Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f7645bad6a...ab.exe

windows7-x64

10

f7645bad6a...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/08/2023, 11:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe

  • Size

    5.8MB

  • MD5

    16a2507de605b6a55d68ef1d376d1a9d

  • SHA1

    6f4514a456804ffc7f3edf3d6b72059df95201b1

  • SHA256

    f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab

  • SHA512

    facf23c25431b03aa615a8330e1978ec1ac4568ff7e21867b6bb09ad777a369fed97bb29a7277c449e5ca3183aff9ed83e252b23c5e5aa6f95712dab505339b1

  • SSDEEP

    98304:AqVQ4tml/iUm4XHb8vFtYkQ1rSz9rAmLJHORm6UJamI3LeojzZARZpkAdcc6IjWF:/J+jX7oDCrSpru+W3KMZkvdagNXhJs0I

Score
10/10
chinese_generic_botnetbotnetpersistence

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet payload 2 IoCs
    botnet
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe
    "C:\Users\Admin\AppData\Local\Temp\f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\GameLoadep.exe
      C:\Windows\GameLoadep.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2864

Network

  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.158.241.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.158.241.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    108.211.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    108.211.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    126.151.241.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    126.151.241.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.77.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.77.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.179.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.179.89.13.in-addr.arpa
    IN PTR
    Response
  • 106.52.15.123:80
    GameLoadep.exe
    260 B
     120 B
     5
    3
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     120 B
     5
    3
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     120 B
     5
    3
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     120 B
     5
    3
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     160 B
     5
    4
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     160 B
     5
    4
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     40 B
     5
    1
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     160 B
     5
    4
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     80 B
     5
    2
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     160 B
     5
    4
  • 36.111.172.221:8000
    GameLoadep.exe
    260 B
     200 B
     5
    5
  • 36.111.172.221:8000
    GameLoadep.exe
    52 B
     40 B
     1
    1
  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    254.158.241.8.in-addr.arpa
    dns
    72 B
     126 B
     1
    1

    DNS Request

    254.158.241.8.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    108.211.229.192.in-addr.arpa
    dns
    74 B
     145 B
     1
    1

    DNS Request

    108.211.229.192.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    126.151.241.8.in-addr.arpa
    dns
    72 B
     126 B
     1
    1

    DNS Request

    126.151.241.8.in-addr.arpa

  • 8.8.8.8:53
    2.77.109.52.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    2.77.109.52.in-addr.arpa

  • 8.8.8.8:53
    9.179.89.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    9.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\GameLoadep.exe
    Filesize

    864KB

    MD5

    645a7e5dc4adc68141447b01cb9cec49

    SHA1

    2f83beeb3031aa238c8eba4ae04398ff38274780

    SHA256

    76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

    SHA512

    fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

    Download Submit

  • C:\Windows\GameLoadep.exe
    Filesize

    864KB

    MD5

    645a7e5dc4adc68141447b01cb9cec49

    SHA1

    2f83beeb3031aa238c8eba4ae04398ff38274780

    SHA256

    76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

    SHA512

    fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

    Download Submit

  • memory/2544-7392-0x0000000002970000-0x0000000002971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2544-134-0x0000000002970000-0x0000000002971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2544-136-0x0000000002970000-0x0000000002971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2544-7394-0x0000000002970000-0x0000000002971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2864-4015-0x00000000768D0000-0x0000000076A70000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2864-6024-0x0000000075BC0000-0x0000000075C3A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2864-140-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2864-141-0x00000000765B0000-0x00000000767C5000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2864-13211-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2864-13212-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2864-13214-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2864-13215-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2864-13216-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2864-13219-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.