Analysis

  • max time kernel
    230s
  • max time network
    220s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2023, 23:03 UTC

General

  • Target

    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe

  • Size

    11.5MB

  • MD5

    ba34311071e0424ac600d01ff443955b

  • SHA1

    1a2da56a643b9ae481d02d6dd779896169e90de0

  • SHA256

    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127

  • SHA512

    f8ba5b79759f0b844434d231562b33aec4ef8d9b0e296fbce2949fb865cd91ee32babbf3551315f90a7350e8f683d9f2e836158a0780925f654c9715cdca34f0

  • SSDEEP

    196608:8g6hakZlHYaYjfhaLAf1csxAr3mc9BDalQsfu2K6JlsRK87:QhXLYBjfbysxAr3mc9sCaJSRX7

Score
7/10

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
    "C:\Users\Admin\AppData\Local\Temp\a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    PID:1400

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.208.79.178.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.208.79.178.in-addr.arpa
    IN PTR
    Response
    1.208.79.178.in-addr.arpa
    IN PTR
    https-178-79-208-1amsllnwnet
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.81.21.72.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.81.21.72.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    108.211.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    108.211.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.105.26.67.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.105.26.67.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    licvip1.maposafe.com
    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
    Remote address:
    8.8.8.8:53
    Request
    licvip1.maposafe.com
    IN A
    Response
    licvip1.maposafe.com
    IN A
    180.188.22.217
  • flag-us
    DNS
    baklogin.maposafe.com
    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
    Remote address:
    8.8.8.8:53
    Request
    baklogin.maposafe.com
    IN A
    Response
    baklogin.maposafe.com
    IN CNAME
    baklogin.maposafe.com.cdn.dnsv1.com.cn
    baklogin.maposafe.com.cdn.dnsv1.com.cn
    IN CNAME
    j5nago0n.sched.sma.tdnsv5.com
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    61.243.158.136
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    218.60.51.110
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    123.6.40.190
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    61.243.158.245
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    122.189.171.106
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    36.248.64.77
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    123.6.40.84
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    42.56.78.61
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    202.97.231.60
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    218.60.51.58
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    61.243.158.204
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    61.243.158.244
    j5nago0n.sched.sma.tdnsv5.com
    IN A
    61.243.158.194
  • flag-cn
    POST
    http://baklogin.maposafe.com/wx2.php?s=1697555741-rhfrrwwrhphwfparaphnnlihebrvkval-0-02dd61dc47e55d30bec17a74573dbf28
    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
    Remote address:
    61.243.158.136:80
    Request
    POST /wx2.php?s=1697555741-rhfrrwwrhphwfparaphnnlihebrvkval-0-02dd61dc47e55d30bec17a74573dbf28 HTTP/1.0
    Host:baklogin.maposafe.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 350
    Connection:keep-alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 17 Oct 2023 15:15:55 GMT
    Content-Type: text/html; charset=utf-8
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    X-Powered-By: PHP/7.4.33
    X-Cache-Lookup: Cache Miss
    X-Cache-Lookup: Hit From Upstream Cluster
    X-NWS-LOG-UUID: 7657155911396916924
    Connection: keep-alive
    X-Cache-Lookup: Cache Miss
  • flag-us
    DNS
    136.158.243.61.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.158.243.61.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    38.148.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    38.148.119.40.in-addr.arpa
    IN PTR
    Response
  • 180.188.22.217:80
    licvip1.maposafe.com
    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
    104 B
    2
  • 61.243.158.136:80
    http://baklogin.maposafe.com/wx2.php?s=1697555741-rhfrrwwrhphwfparaphnnlihebrvkval-0-02dd61dc47e55d30bec17a74573dbf28
    http
    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
    906 B
    1.4kB
    7
    7

    HTTP Request

    POST http://baklogin.maposafe.com/wx2.php?s=1697555741-rhfrrwwrhphwfparaphnnlihebrvkval-0-02dd61dc47e55d30bec17a74573dbf28

