Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/07/2023, 17:00 UTC

General

  • Target

    9a1710f89e7d7c_JC.exe

  • Size

    94KB

  • MD5

    9a1710f89e7d7cccc76591e856d9eaee

  • SHA1

    b2b14a4b9961b92e9523c3e7f0043730714d1675

  • SHA256

    4fd1858a55836f2d0eee3af8f76c28650de635fb351a6a9ca451c406add96320

  • SHA512

    f8d48829e40462f0d2a75278a8262ec555eff0fb03e86a3c528133526351bc64f78a7b94ad96d1abb67cc20f5e57c435a09b6d301855df786e9b4bcfc505529d

  • SSDEEP

    1536:ZzFbxmLPWQMOtEvwDpj386Sj/Rs580giz6SJ0U/WJpq8n:ZVxkGOtEvwDpjct

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a1710f89e7d7c_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\9a1710f89e7d7c_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system certificate store
      PID:3152

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.3.197.209.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.3.197.209.in-addr.arpa
    IN PTR
    Response
    8.3.197.209.in-addr.arpa
    IN PTR
    vip0x008.map2.ssl.hwcdn.net
  • flag-us
    DNS
    bestccc.com
    misid.exe
    Remote address:
    8.8.8.8:53
    Request
    bestccc.com
    IN A
    Response
    bestccc.com
    IN A
    103.14.121.240
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-in
    GET
    https://bestccc.com/hr/ho2.exe
    misid.exe
    Remote address:
    103.14.121.240:443
    Request
    GET /hr/ho2.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: bestccc.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 17 Jul 2023 17:00:22 GMT
    Server: Apache/2
    Content-Length: 315
    Content-Type: text/html; charset=iso-8859-1
  • flag-us
    DNS
    155.245.36.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    155.245.36.23.in-addr.arpa
    IN PTR
    Response
    155.245.36.23.in-addr.arpa
    IN PTR
    a23-36-245-155.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.121.14.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.121.14.103.in-addr.arpa
    IN PTR
    Response
    240.121.14.103.in-addr.arpa
    IN PTR
    103.14.121.240-static-reverse.gooddomainregistry.com
  • flag-us
    DNS
    54.120.234.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.120.234.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    54.120.234.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.120.234.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    54.120.234.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.120.234.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    54.120.234.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.120.234.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    54.120.234.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.120.234.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    101.15.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.15.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    crl.comodoca.com
    misid.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.comodoca.com
    IN A
    Response
    crl.comodoca.com
    IN CNAME
    crl.comodoca.com.cdn.cloudflare.net
    crl.comodoca.com.cdn.cloudflare.net
    IN A
    104.18.14.101
    crl.comodoca.com.cdn.cloudflare.net
    IN A
    104.18.15.101
  • flag-us
    GET
    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
    misid.exe
    Remote address:
    104.18.14.101:80
    Request
    GET /cPanelIncCertificationAuthority.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crl.comodoca.com
    Response
    HTTP/1.1 200 OK
    Date: Mon, 17 Jul 2023 17:00:40 GMT
    Content-Type: application/pkix-crl
    Content-Length: 57705
    Connection: keep-alive
    Last-Modified: Mon, 17 Jul 2023 14:17:57 GMT
    ETag: "64b54d95-e169"
    X-CCACDN-Mirror-ID: mscrl2
    Cache-Control: max-age=14400, s-maxage=3600
    Expires: Mon, 24 Jul 2023 14:17:57 GMT
    X-CCACDN-Proxy-ID: mcdpinlb6
    X-Frame-Options: SAMEORIGIN
    CF-Cache-Status: HIT
    Age: 2639
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 7e840ae0ee3a0e87-AMS
  • flag-us
    DNS
    101.14.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.14.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    126.177.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    126.177.238.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.77.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.77.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    27.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    27.73.42.20.in-addr.arpa
    IN PTR
    Response
  • 103.14.121.240:443
    https://bestccc.com/hr/ho2.exe
    tls, http
    misid.exe
    1.1kB
    5.8kB
    13
    9

    HTTP Request

    GET https://bestccc.com/hr/ho2.exe

    HTTP Response

    404
  • 104.18.14.101:80
    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
    http
    misid.exe
    1.3kB
    60.0kB
    26
    45

    HTTP Request

    GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    8.3.197.209.in-addr.arpa
    dns
    70 B
    111 B
    1
    1

    DNS Request

    8.3.197.209.in-addr.arpa

  • 8.8.8.8:53
    bestccc.com
    dns
    misid.exe
    57 B
    73 B
    1
    1

    DNS Request

    bestccc.com

    DNS Response

    103.14.121.240

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    155.245.36.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    155.245.36.23.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    240.121.14.103.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    240.121.14.103.in-addr.arpa

  • 8.8.8.8:53
    54.120.234.20.in-addr.arpa
    dns
    360 B
    5

    DNS Request

    54.120.234.20.in-addr.arpa

    DNS Request

    54.120.234.20.in-addr.arpa

    DNS Request

    54.120.234.20.in-addr.arpa

    DNS Request

    54.120.234.20.in-addr.arpa

    DNS Request

    54.120.234.20.in-addr.arpa

  • 8.8.8.8:53
    101.15.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.15.18.104.in-addr.arpa

  • 8.8.8.8:53
    crl.comodoca.com
    dns
    misid.exe
    62 B
    143 B
    1
    1

    DNS Request

    crl.comodoca.com

    DNS Response

    104.18.14.101
    104.18.15.101

  • 8.8.8.8:53
    101.14.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.14.18.104.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    126.177.238.8.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    126.177.238.8.in-addr.arpa

  • 8.8.8.8:53
    0.77.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    0.77.109.52.in-addr.arpa

  • 8.8.8.8:53
    27.73.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    27.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\misid.exe

    Filesize

    95KB

    MD5

    86bf518e82a0c09ec3939115718a646f

    SHA1

    9eb15f30768b7731174ac8858fd94230dfbac7df

    SHA256

    d8173dfb9e24e9a7e4baa305819c3f85ddd61ce810c446bd5f136e97c2f06a6f

    SHA512

    5641e619d06b12eb1ec2f92f51363fd1bfbf3d9175be78993087ff8b9e652bc1d68a468a1dc2e97924f5053989d7f5111302ed395c76535a054a656fba846121

  • C:\Users\Admin\AppData\Local\Temp\misids.exe

    Filesize

    315B

    MD5

    a34ac19f4afae63adc5d2f7bc970c07f

    SHA1

    a82190fc530c265aa40a045c21770d967f4767b8

    SHA256

    d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

    SHA512

    42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

  • memory/3152-150-0x0000000000450000-0x0000000000453000-memory.dmp

    Filesize

    12KB

  • memory/3152-153-0x00000000004D0000-0x00000000004D6000-memory.dmp

    Filesize

    24KB

  • memory/3152-154-0x00000000004F0000-0x00000000004F6000-memory.dmp

    Filesize

    24KB

  • memory/4068-133-0x00000000004F0000-0x00000000004F3000-memory.dmp

    Filesize

    12KB

  • memory/4068-134-0x00000000005B0000-0x00000000005B6000-memory.dmp

    Filesize

    24KB

  • memory/4068-135-0x00000000005B0000-0x00000000005B6000-memory.dmp

    Filesize

    24KB

  • memory/4068-136-0x00000000005D0000-0x00000000005D6000-memory.dmp

    Filesize

    24KB

  • memory/4068-152-0x00000000004F0000-0x00000000004F3000-memory.dmp

    Filesize

    12KB
