Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

winprofile

windows7-x64

7

winprofile

windows10-1703-x64

7

Resubmissions

04/08/2023, 06:36 UTC

230804-hcw6tsba3v 7

04/08/2023, 04:51 UTC

230804-fgx8kshf35 7

Analysis

  • max time kernel
    120s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    04/08/2023, 04:51 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe

  • Size

    432KB

  • MD5

    f376019d6ec0c38839a56bfb8d59f562

  • SHA1

    0333cea784d5ed59fd67619c27f053cdfd4221df

  • SHA256

    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08

  • SHA512

    13900b1fed10dfbe222ce6d65f8995ba79448b8472115eb26cf744ec6aa2e198e0a7543cc6141986f50f39cf767e7b327452e9cdb308e9bd5cb8568c45b6ef96

  • SSDEEP

    12288:mz7hU5I5yuNHIgzSFKxWltRohBfSTso93UyY1k:mf+iN57Gtene3A1k

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    "C:\Users\Admin\AppData\Local\Temp\dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2156

Network

  • flag-ru
    GET
    http://5.42.64.2/ip.php
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    Remote address:
    5.42.64.2:80
    Request
    GET /ip.php HTTP/1.1
    User-Agent: Ja9m-ae*8j-w-0R3KP9F
    Host: 5.42.64.2
    Response
    HTTP/1.1 200 OK
    Date: Fri, 04 Aug 2023 04:51:25 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 12
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    script.google.com
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    Remote address:
    8.8.8.8:53
    Request
    script.google.com
    IN A
    Response
    script.google.com
    IN A
    172.217.23.206
  • flag-de
    GET
    https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=testsc:Q5pSsYibZ1&ip=154.61.71.51
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    Remote address:
    172.217.23.206:443
    Request
    GET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=testsc:Q5pSsYibZ1&ip=154.61.71.51 HTTP/1.1
    User-Agent: Ja9m-ae*8j-w-0R3KP9F
    Host: script.google.com
    Response
    HTTP/1.1 302 Moved Temporarily
    Content-Type: text/html; charset=UTF-8
    Access-Control-Allow-Origin: *
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 04 Aug 2023 04:51:27 GMT
    Location: https://script.googleusercontent.com/macros/echo?user_content_key=zUKKNkkuwlgm4gBCfkpYIxKvZDAkqqyYMx6KxNZjxa9AuiZZgEiNytQyuMudp5aN-cx4utm-mDjdVJgZfBuwL4nkiRpqPvPNOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMzA99tazqmqO1Snp_YiXaWehHLgX6FPG5CrqAi9qdupvOP4c_Gdb07O&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
  • flag-us
    DNS
    script.googleusercontent.com
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    Remote address:
    8.8.8.8:53
    Request
    script.googleusercontent.com
    IN A
    Response
    script.googleusercontent.com
    IN CNAME
    googlehosted.l.googleusercontent.com
    googlehosted.l.googleusercontent.com
    IN A
    142.251.36.1
  • flag-nl
    GET
    https://script.googleusercontent.com/macros/echo?user_content_key=zUKKNkkuwlgm4gBCfkpYIxKvZDAkqqyYMx6KxNZjxa9AuiZZgEiNytQyuMudp5aN-cx4utm-mDjdVJgZfBuwL4nkiRpqPvPNOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMzA99tazqmqO1Snp_YiXaWehHLgX6FPG5CrqAi9qdupvOP4c_Gdb07O&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    Remote address:
    142.251.36.1:443
    Request
    GET /macros/echo?user_content_key=zUKKNkkuwlgm4gBCfkpYIxKvZDAkqqyYMx6KxNZjxa9AuiZZgEiNytQyuMudp5aN-cx4utm-mDjdVJgZfBuwL4nkiRpqPvPNOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMzA99tazqmqO1Snp_YiXaWehHLgX6FPG5CrqAi9qdupvOP4c_Gdb07O&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D HTTP/1.1
    User-Agent: Ja9m-ae*8j-w-0R3KP9F
    Host: script.googleusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/plain; charset=utf-8
    Access-Control-Allow-Origin: *
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 04 Aug 2023 04:51:27 GMT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
    Transfer-Encoding: chunked
  • 5.42.64.2:80
    http://5.42.64.2/ip.php
    http
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    311 B
     492 B
     5
    4

    HTTP Request

    GET http://5.42.64.2/ip.php

    HTTP Response

    200
  • 172.217.23.206:443
    https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=testsc:Q5pSsYibZ1&ip=154.61.71.51
    tls, http
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    1.0kB
     9.1kB
     11
    14

    HTTP Request

    GET https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=testsc:Q5pSsYibZ1&ip=154.61.71.51

    HTTP Response

    302
  • 142.251.36.1:443
    https://script.googleusercontent.com/macros/echo?user_content_key=zUKKNkkuwlgm4gBCfkpYIxKvZDAkqqyYMx6KxNZjxa9AuiZZgEiNytQyuMudp5aN-cx4utm-mDjdVJgZfBuwL4nkiRpqPvPNOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMzA99tazqmqO1Snp_YiXaWehHLgX6FPG5CrqAi9qdupvOP4c_Gdb07O&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
    tls, http
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    1.3kB
     10.2kB
     10
    13

    HTTP Request

    GET https://script.googleusercontent.com/macros/echo?user_content_key=zUKKNkkuwlgm4gBCfkpYIxKvZDAkqqyYMx6KxNZjxa9AuiZZgEiNytQyuMudp5aN-cx4utm-mDjdVJgZfBuwL4nkiRpqPvPNOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMzA99tazqmqO1Snp_YiXaWehHLgX6FPG5CrqAi9qdupvOP4c_Gdb07O&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D

    HTTP Response

    200
  • 8.8.8.8:53
    script.google.com
    dns
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    63 B
     79 B
     1
    1

    DNS Request

    script.google.com

    DNS Response

    172.217.23.206

  • 8.8.8.8:53
    script.googleusercontent.com
    dns
    dee5ececef7e335862abc110fd63838c25792dffb27ee5d05253fd0a6be44b08.exe
    74 B
     119 B
     1
    1

    DNS Request

    script.googleusercontent.com

    DNS Response

    142.251.36.1

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2156-54-0x0000000000240000-0x0000000000345000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2156-75-0x0000000000240000-0x0000000000345000-memory.dmp

    Filesize

    1.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.