Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

3

Invoice 005780013.exe

windows7-x64

1

Invoice 005780013.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2023, 00:39 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice 005780013.exe

  • Size

    764KB

  • MD5

    4ca48341486cc3b16b8d5af405fc46c0

  • SHA1

    8ea5b6cf0198aab1eca0ddee14182e8fd6d38935

  • SHA256

    820e1b2bff7decc1832bc8804a8329eb79278bcffce98a525fd12de46f89fffb

  • SHA512

    4bfe7086f208a8cea401fb47a3291660e8ff1fe9c564199ca15daf31ce5bd4c4700a0f887a3d79153c343662d3b3b65aa4b9235bd1a1862943366e5ff81cf245

  • SSDEEP

    12288:2iMri507DfNdCX446rveSnC9JqbVooxS/KbLZPj/+DQyoNb8hsOvOpZ8iOg:297NdCX4BvewC9YbVooxSinlj/QQyoJp

Score
3/10

Malware Config

Signatures

  • Program crash 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice 005780013.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice 005780013.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4532
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1976
      2⤵
      • Program crash
      PID:1816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1992
      2⤵
      • Program crash
      PID:752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4532 -ip 4532
    1⤵
      PID:3312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4532 -ip 4532
      1⤵
        PID:3668

      Network

      • flag-us
        DNS
        74.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        74.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        2.136.104.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        2.136.104.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        qu.ax
        Invoice 005780013.exe
        Remote address:
        8.8.8.8:53
        Request
        qu.ax
        IN A
        Response
        qu.ax
        IN A
        45.76.147.85
      • flag-sg
        GET
        https://qu.ax/zSib.mp4
        Invoice 005780013.exe
        Remote address:
        45.76.147.85:443
        Request
        GET /zSib.mp4 HTTP/1.1
        Host: qu.ax
        Connection: Keep-Alive
        Response
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Fri, 06 Oct 2023 00:39:25 GMT
        Content-Type: text/html
        Content-Length: 12273
        Connection: keep-alive
        Last-Modified: Sun, 05 Jun 2022 14:37:48 GMT
        Cache-Control: public, max-age=2592000
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      • flag-us
        DNS
        9.228.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        9.228.82.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        85.147.76.45.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        85.147.76.45.in-addr.arpa
        IN PTR
        Response
        85.147.76.45.in-addr.arpa
        IN PTR
        457614785vultrusercontentcom
      • flag-us
        DNS
        59.128.231.4.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        59.128.231.4.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        57.169.31.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        57.169.31.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        41.110.16.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        41.110.16.96.in-addr.arpa
        IN PTR
        Response
        41.110.16.96.in-addr.arpa
        IN PTR
        a96-16-110-41deploystaticakamaitechnologiescom
      • flag-us
        DNS
        103.169.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        103.169.127.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        55.36.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        55.36.223.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301370_1WTDA3QMJSZ92RY3W&pid=21.2&w=1080&h=1920&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301370_1WTDA3QMJSZ92RY3W&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 411543
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 1562A25B53C04B0E813537BCE505906A Ref B: AMS04EDGE2017 Ref C: 2023-10-06T00:40:02Z
        date: Fri, 06 Oct 2023 00:40:01 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301313_1BP2EQ0OTWFHQ8SRZ&pid=21.2&w=1920&h=1080&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301313_1BP2EQ0OTWFHQ8SRZ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 202205
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 62DF1577496D49ABA47DFE25C3D09C13 Ref B: AMS04EDGE2017 Ref C: 2023-10-06T00:40:02Z
        date: Fri, 06 Oct 2023 00:40:01 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301214_1PJAY06J5HO947G63&pid=21.2&w=1920&h=1080&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301214_1PJAY06J5HO947G63&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 360487
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: AA675A3454584E908019E4C42F3072E6 Ref B: AMS04EDGE2017 Ref C: 2023-10-06T00:40:02Z
        date: Fri, 06 Oct 2023 00:40:01 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317300937_1HHU6SR72RIO6JU61&pid=21.2&w=1920&h=1080&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317300937_1HHU6SR72RIO6JU61&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 373128
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 86BA8C9A725F42F1A4029F7E87264D59 Ref B: AMS04EDGE2017 Ref C: 2023-10-06T00:40:02Z
        date: Fri, 06 Oct 2023 00:40:01 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301623_1VUR2KBQVO06G93HJ&pid=21.2&w=1080&h=1920&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301623_1VUR2KBQVO06G93HJ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 238322
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: FDC8648E15914BE380E45B661648A1DF Ref B: AMS04EDGE2017 Ref C: 2023-10-06T00:40:02Z
        date: Fri, 06 Oct 2023 00:40:01 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301722_1F4YKJYAF8ND8YNWI&pid=21.2&w=1080&h=1920&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301722_1F4YKJYAF8ND8YNWI&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 366277
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: A68928AAFFBC460F92CDF7FCB66B947A Ref B: AMS04EDGE2017 Ref C: 2023-10-06T00:40:06Z
        date: Fri, 06 Oct 2023 00:40:05 GMT
      • flag-us
        DNS
        1.202.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        1.202.248.87.in-addr.arpa
        IN PTR
        Response
        1.202.248.87.in-addr.arpa
        IN PTR
        https-87-248-202-1amsllnwnet
      • flag-us
        DNS
        14.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.227.111.52.in-addr.arpa
        IN PTR
        Response
      • 45.76.147.85:443
        https://qu.ax/zSib.mp4
        tls, http
        Invoice 005780013.exe
        1.0kB
         17.9kB
         15
        20

