Analysis
max time kernel: 230s
max time network: 220s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 23:03 UTC
Static task: static1
Behavioral task: behavioral1
Sample: a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
Resource: win10v2004-20230915-en
General
Target: a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
Size: 11.5MB
MD5: ba34311071e0424ac600d01ff443955b
SHA1: 1a2da56a643b9ae481d02d6dd779896169e90de0
SHA256: a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127
SHA512: f8ba5b79759f0b844434d231562b33aec4ef8d9b0e296fbce2949fb865cd91ee32babbf3551315f90a7350e8f683d9f2e836158a0780925f654c9715cdca34f0
SSDEEP: 196608:8g6hakZlHYaYjfhaLAf1csxAr3mc9BDalQsfu2K6JlsRK87:QhXLYBjfbysxAr3mc9sCaJSRX7
Malware Config
Signatures
-
resource: behavioral2/files/0x0007000000022cbf-3.dat
yara_rule: aspack_v212_v242
-
Loads dropped DLL 2 IoCs
pid  Process
1400  a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
1400  a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
1400  a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
Processes
Network
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: 157.123.68.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 1.208.79.178.in-addr.arpa IN PTR
Response: 1.208.79.178.in-addr.arpa IN PTR https-178-79-208-1amsllnwnet
-
Remote address: 8.8.8.8:53
Request: 14.227.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 206.23.85.13.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 240.81.21.72.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 59.128.231.4.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 10.173.189.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 108.211.229.192.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 254.105.26.67.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 158.240.127.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 76.32.126.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: licvip1.maposafe.com IN A
Response: licvip1.maposafe.com IN A 180.188.22.217
-
Remote address: 8.8.8.8:53
Request: baklogin.maposafe.com IN A
Response:
baklogin.maposafe.com IN CNAME baklogin.maposafe.com.cdn.dnsv1.com.cn
baklogin.maposafe.com.cdn.dnsv1.com.cn IN CNAME j5nago0n.sched.sma.tdnsv5.com
j5nago0n.sched.sma.tdnsv5.com IN A 61.243.158.136
j5nago0n.sched.sma.tdnsv5.com IN A 218.60.51.110
j5nago0n.sched.sma.tdnsv5.com IN A 123.6.40.190
j5nago0n.sched.sma.tdnsv5.com IN A 61.243.158.245
j5nago0n.sched.sma.tdnsv5.com IN A 122.189.171.106
j5nago0n.sched.sma.tdnsv5.com IN A 36.248.64.77
j5nago0n.sched.sma.tdnsv5.com IN A 123.6.40.84
j5nago0n.sched.sma.tdnsv5.com IN A 42.56.78.61
j5nago0n.sched.sma.tdnsv5.com IN A 202.97.231.60
j5nago0n.sched.sma.tdnsv5.com IN A 218.60.51.58
j5nago0n.sched.sma.tdnsv5.com IN A 61.243.158.204
j5nago0n.sched.sma.tdnsv5.com IN A 61.243.158.244
j5nago0n.sched.sma.tdnsv5.com IN A 61.243.158.194
-
POST http://baklogin.maposafe.com/wx2.php?s=1697555741-rhfrrwwrhphwfparaphnnlihebrvkval-0-02dd61dc47e55d30bec17a74573dbf28
Process: a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
Remote address: 61.243.158.136:80
Request:
