Analysis

  • max time kernel
    155s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/10/2023, 19:51 UTC

General

  • Target

    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe

  • Size

    204KB

  • MD5

    fb0c71d71ee6d447a5c498cd12f4f050

  • SHA1

    c03638ae78e882d1e1b59b5a6654772100bc024b

  • SHA256

    3f101c958bf7aaacfcd0a8285595583282ab9a02df2f98367004edda7eaf7763

  • SHA512

    410eb5cd3bbb328207a47b42b8d7cd5b92e696af0ef0703e4849578a4892be6214113c44e067544e960dd8c39064d2c9e2c1d476e01b369d3fe4199653ec9fb0

  • SSDEEP

    3072:lOmsW8f0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWBc:l5hs4QxL7B9W0c1RCzR/fSmlH

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    "C:\Users\Admin\AppData\Local\Temp\fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\xiiol.exe
      "C:\Users\Admin\xiiol.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:844

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.210.247.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.210.247.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ns1.spansearcher.net
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spansearcher.net
    IN A
    Response
  • flag-us
    DNS
    ns1.spinsearcher.org
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
  • flag-us
    DNS
    ns1.spinsearcher.org
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
  • flag-us
    DNS
    ns1.spinsearcher.org
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
  • flag-us
    DNS
    ns1.spinsearcher.org
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
  • flag-us
    DNS
    ns1.spinsearcher.org
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ns1.player1352.net
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.net
    IN A
    Response
    ns1.player1352.net
    IN A
    107.178.223.183
    ns1.player1352.net
    IN A
    104.155.138.21
  • flag-us
    DNS
    ns1.player1352.net
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.net
    IN A
    Response
    ns1.player1352.net
    IN A
    107.178.223.183
    ns1.player1352.net
    IN A
    104.155.138.21
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    210.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    210.143.182.52.in-addr.arpa
    IN PTR
    Response
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    254.210.247.8.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    254.210.247.8.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    ns1.spansearcher.net
    dns
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    66 B
    139 B
    1
    1

    DNS Request

    ns1.spansearcher.net

  • 8.8.8.8:53
    ns1.spinsearcher.org
    dns
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    330 B
    5

    DNS Request

    ns1.spinsearcher.org

    DNS Request

    ns1.spinsearcher.org

    DNS Request

    ns1.spinsearcher.org

    DNS Request

    ns1.spinsearcher.org

    DNS Request

    ns1.spinsearcher.org

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    ns1.player1352.net
    dns
    fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
    128 B
    192 B
    2
    2

    DNS Request

    ns1.player1352.net

    DNS Request

    ns1.player1352.net

    DNS Response

    107.178.223.183
    104.155.138.21

    DNS Response

    107.178.223.183
    104.155.138.21

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    210.143.182.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    210.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\xiiol.exe

    Filesize

    204KB

    MD5

    4af00e60fd8a2a400f89fc593fb874e7

    SHA1

    38a7910d77fb4ffb00cb3a5b4840dcf4c49d831a

    SHA256

    5e1bb623669349fe572c02b1d950558a29d71522b68a8cf61cda7b0ba2b35814

    SHA512

    b268cd8904148db717190925468900b98d4911fbb8dda6fb2558801245647cb62c11b01cdde5268dd3c63988f112c9fa2dac057999d92687674bf7755b98104f