        HTTP Request

        GET https://qu.ax/zSib.mp4

        HTTP Response

        404
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
         8.3kB
         16
        14
      • 204.79.197.200:443
        https://tse1.mm.bing.net/th?id=OADD2.10239317301722_1F4YKJYAF8ND8YNWI&pid=21.2&w=1080&h=1920&c=4
        tls, http2
        76.0kB
         2.0MB
         1472
        1468

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301370_1WTDA3QMJSZ92RY3W&pid=21.2&w=1080&h=1920&c=4

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301313_1BP2EQ0OTWFHQ8SRZ&pid=21.2&w=1920&h=1080&c=4

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301214_1PJAY06J5HO947G63&pid=21.2&w=1920&h=1080&c=4

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317300937_1HHU6SR72RIO6JU61&pid=21.2&w=1920&h=1080&c=4

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301623_1VUR2KBQVO06G93HJ&pid=21.2&w=1080&h=1920&c=4

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301722_1F4YKJYAF8ND8YNWI&pid=21.2&w=1080&h=1920&c=4

        HTTP Response

        200
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
         8.3kB
         16
        14
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
         8.3kB
         16
        14
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
         8.3kB
         16
        14
      • 8.8.8.8:53
        74.32.126.40.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        74.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        2.136.104.51.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        2.136.104.51.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        qu.ax
        dns
        Invoice 005780013.exe
        51 B
         67 B
         1
        1

        DNS Request

        qu.ax

        DNS Response

        45.76.147.85

      • 8.8.8.8:53
        9.228.82.20.in-addr.arpa
        dns
        70 B
         156 B
         1
        1

        DNS Request

        9.228.82.20.in-addr.arpa

      • 8.8.8.8:53
        85.147.76.45.in-addr.arpa
        dns
        71 B
         118 B
         1
        1

        DNS Request

        85.147.76.45.in-addr.arpa

      • 8.8.8.8:53
        59.128.231.4.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        59.128.231.4.in-addr.arpa

      • 8.8.8.8:53
        57.169.31.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        57.169.31.20.in-addr.arpa

      • 8.8.8.8:53
        41.110.16.96.in-addr.arpa
        dns
        71 B
         135 B
         1
        1

        DNS Request

        41.110.16.96.in-addr.arpa

      • 8.8.8.8:53
        103.169.127.40.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        103.169.127.40.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        55.36.223.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        55.36.223.20.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
         156 B
         1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        tse1.mm.bing.net
        dns
        62 B
         173 B
         1
        1

        DNS Request

        tse1.mm.bing.net

        DNS Response

        204.79.197.200
        13.107.21.200

      • 8.8.8.8:53
        1.202.248.87.in-addr.arpa
        dns
        71 B
         116 B
         1
        1

        DNS Request

        1.202.248.87.in-addr.arpa

      • 8.8.8.8:53
        14.227.111.52.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        14.227.111.52.in-addr.arpa

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4532-0-0x0000000000960000-0x0000000000A26000-memory.dmp

        Filesize

        792KB

        Download

      • memory/4532-1-0x0000000074970000-0x0000000075120000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4532-2-0x0000000005580000-0x0000000005590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-3-0x0000000001540000-0x0000000001548000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4532-4-0x0000000074970000-0x0000000075120000-memory.dmp

        Filesize

        7.7MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.