Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2023, 16:08 UTC

General

  • Target

    e934fc0e92466c4a9e27bc31ff8f95d6.exe

  • Size

    10.2MB

  • MD5

    e934fc0e92466c4a9e27bc31ff8f95d6

  • SHA1

    0b5e3c0d85f46b669cea9b90237bdcab0dc20d92

  • SHA256

    e71ce4be2e5a9f32ae420ffb34fa12db0bf43f5a2e3c8a8367c203445a3830d3

  • SHA512

    b07de321bd245c27fbfc51c1489bbb90f22e2af9e472f78b3cb1775a7f47842a1a0e1034fe46b416a97f605f36b266e40c39c0709227ba9d14fabb33ebaa6e5f

  • SSDEEP

    98304:LQePPwOWqhI83S11qronI0Iy5fKP7grvYLS3dhgOnxX2ey931a3S11qronI0Iy5x:LQePPxWqSa0j9lhJxX27hva0j9

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e934fc0e92466c4a9e27bc31ff8f95d6.exe
    "C:\Users\Admin\AppData\Local\Temp\e934fc0e92466c4a9e27bc31ff8f95d6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\e934fc0e92466c4a9e27bc31ff8f95d6.exe
      C:\Users\Admin\AppData\Local\Temp\e934fc0e92466c4a9e27bc31ff8f95d6.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:1136

Network

  • flag-us
    DNS
    cutit.org
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    Remote address:
    8.8.8.8:53
    Request
    cutit.org
    IN A
    Response
    cutit.org
    IN A
    64.91.240.248
  • flag-us
    GET
    https://cutit.org/oxgBR
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    Remote address:
    64.91.240.248:443
    Request
    GET /oxgBR HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: cutit.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 24 Dec 2023 05:45:15 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
    X-Powered-By: PHP/5.4.16
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Location: http://ww12.cutit.org/oxgBR?usid=25&utid=4389951157
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    ww12.cutit.org
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    Remote address:
    8.8.8.8:53
    Request
    ww12.cutit.org
    IN A
    Response
    ww12.cutit.org
    IN CNAME
    726512.parkingcrew.net
    726512.parkingcrew.net
    IN A
    76.223.26.96
    726512.parkingcrew.net
    IN A
    13.248.148.254
  • flag-us
    DNS
    ww12.cutit.org
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    Remote address:
    8.8.8.8:53
    Request
    ww12.cutit.org
    IN A
  • flag-us
    DNS
    ww12.cutit.org
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    Remote address:
    8.8.8.8:53
    Request
    ww12.cutit.org
    IN A
  • flag-us
    GET
    http://ww12.cutit.org/oxgBR?usid=25&utid=4389951157
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    Remote address:
    76.223.26.96:80
    Request
    GET /oxgBR?usid=25&utid=4389951157 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: ww12.cutit.org
    Response
    HTTP/1.1 200 OK
    Date: Sun, 24 Dec 2023 05:45:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: nginx
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    X-Buckets: bucket011
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_iMD3dGfKzRIEJUeI/7wOE8FhNf0Cdhbj97KpvrauT6CZx6EhdVWSJ8RADi0R7w8e4hChqyrVar9m0+idrOh3bw==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
    X-Domain: cutit.org
    X-Subdomain: ww12
  • 64.91.240.248:443
    https://cutit.org/oxgBR
    tls, http
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    1.3kB
    3.4kB
    13
    9

    HTTP Request

    GET https://cutit.org/oxgBR

    HTTP Response

    302
  • 76.223.26.96:80
    http://ww12.cutit.org/oxgBR?usid=25&utid=4389951157
    http
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    1.0kB
    18.0kB
    17
    22

    HTTP Request

    GET http://ww12.cutit.org/oxgBR?usid=25&utid=4389951157

    HTTP Response

    200
  • 8.8.8.8:53
    cutit.org
    dns
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    55 B
    71 B
    1
    1

    DNS Request

    cutit.org

    DNS Response

    64.91.240.248

  • 8.8.8.8:53
    ww12.cutit.org
    dns
    e934fc0e92466c4a9e27bc31ff8f95d6.exe
    180 B
    128 B
    3
    1

    DNS Request

    ww12.cutit.org

    DNS Request

    ww12.cutit.org

    DNS Request

    ww12.cutit.org

    DNS Response

    76.223.26.96
    13.248.148.254

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\e934fc0e92466c4a9e27bc31ff8f95d6.exe

    Filesize

    47KB

    MD5

    07219d89f1c6b06079ede4e0114a8114

    SHA1

    ffbee954406f41de2290b18fb1b9b462cb6f882f

    SHA256

    5839d844f9052ddba8231e5b1e8ea1321d434bdbe5ced61e626b62f3d7a00a8d

    SHA512

    d7d492ecb13105491aed9bc6c75dfb4c6a7f1ad03189884ef2a1fb27552abfef54b7879720ce24bcffd0bdb9a6289991225788863f87b351bc44368b53f3c142

  • \Users\Admin\AppData\Local\Temp\e934fc0e92466c4a9e27bc31ff8f95d6.exe

    Filesize

    382KB

    MD5

    afc8be4fc7c581c2394149cf7fa39133

    SHA1

    88711d89d643f0f51ab974e8f144c2a38bbc069d

    SHA256

    3f2837a58f03b8f59a51584761766862b03b8a806f7cfb0f0a38fb580de99b20

    SHA512

    cb0f166b4c8ce055b9a5c77fffdd9a0323aecd556134efcb24bf00447482751d3760ba52e0857a94f0c098ccc655fcb5d40b96a7ac5ca23066bb1450506f8135

  • memory/1136-18-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

  • memory/1136-20-0x0000000001FA0000-0x00000000021FA000-memory.dmp

    Filesize

    2.4MB

  • memory/1136-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

  • memory/1748-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

  • memory/1748-1-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

  • memory/1748-2-0x00000000021D0000-0x000000000242A000-memory.dmp

    Filesize

    2.4MB

  • memory/1748-16-0x0000000004CD0000-0x000000000566E000-memory.dmp

    Filesize

    9.6MB

  • memory/1748-15-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

  • memory/1748-43-0x0000000004CD0000-0x000000000566E000-memory.dmp

    Filesize

    9.6MB