POST /wx2.php?s=1697555741-rhfrrwwrhphwfparaphnnlihebrvkval-0-02dd61dc47e55d30bec17a74573dbf28 HTTP/1.0
Host: baklogin.maposafe.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 350
Connection: keep-alive
Response:
HTTP/1.1 200 OK
Date: Tue, 17 Oct 2023 15:15:55 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
X-Cache-Lookup: Cache Miss
X-Cache-Lookup: Hit From Upstream Cluster
X-NWS-LOG-UUID: 7657155911396916924
Connection: keep-alive
X-Cache-Lookup: Cache Miss
-
Remote address: 8.8.8.8:53
Request: 136.158.243.61.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 38.148.119.40.in-addr.arpa IN PTR
Response: (empty)
-
180.188.22.217:80  licvip1.maposafe.com  a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe  104 B  2
-
61.243.158.136:80  http://baklogin.maposafe.com/wx2.php?s=1697555741-rhfrrwwrhphwfparaphnnlihebrvkval-0-02dd61dc47e55d30bec17a74573dbf28  http  a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe  906 B  1.4kB  7  7
HTTP Request: POST http://baklogin.maposafe.com/wx2.php?s=1697555741-rhfrrwwrhphwfparaphnnlihebrvkval-0-02dd61dc47e55d30bec17a74573dbf28
HTTP Response: 200
-
66 B  90 B  1  1
DNS Request: 8.8.8.8.in-addr.arpa
-
72 B  146 B  1  1
DNS Request: 157.123.68.40.in-addr.arpa
-
71 B  116 B  1  1
DNS Request: 1.208.79.178.in-addr.arpa
-
72 B  158 B  1  1
DNS Request: 14.227.111.52.in-addr.arpa
-
71 B  145 B  1  1
DNS Request: 206.23.85.13.in-addr.arpa
-
71 B  142 B  1  1
DNS Request: 240.81.21.72.in-addr.arpa
-
71 B  157 B  1  1
DNS Request: 59.128.231.4.in-addr.arpa
-
72 B  158 B  1  1
DNS Request: 10.173.189.20.in-addr.arpa
-
74 B  145 B  1  1
DNS Request: 108.211.229.192.in-addr.arpa
-
72 B  126 B  1  1
DNS Request: 254.105.26.67.in-addr.arpa
-
73 B  147 B  1  1
DNS Request: 158.240.127.40.in-addr.arpa
-
71 B  157 B  1  1
DNS Request: 76.32.126.40.in-addr.arpa
-
8.8.8.8:53  licvip1.maposafe.com  dns  a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe  66 B  82 B  1  1
DNS Request: licvip1.maposafe.com
DNS Response: 180.188.22.217
-
8.8.8.8:53  baklogin.maposafe.com  dns  a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe  67 B  367 B  1  1
DNS Request: baklogin.maposafe.com
DNS Response: 61.243.158.136, 218.60.51.110, 123.6.40.190, 61.243.158.245, 122.189.171.106, 36.248.64.77, 123.6.40.84, 42.56.78.61, 202.97.231.60, 218.60.51.58, 61.243.158.204, 61.243.158.244, 61.243.158.194
-
73 B  132 B  1  1
DNS Request: 136.158.243.61.in-addr.arpa
-
72 B  146 B  1  1
DNS Request: 38.148.119.40.in-addr.arpa
MITRE ATT&CK Matrix
Downloads
-
Filesize: 2.6MB
MD5: 14a4d83af50c93b1e5049e299e2ae93e
SHA1: 8d47d7fe0e7e289c0d1d1a778ff713e8b976160e
SHA256: 211bcaf4a5e850653e40a37d63f27479503d793053f801fd9d9a3238c463746b
SHA512: f02828c3a03c316396b3a1036799b38ca6d764d4dad430a9460a7253ccad98cb9a4f4fc15a1ee1cbc80cf2105c6e104dda41d5455c7c2378c9dc71de17fe2727
-
Filesize: 6.1MB
MD5: d7beff9a0702ee3433e352920a158306
SHA1: c659cd53a89b3ba8449b8040bc1b03f0fbafaeb6
SHA256: 12a3ecd17726e69fec15fca91d3e14cfe0657a3ee90bb3ff13ee10b4535b881f
SHA512: 7779d789056f345c2ca1a8f0dbbda860cedd64a8867255fa92786ab6a3789ff75acb771b2be75faa74408b5c9166e474f31424f0d34f1dccc59d5be9efcf65f1