Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
13/10/2023, 22:04 UTC
General
-
Target
5f144b5c595441bee0111a44da33e6933087898f52fc7b9ac0bc1e92b548b341.exe
-
Size
367KB
-
MD5
fd504368a55c9c18596bc73d503d9bad
-
SHA1
1611ac879df371a8ac1de17ca6813f4684f7f44b
-
SHA256
5f144b5c595441bee0111a44da33e6933087898f52fc7b9ac0bc1e92b548b341
-
SHA512
9c55efb642a096dd0fca9633f60858fd9df8fcb771576da02685ffd01984f1c652b8ae141ffbca1e95fd7613b49d8d6cf2c02e6e0628bc87ea349bca15b6d1c4
-
SSDEEP
6144:hIgPXkuqyyrhzchRYL+RBhtIJDmazKrLu:hvFqyy6tptI7eu
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f144b5c595441bee0111a44da33e6933087898f52fc7b9ac0bc1e92b548b341.exe"C:\Users\Admin\AppData\Local\Temp\5f144b5c595441bee0111a44da33e6933087898f52fc7b9ac0bc1e92b548b341.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "5f144b5c595441bee0111a44da33e6933087898f52fc7b9ac0bc1e92b548b341.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5f144b5c595441bee0111a44da33e6933087898f52fc7b9ac0bc1e92b548b341.exe" & exit2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "5f144b5c595441bee0111a44da33e6933087898f52fc7b9ac0bc1e92b548b341.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
Network
-
DNSscript.google.comRemote address:8.8.8.8:53Requestscript.google.comIN AResponsescript.google.comIN A172.217.23.206 -
GEThttp://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=emptyRemote address:172.217.23.206:80RequestGET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=empty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: script.google.com
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sat, 14 Oct 2023 09:15:59 GMT
Location: https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=empty
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Server: GSE
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
GEThttps://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=emptyRemote address:172.217.23.206:443RequestGET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=empty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: script.google.com
ResponseHTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sat, 14 Oct 2023 09:16:01 GMT
Location: https://script.googleusercontent.com/macros/echo?user_content_key=raXAAC01xgieAeehMpK7YF6Cly2FD5_eFDkvoQq6O2noRC-lbXW9hNYB_cAleaot3Dv-kT6vOOlb_-RuUiARtLgpWaIb4q6bOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
DNSscript.googleusercontent.comRemote address:8.8.8.8:53Requestscript.googleusercontent.comIN AResponsescript.googleusercontent.comIN CNAMEgooglehosted.l.googleusercontent.comgooglehosted.l.googleusercontent.comIN A142.251.36.1
-
GEThttps://script.googleusercontent.com/macros/echo?user_content_key=raXAAC01xgieAeehMpK7YF6Cly2FD5_eFDkvoQq6O2noRC-lbXW9hNYB_cAleaot3Dv-kT6vOOlb_-RuUiARtLgpWaIb4q6bOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0DRemote address:142.251.36.1:443RequestGET /macros/echo?user_content_key=raXAAC01xgieAeehMpK7YF6Cly2FD5_eFDkvoQq6O2noRC-lbXW9hNYB_cAleaot3Dv-kT6vOOlb_-RuUiARtLgpWaIb4q6bOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: script.googleusercontent.com
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sat, 14 Oct 2023 09:16:01 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
Transfer-Encoding: chunked
-
DNStrk.srcstat.comRemote address:8.8.8.8:53Requesttrk.srcstat.comIN AResponsetrk.srcstat.comIN CNAMExxe82.bmtrck.comxxe82.bmtrck.comIN A52.204.19.219
-
GEThttp://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONALRemote address:52.204.19.219:80RequestGET /postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: trk.srcstat.com
ResponseHTTP/1.1 200 OK
Server: openresty
Date: Sat, 14 Oct 2023 09:16:01 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 134
Connection: keep-alive
Vary: Accept-Encoding
accept-ch: Sec-CH-UA,Sec-CH-UA-Arch,Sec-CH-UA-Bitness,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Full-Version,Sec-CH-UA-Mobile,Sec-CH-UA-Platform,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version,Sec-CH-UA-Reduced
Access-Control-Allow-Origin: *
ETag: W/"86-W1anoWM3jbC0X5xVlSksmemF4cY"
X-Response-Time: 8.296ms
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
-
5.42.64.2:80 -
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
5.42.64.2:80
-
172.217.23.206:80http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=emptyhttp
HTTP Request
GET http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=emptyHTTP Response
301 -
172.217.23.206:443https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=emptytls, http
HTTP Request
GET https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222¶m=emptyHTTP Response
302 -
142.251.36.1:443https://script.googleusercontent.com/macros/echo?user_content_key=raXAAC01xgieAeehMpK7YF6Cly2FD5_eFDkvoQq6O2noRC-lbXW9hNYB_cAleaot3Dv-kT6vOOlb_-RuUiARtLgpWaIb4q6bOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0Dtls, http
HTTP Request
GET https://script.googleusercontent.com/macros/echo?user_content_key=raXAAC01xgieAeehMpK7YF6Cly2FD5_eFDkvoQq6O2noRC-lbXW9hNYB_cAleaot3Dv-kT6vOOlb_-RuUiARtLgpWaIb4q6bOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0DHTTP Response
200 -
52.204.19.219:80http://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONALhttp
HTTP Request
GET http://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONALHTTP Response
200
-
8.8.8.8:53script.google.comdns
DNS Request
script.google.com
DNS Response
172.217.23.206
-
8.8.8.8:53script.googleusercontent.comdns
DNS Request
script.googleusercontent.com
DNS Response
142.251.36.1
-
8.8.8.8:53trk.srcstat.comdns
DNS Request
trk.srcstat.com
DNS Response
52.204.19.219
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
-
Filesize
248KB
-
Filesize
3.2MB
-
Filesize
1024KB
-
Filesize
248KB
-
Filesize
3.2MB
-
Filesize
3.2MB