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    1.208.79.178.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    1.208.79.178.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    240.81.21.72.in-addr.arpa
    dns
    71 B
    142 B
    1
    1

    DNS Request

    240.81.21.72.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    10.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    108.211.229.192.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    108.211.229.192.in-addr.arpa

  • 8.8.8.8:53
    254.105.26.67.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    254.105.26.67.in-addr.arpa

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    licvip1.maposafe.com
    dns
    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
    66 B
    82 B
    1
    1

    DNS Request

    licvip1.maposafe.com

    DNS Response

    180.188.22.217

  • 8.8.8.8:53
    baklogin.maposafe.com
    dns
    a9694d2955984b5518c2cf639d699bc175824c18608006f61a3985e9247b3127.exe
    67 B
    367 B
    1
    1

    DNS Request

    baklogin.maposafe.com

    DNS Response

    61.243.158.136
    218.60.51.110
    123.6.40.190
    61.243.158.245
    122.189.171.106
    36.248.64.77
    123.6.40.84
    42.56.78.61
    202.97.231.60
    218.60.51.58
    61.243.158.204
    61.243.158.244
    61.243.158.194

  • 8.8.8.8:53
    136.158.243.61.in-addr.arpa
    dns
    73 B
    132 B
    1
    1

    DNS Request

    136.158.243.61.in-addr.arpa

  • 8.8.8.8:53
    38.148.119.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    38.148.119.40.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1579481736\ui.dll

    Filesize

    2.6MB

    MD5

    14a4d83af50c93b1e5049e299e2ae93e

    SHA1

    8d47d7fe0e7e289c0d1d1a778ff713e8b976160e

    SHA256

    211bcaf4a5e850653e40a37d63f27479503d793053f801fd9d9a3238c463746b

    SHA512

    f02828c3a03c316396b3a1036799b38ca6d764d4dad430a9460a7253ccad98cb9a4f4fc15a1ee1cbc80cf2105c6e104dda41d5455c7c2378c9dc71de17fe2727

  • C:\Users\Admin\AppData\Local\Temp\1579481736\uimod.dll

    Filesize

    6.1MB

    MD5

    d7beff9a0702ee3433e352920a158306

    SHA1

    c659cd53a89b3ba8449b8040bc1b03f0fbafaeb6

    SHA256

    12a3ecd17726e69fec15fca91d3e14cfe0657a3ee90bb3ff13ee10b4535b881f

    SHA512

    7779d789056f345c2ca1a8f0dbbda860cedd64a8867255fa92786ab6a3789ff75acb771b2be75faa74408b5c9166e474f31424f0d34f1dccc59d5be9efcf65f1

  • memory/1400-21-0x0000000074620000-0x0000000074C62000-memory.dmp

    Filesize

    6.3MB

  • memory/1400-19-0x0000000074620000-0x0000000074C62000-memory.dmp

    Filesize

    6.3MB

  • memory/1400-8-0x0000000074620000-0x0000000074C62000-memory.dmp

    Filesize

    6.3MB

  • memory/1400-10-0x0000000074620000-0x0000000074C62000-memory.dmp

    Filesize

    6.3MB

  • memory/1400-12-0x0000000074620000-0x0000000074C62000-memory.dmp

    Filesize

    6.3MB

  • memory/1400-9-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-1-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-24-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-22-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-20-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-7-0x0000000074620000-0x0000000074C62000-memory.dmp

    Filesize

    6.3MB

  • memory/1400-0-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-18-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-26-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-28-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-29-0x0000000074620000-0x0000000074C62000-memory.dmp

    Filesize

    6.3MB

  • memory/1400-30-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-31-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-33-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-35-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-37-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-39-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB

  • memory/1400-41-0x0000000000400000-0x00000000017D7000-memory.dmp

    Filesize

    19.8MB