEs992NnSG971N6832IcfXP3lUrzMMb-OYzPBhfcqxRCnS_5IXC5Eg7HSsXcTAwp7V8S1W7A17qXAJe4AFUT0XT6GvGr8weHg1DIS5-sDQQf6Z3VNEXH6xQU_R548nR-trm9HFXrl_8
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 80
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0bF5bZAAAAACViyzCKzexQ54Neb/NjiQ+RlJBMjMxMDUwNDE3MDUxAGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:05:49 GMT
    • US
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eTVW1hPVHGMA7VpSPaOwc-D2bqjpISJezTEs992NnSG971N6832IcfXP3lUrzMMb-OYzPBhfcqxRCnS_5IXC5Eg7HSsXcTAwp7V8S1W7A17qXAJe4AFUT0XT6GvGr8weHg1DIS5-sDQQf6Z3VNEXH6xQU_R548nR-trm9HFXrl_8
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 48
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0nF5bZAAAAABdhLG3bUhXSpXEm4eNejjiRlJBMjMxMDUwNDE5MDMzAGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:06:36 GMT
    • US
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eTVW1hPVHGMA7VpSPaOwc-D2bqjpISJezTEs992NnSG971N6832IcfXP3lUrzMMb-OYzPBhfcqxRCnS_5IXC5Eg7HSsXcTAwp7V8S1W7A17qXAJe4AFUT0XT6GvGr8weHg1DIS5-sDQQf6Z3VNEXH6xQU_R548nR-trm9HFXrl_8
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 64
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0zV5bZAAAAABj90uaIDmTRJw2eoH9V+hlRlJBMjMxMDUwNDIwMDUxAGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:07:25 GMT
    • US
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eTVW1hPVHGMA7VpSPaOwc-D2bqjpISJezTEs992NnSG971N6832IcfXP3lUrzMMb-OYzPBhfcqxRCnS_5IXC5Eg7HSsXcTAwp7V8S1W7A17qXAJe4AFUT0XT6GvGr8weHg1DIS5-sDQQf6Z3VNEXH6xQU_R548nR-trm9HFXrl_8
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 64
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0AF9bZAAAAAC2bxIJ0JoHRYmbNJ4NST51TE9OMjEyMDUwNzE4MDMzAGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:08:17 GMT
    • US
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eTVW1hPVHGMA7VpSPaOwc-D2bqjpISJezTEs992NnSG971N6832IcfXP3lUrzMMb-OYzPBhfcqxRCnS_5IXC5Eg7HSsXcTAwp7V8S1W7A17qXAJe4AFUT0XT6GvGr8weHg1DIS5-sDQQf6Z3VNEXH6xQU_R548nR-trm9HFXrl_8
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 80
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0NV9bZAAAAABGwKtR8a3eS5O9qSxorj/4RlJBMjMxMDUwNDE4MDMxAGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:09:10 GMT
    • US
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eTVW1hPVHGMA7VpSPaOwc-D2bqjpISJezTEs992NnSG971N6832IcfXP3lUrzMMb-OYzPBhfcqxRCnS_5IXC5Eg7HSsXcTAwp7V8S1W7A17qXAJe4AFUT0XT6GvGr8weHg1DIS5-sDQQf6Z3VNEXH6xQU_R548nR-trm9HFXrl_8
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 48
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0Zl9bZAAAAAAA1glteKsESov6U0vBaeyCUEFSMjAxMDMxMDExMDQ3AGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:09:59 GMT
    • 13.107.237.48:443
      https://home-hsf2czcghwhjg7fh.z01.azurefd.net/z4lC
      tls, http
      wermgr.exe
      6.9kB
      315.5kB
      135
      260

      HTTP Request

      GET https://home-hsf2czcghwhjg7fh.z01.azurefd.net/z4lC

      HTTP Response

      200
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.4kB
      8.1kB
      9
      14

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.5kB
      8.0kB
      9
      14

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.5kB
      8.0kB
      9
      14

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.5kB
      8.0kB
      9
      14

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.5kB
      8.0kB
      9
      13

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.5kB
      8.0kB
      9
      13

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 8.8.8.8:53
      home-hsf2czcghwhjg7fh.z01.azurefd.net
      dns
      wermgr.exe
      83 B
      235 B
      1
      1

      DNS Request

      home-hsf2czcghwhjg7fh.z01.azurefd.net

      DNS Response

      13.107.237.48
      13.107.238.48

    • 8.8.8.8:53
      tasks-h8h4grdydtasfjck.z01.azurefd.net
      dns
      wermgr.exe
      84 B
      349 B
      1
      1

      DNS Request

      tasks-h8h4grdydtasfjck.z01.azurefd.net

      DNS Response

      13.107.253.68
      13.107.226.68

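Two things in the network log above deserve a closer look than the score suggests. First, wermgr.exe fetches a single 296011-byte application/octet-stream body from the four-character path /z4lC, then polls a second host every 47 to 53 seconds (the response Date headers run 09:05:49, 09:06:36, 09:07:25, 09:08:17, 09:09:10, 09:09:59) for tiny gzip bodies served under a /safebrowsing/ path with a long REF=ID= cookie. Second, the User-Agent claims macOS while the sending process runs on Windows 7. The checks below, added here as an example and not tria.ge code, compute that cadence and flag the stage-download shape and the platform mismatch; REQUESTS is transcribed from the report, and the timestamps are the responses' Date headers, used as a server-side proxy because the report records no client-side request time.

```python
"""Cadence and header checks over the HTTP exchanges wermgr.exe made above.

Added example, not tria.ge code.  REQUESTS is transcribed from the report; the
timestamps are the responses' Date headers, used as a server-side proxy for
the check-in times because the report records no client-side request time.
"""
from email.utils import parsedate_to_datetime
from statistics import mean

STAGER_HOST = "home-hsf2czcghwhjg7fh.z01.azurefd.net"
BEACON_HOST = "tasks-h8h4grdydtasfjck.z01.azurefd.net"
BEACON_PATH = "/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7"
CHUNK = "application/vnd.google.safebrowsing-chunk"

# (response Date, host, path, Content-Length, Content-Type), from the report
REQUESTS = [
    ("Wed, 10 May 2023 09:05:45 GMT", STAGER_HOST, "/z4lC", 296011, "application/octet-stream"),
    ("Wed, 10 May 2023 09:05:49 GMT", BEACON_HOST, BEACON_PATH, 80, CHUNK),
    ("Wed, 10 May 2023 09:06:36 GMT", BEACON_HOST, BEACON_PATH, 48, CHUNK),
    ("Wed, 10 May 2023 09:07:25 GMT", BEACON_HOST, BEACON_PATH, 64, CHUNK),
    ("Wed, 10 May 2023 09:08:17 GMT", BEACON_HOST, BEACON_PATH, 64, CHUNK),
    ("Wed, 10 May 2023 09:09:10 GMT", BEACON_HOST, BEACON_PATH, 80, CHUNK),
    ("Wed, 10 May 2023 09:09:59 GMT", BEACON_HOST, BEACON_PATH, 48, CHUNK),
]
USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36")


def beacon_intervals(requests, host):
    """Seconds between successive responses from one host, in time order."""
    times = sorted(parsedate_to_datetime(d) for d, h, *_ in requests if h == host)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def cadence(intervals, min_samples=4, max_jitter=0.5):
    """Mean sleep and relative spread; a tight spread over several samples is beacon-like."""
    m = mean(intervals)
    jitter = (max(intervals) - min(intervals)) / m
    return {"mean_s": m, "jitter": round(jitter, 2),
            "beacon_like": len(intervals) >= min_samples and jitter <= max_jitter}


def stager_candidates(requests, min_bytes=100_000, max_path=8):
    """Large binary bodies served from a short path: the shape of a stage download."""
    return [path for _, _, path, length, ctype in requests
            if ctype == "application/octet-stream"
            and length >= min_bytes and len(path.strip("/")) <= max_path]


def ua_platform(ua):
    """Platform the User-Agent claims, or None if it names none."""
    for marker, platform in (("Windows", "Windows"), ("Macintosh", "macOS"), ("Linux", "Linux")):
        if marker in ua:
            return platform
    return None


def ua_mismatch(ua, process_platform="Windows"):
    """True when the UA claims a platform the sending process does not run on."""
    claimed = ua_platform(ua)
    return claimed is not None and claimed != process_platform


if __name__ == "__main__":
    iv = beacon_intervals(REQUESTS, BEACON_HOST)
    print("intervals:", iv, cadence(iv))
    print("stager candidates:", stager_candidates(REQUESTS))
    print("UA mismatch:", ua_mismatch(USER_AGENT))
```

On this data the intervals are [47, 49, 52, 53, 49], a 50-second mean with about 12% spread, /z4lC is the one stage-download candidate, and the UA mismatch is true. Both hosts resolve through Azure Front Door (the CNAME chains end in *.t-msedge.net), so the IP addresses are shared CDN edges and poor blocking indicators; the two azurefd.net hostnames, the /safebrowsing/ path, the REF=ID= cookie and the cadence are the durable ones. The CryptnetUrlCache entry under Downloads is the certificate chain / revocation data Windows fetched during the TLS handshakes, not content the malware wrote.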
    MITRE ATT&CK Matrix

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      62KB

      MD5

      b5fcc55cffd66f38d548e8b63206c5e6

      SHA1

      79db08ababfa33a4f644fa8fe337195b5aba44c7

      SHA256

      7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

      SHA512

      aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

    • memory/1344-54-0x000000013FC50000-0x000000013FC58000-memory.dmp

      Filesize

      32KB

    • memory/1980-97-0x0000000003140000-0x0000000003278000-memory.dmp

      Filesize

      1.2MB

    • memory/1980-119-0x0000000002D40000-0x0000000002E41000-memory.dmp

      Filesize

      1.0MB

    • memory/1980-141-0x0000000000430000-0x0000000000432000-memory.dmp

      Filesize

      8KB

    • memory/1980-142-0x0000000002D40000-0x0000000002E41000-memory.dmp

      Filesize

      1.0MB
