Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/08/2023, 07:08 UTC

General

  • Target

    ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe

  • Size

    25KB

  • MD5

    60f6e8250693d698945a9744a08aea75

  • SHA1

    c5391a4165c1df0686e7d312169c5881904a2bde

  • SHA256

    ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8

  • SHA512

    e8c353f365d835ee71dda5119cd6ac52f980d1639541a8c44eaf9eca8b2514b8f0af26e3e082c9219afcef63d271d9d03e3c7641608c99820c6a0462f3335e61

  • SSDEEP

    384:qc0J+vqBoLotA8oPNIrxKRQSv7QrzVVvOytGxboE9K/mKHrjpjv/+Vl:8Q3LotOPNSQVwVVxGKEvKHrV2l

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe
    "C:\Users\Admin\AppData\Local\Temp\ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\spoolsv.exe
      "C:\Windows\spoolsv.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      PID:1076

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.177.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.177.238.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    90.16.208.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.16.208.104.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    254.177.238.8.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    254.177.238.8.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    90.16.208.104.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    90.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    349KB

    MD5

    b52b2b139d128e200b9a6ae0442b25b0

    SHA1

    ef59b2b1461828144936cf5fd01435e394dec059

    SHA256

    91543fce51e1b0a22281e3213aa87a8a6f8279003dc50a2103f8f3c29c907f59

    SHA512

    f9cffe835718293d72bf78eb2a4206fe688d8d0dd1eb0045076caa53e9304d7b075cfc366b685337fe4f6558c7756ab8006b3fbf9b8e10c7e7e04a16d7a8da92

  • C:\Users\Admin\AppData\Local\Temp\TDLF8GD02OMACIq.exe

    Filesize

    25KB

    MD5

    e85618f74919ec8dc0161e08fa39904e

    SHA1

    c7a14a06aa22704226acd39a8b11639bd5c0d638

    SHA256

    b46acea9ec05e724354815194c67ee5b8a1bfda99e90171f2d9febd5d0921b8e

    SHA512

    9656da40c8777c357d610d02f7827fb5deef4914a0dff16b11224a09b404c2a31a9ec151763266d71cefb5c3d723eac4db34bd3c574917a1a5836c1eeb765200

  • C:\Windows\spoolsv.exe

    Filesize

    25KB

    MD5

    82071fd2379c64429acf376487fcddff

    SHA1

    2da42c7eaa62ecee65757b441c939f12b52228fb

    SHA256

    272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

    SHA512

    194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

  • C:\Windows\spoolsv.exe

    Filesize

    25KB

    MD5

    82071fd2379c64429acf376487fcddff

    SHA1

    2da42c7eaa62ecee65757b441c939f12b52228fb

    SHA256

    272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

    SHA512

    194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.