Analysis

  • max time kernel
    118s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2023, 17:15 UTC

General

  • Target

    fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe

  • Size

    3.2MB

  • MD5

    fcb579a08d6e49d0e3c83c6e3bc5b0ef

  • SHA1

    0840884b8413fb493e4c41ca410067da224ae52c

  • SHA256

    adb24ee3f3e0221171ce77c69ac11d7e7da7b4c87d44f6a0693f46c9cf8183ee

  • SHA512

    816ce1df1e02e832cc6ba8d1ab953fac015479eeb9949a7e36094d6d96493bf528924c01d1d36bbdce89f3bc47d590b9a0459df9e1f97df02420b42f3f520316

  • SSDEEP

    98304:Mv7VmjNRSimqLIU2lcakcejkIX+MylDCLCcakcK4bCEUJk1dUcakcejkIX+MylDA:ubimST+dlewo+v6CdlKmCadUdlewo+vM

Score
7/10

Tags
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
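What the "UPX packed file" signature above keys on, as an added Python example rather than Triage's own detection code: a UPX-packed PE carries sections named UPX0/UPX1, a "UPX!" pack-header marker in the header area, and a first section that reserves address space but has no data on disk (the stub decompresses into it at run time, which is why a renamed or "scrubbed" UPX build still shows that layout). Because the sample itself is not on this page, the example builds its own minimal PE header fixture; the section sizes, the trailer bytes and the build_pe/parse_sections/upx_indicators names are invented for the example.

```python
"""Detect UPX packing from a PE section table. Added example with constructed
fixtures; not the sandbox's signature code."""
import struct


def build_pe(sections, trailer=b""):
    """Construct a minimal PE header + section table as a test fixture (it is not
    loadable). sections: list of (name, VirtualSize, SizeOfRawData)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # PE32 optional header size
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table = b"".join(
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber fields, Characteristics (code|exec|read|write)
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, 0x1000 * (i + 1), rsize, 0x400, 0, 0, 0, 0, 0xE0000020)
        for i, (name, vsize, rsize) in enumerate(sections))
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + trailer


def parse_sections(data):
    """Return [(name, VirtualSize, SizeOfRawData), ...] from a PE's section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    secs = []
    for i in range(nsec):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize))
    return secs


def upx_indicators(data):
    """List the UPX indicators present in a PE image (empty list = nothing found)."""
    secs = parse_sections(data)
    upx_names = [s[0] for s in secs if s[0].startswith("UPX")]
    findings = []
    if upx_names:
        findings.append("UPX section names: " + ", ".join(upx_names))
    if b"UPX!" in data[:0x1000]:  # pack-header magic normally sits just after the headers
        findings.append("UPX! marker in header area")
    # Catches renamed UPX: the first section has no raw data but a large virtual
    # range (the unpacked image goes there), the next one holds the compressed payload.
    if len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] >= 0x1000 and secs[1][2] > 0:
        findings.append("first section has no raw data but a large virtual size (unpack-in-place layout)")
    return findings


def is_upx_packed(data):
    return bool(upx_indicators(data))
```

The section-name and "UPX!" checks are the cheap ones and are what a signature named "UPX packed file" most likely matches on; the layout heuristic is what still fires when someone has hex-edited the names out, at the cost of occasional hits on other in-place unpackers.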

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe  (PID 2100)
    "C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe"
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe  (PID 2832, child of 2100)
      C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe  (PID 2332, child of 2832)
        cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\EO50skVJg.xml
        • Suspicious use of WriteProcessMemory
  • C:\Windows\SysWOW64\schtasks.exe  (PID 1712)
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe" /TN uhTCmbCqd877 /F
    • Creates scheduled task(s)
  • C:\Windows\SysWOW64\schtasks.exe  (PID 2604)
    schtasks.exe /Query /XML /TN uhTCmbCqd877
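The schtasks.exe invocations above are the behaviour behind the "Creates scheduled task(s)" signature: an ONLOGON task, requested at the highest run level, pointing at a binary in the user's Temp directory, then read back as XML into another Temp file. The following Python is an added example (not Triage's signature logic) of turning process-creation command lines into those findings. The event records are constructed from the command lines on this page plus one benign control task; the parse_schtasks/assess/triage names, the trigger list, the path regex and the "machine-generated name" heuristic are the example's own assumptions.

```python
"""Flag schtasks.exe command lines that look like malware persistence.

Added example: constructed events and heuristics, not the sandbox's own logic.
"""
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Schedule types that fire with no user interaction after a reboot or logon.
PERSISTENCE_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "ONEVENT", "MINUTE", "HOURLY"}
# Directories any user can write to; admin-installed tasks rarely run from them.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
REDIRECTS = {">", ">>", "|", "&", "&&"}

# Constructed process-creation events mirroring the command lines in the process
# tree above, plus one benign control task (pid 4321).
SAMPLE_EVENTS = [
    {"pid": 1712, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe" /TN uhTCmbCqd877 /F'},
    {"pid": 2604, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks.exe /Query /XML /TN uhTCmbCqd877"},
    {"pid": 2332, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c schtasks.exe /Query /XML /TN uhTCmbCqd877 > C:\Users\Admin\AppData\Local\Temp\EO50skVJg.xml"},
    {"pid": 4321, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC DAILY /ST 02:00 /TN "Backup\Nightly" /TR "C:\Program Files\Backup\run.exe"'},
]


def parse_schtasks(cmdline):
    """Return {SWITCH: value-or-True} for the schtasks.exe part of a command line,
    or None if the line does not invoke schtasks (works through a cmd.exe /c wrapper).
    A switch takes the next token as its value unless that token is another switch;
    shell redirection ends parsing and its target is kept under "_redirect"."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    start = next((i + 1 for i, t in enumerate(tokens) if t.lower().endswith("schtasks.exe")), None)
    if start is None:
        return None
    opts, i = {}, start
    while i < len(tokens) and tokens[i] not in REDIRECTS:
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/") and nxt not in REDIRECTS:
                opts[tok.upper()] = nxt
                i += 2
                continue
            opts[tok.upper()] = True
        i += 1
    if i + 1 < len(tokens) and tokens[i] in (">", ">>"):
        opts["_redirect"] = tokens[i + 1]
    return opts


def assess(event, created):
    """Findings for one event; `created` maps task names to the pid that created them."""
    opts = parse_schtasks(event["cmdline"])
    if not opts:
        return []
    findings = []
    action = next((k for k in ("/CREATE", "/CHANGE", "/QUERY", "/RUN", "/DELETE") if k in opts), None)
    name = opts.get("/TN") if isinstance(opts.get("/TN"), str) else None
    if action in ("/CREATE", "/CHANGE"):
        sc = str(opts.get("/SC", "")).upper()
        if sc in PERSISTENCE_TRIGGERS:
            findings.append(f"trigger {sc}: runs without user action")
        tr = opts.get("/TR")
        if isinstance(tr, str) and USER_WRITABLE.search(tr):
            findings.append("task runs a binary from a user-writable path: " + tr)
        if str(opts.get("/RL", "")).upper() == "HIGHEST":
            findings.append("requests highest run level")
        if "/F" in opts:
            findings.append("/F silently overwrites an existing task of the same name")
        # Heuristic: mixed-case alphanumerics with digits and no separators, e.g. uhTCmbCqd877
        if name and re.fullmatch(r"[A-Za-z0-9]{8,}", name) and all(
                re.search(p, name) for p in (r"\d", r"[a-z]", r"[A-Z]")):
            findings.append(f"task name {name} looks machine-generated")
        if name:
            created[name] = event["pid"]
    elif action == "/QUERY" and name in created:
        msg = f"reads back task {name} created earlier by pid {created[name]}"
        if "/XML" in opts:
            msg += " as XML"
        if "_redirect" in opts:
            msg += ", written to " + opts["_redirect"]
        findings.append(msg)
    return findings


def triage(events):
    """Return {pid: findings} for every event with at least one finding, in event order."""
    created, report = {}, {}
    for ev in events:
        hits = assess(ev, created)
        if hits:
            report[ev["pid"]] = hits
    return report
```

The cross-event step matters more than any single rule: a /Query /XML of a name that the same host created moments earlier from a Temp path is a much stronger signal than either command on its own, and it is exactly the sequence visible in this tree.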

Network

  • DNS pastebin.com (US) from fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
    Remote address: 8.8.8.8:53
    Request:  pastebin.com IN A
    Response: pastebin.com IN A 172.67.34.170
              pastebin.com IN A 104.20.68.143
              pastebin.com IN A 104.20.67.143
  • DNS cutit.org (US) from fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
    Remote address: 8.8.8.8:53
    Request:  cutit.org IN A
    Response: cutit.org IN A 64.91.240.248
  • GET https://cutit.org/oxgBR (US) from fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
    Remote address: 64.91.240.248:443
    Request
      GET /oxgBR HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      Host: cutit.org
      Cache-Control: no-cache
    Response
      HTTP/1.1 200 OK
      Date: Fri, 22 Dec 2023 23:17:15 GMT
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
      X-Powered-By: PHP/5.4.16
      Cache-Control: no-cache
      Pragma: no-cache
      Content-Length: 1954
      Content-Type: text/html; charset=UTF-8
  Connections (columns: remote address, host or URL, identified protocol, process, bytes sent, bytes received, packets sent, packets received)

    172.67.34.170:443   pastebin.com              (none)      fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe   190 B   92 B    4    2
    64.91.240.248:443   https://cutit.org/oxgBR   tls, http   fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe   1.2kB   5.4kB   11   9
    8.8.8.8:53          pastebin.com              dns         fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe   58 B    106 B   1    1
    8.8.8.8:53          cutit.org                 dns         fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe   55 B    71 B    1    1

    64.91.240.248:443   HTTP request: GET https://cutit.org/oxgBR; HTTP response: 200
    8.8.8.8:53          DNS request: pastebin.com; DNS response: 172.67.34.170, 104.20.68.143, 104.20.67.143
    8.8.8.8:53          DNS request: cutit.org; DNS response: 64.91.240.248

  Reading the table: the sent/received order follows from the DNS rows (58 bytes of UDP/IP is exactly an A query for pastebin.com, and 106 bytes is the reply carrying three A records). On the pastebin.com connection no application protocol was identified and only 92 B in 2 packets came back, so no pastebin content was retrieved in this run. The cutit.org shortener answered 200 text/html (1954 bytes) rather than a 30x redirect, so the destination the short link points to is not visible in this capture.
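How a responder would work the connection table above, as an added Python example that is not part of the report: flow records reconstructed from the table (plus one constructed benign browser flow as a control) are run through rules for the "Legitimate hosting services abused for malware hosting/C2" signature, for a browser User-Agent sent by a non-browser process, for a TCP/443 connection that returned no application data, and for a shortener answering with a page instead of a redirect; the flagged flows are then reduced to an IoC set. The LEGIT_HOSTING list, the byte and packet thresholds, the control flow's address (a TEST-NET address) and the classify_flow/triage_flows/indicators names are assumptions of the example.

```python
"""Triage sandbox network flows for abuse of public hosting services.
Added example with reconstructed/constructed flow records; not Triage's code."""
import re

SAMPLE_PROC = "fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe"
# Paste sites and URL shorteners routinely abused to stage a next-stage URL or
# config (assumed list; extend from your own intel).
LEGIT_HOSTING = {"pastebin.com", "cutit.org", "paste.ee", "bit.ly", "tinyurl.com", "is.gd"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*(Trident|Gecko|Chrome|Safari)")

UA_IE11 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
# tx/rx = bytes sent/received by the process; first four rows mirror the table above.
SAMPLE_FLOWS = [
    {"dst": "8.8.8.8:53", "host": "pastebin.com", "proto": "dns", "process": SAMPLE_PROC,
     "tx": 58, "rx": 106, "tx_pkts": 1, "rx_pkts": 1,
     "answers": ["172.67.34.170", "104.20.68.143", "104.20.67.143"]},
    {"dst": "172.67.34.170:443", "host": "pastebin.com", "proto": "", "process": SAMPLE_PROC,
     "tx": 190, "rx": 92, "tx_pkts": 4, "rx_pkts": 2},
    {"dst": "8.8.8.8:53", "host": "cutit.org", "proto": "dns", "process": SAMPLE_PROC,
     "tx": 55, "rx": 71, "tx_pkts": 1, "rx_pkts": 1, "answers": ["64.91.240.248"]},
    {"dst": "64.91.240.248:443", "host": "cutit.org", "proto": "tls, http", "process": SAMPLE_PROC,
     "tx": 1200, "rx": 5400, "tx_pkts": 11, "rx_pkts": 9,
     "http": {"method": "GET", "url": "https://cutit.org/oxgBR", "status": 200,
              "content_type": "text/html; charset=UTF-8", "content_length": 1954, "user_agent": UA_IE11}},
    # Constructed control: a real browser fetching an ordinary site.
    {"dst": "203.0.113.10:443", "host": "www.example.com", "proto": "tls, http", "process": "iexplore.exe",
     "tx": 900, "rx": 4100, "tx_pkts": 8, "rx_pkts": 7,
     "http": {"method": "GET", "url": "https://www.example.com/", "status": 200,
              "content_type": "text/html", "content_length": 1256, "user_agent": UA_IE11}},
]


def classify_flow(flow):
    """Return the findings for one flow record (empty when nothing stands out)."""
    findings = []
    host = flow.get("host", "").lower()
    proc = flow.get("process", "").lower()
    if host in LEGIT_HOSTING and proc not in BROWSERS:
        findings.append(f"{host} (public hosting/shortener) contacted by non-browser process {proc}")
    http = flow.get("http")
    if http:
        if BROWSER_UA.search(http.get("user_agent", "")) and proc not in BROWSERS:
            findings.append("browser-style User-Agent sent by a non-browser process")
        if host in LEGIT_HOSTING and http.get("status") == 200 and "text/html" in http.get("content_type", ""):
            findings.append("shortener answered 200 text/html, not a redirect: final destination not in capture")
    # A TCP/443 flow with no identified protocol and almost nothing received never
    # carried a TLS session; the thresholds are assumptions of this example.
    if flow["dst"].endswith(":443") and not flow.get("proto") and flow.get("rx_pkts", 0) <= 2 and flow.get("rx", 0) < 200:
        findings.append("TCP/443 connection returned no application data (no TLS session identified)")
    return findings


def triage_flows(flows):
    """Map (remote address, host) -> findings for the flows that were flagged."""
    report = {}
    for f in flows:
        hits = classify_flow(f)
        if hits:
            report[(f["dst"], f.get("host", ""))] = hits
    return report


def indicators(flows):
    """Collect pivot indicators from flagged flows only: domains, contacted/resolved IPs, URLs."""
    ioc = {"domains": set(), "ips": set(), "urls": set()}
    for f in flows:
        if not classify_flow(f):
            continue
        if f.get("host"):
            ioc["domains"].add(f["host"].lower())
        if f.get("proto") != "dns":  # for DNS flows the peer is only the resolver
            ioc["ips"].add(f["dst"].rsplit(":", 1)[0])
        ioc["ips"].update(f.get("answers", []))
        if f.get("http"):
            ioc["urls"].add(f["http"]["url"])
    return ioc
```

The resolved pastebin.com addresses are shared front-end addresses serving many unrelated sites, so the domain and the full cutit.org URL are the indicators worth blocking or hunting on; the IPs stay in the set for correlation with other captures, not for blocking.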

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EO50skVJg.xml
    Filesize 1KB
    MD5     0d920ce95703f86ebe26b21962e9a4e0
    SHA1    9e91e7b21e162cb2b32c517fb60a37a154b36beb
    SHA256  d9e596015a97a4081bb0393c017e1e9339c2dbfdb833e47978d5edf91c547b05
    SHA512  4d41892c83d8064d4c91c0a680fd38dc9e535bed6862696f76c23c1d8164597a2f2ae54537ff9de6f48cb2caa27a1efe6be4c63f3d30957c48ba82d6e13377ee

  • C:\Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
    Filesize 92KB
    MD5     46ff5764136c97005179b952d347e133
    SHA1    9957f973df1924349041e60a42c513a9b405b4e3
    SHA256  339fcb88afc093d77d334017ae457fb822b6f882711dba997576a85fa254aedb
    SHA512  9682c7f73a200a4b83d8ac3922a37dce1158ca452f429a44f089845765ef3cced4bb2c5220284e9729e7f0b724cffad0c1cc55221d50dc926460449cba117ec2

  • \Users\Admin\AppData\Local\Temp\fcb579a08d6e49d0e3c83c6e3bc5b0ef.exe
    Filesize 72KB
    MD5     68c9c396de778959f8a9283018e35ee4
    SHA1    b338ae5193bf0e77ade9b7a28bf73ef778554388
    SHA256  44b9f8a21841183054609a95feee27a5e241f83210c4483cfd726046dc5d59ab
    SHA512  336f554c05af2fe700591194a3e8a294fbcb1c992277bb81039ae56a01715ae02840aebad22d9d4d0ef50729edf527ecda67bba1b5fc1e24cd29c2c1ab04a1b7

  Note that the sample's own path appears here twice more, with 92KB and 72KB contents whose hashes differ from the 3.2MB file that was submitted, in line with the RenamesItself, Executes dropped EXE and Deletes itself signatures: the binary sitting at that path during the run is not the submitted one, so hash-based hunting should use all three hash sets, not just the ones under General.

  Memory dumps (name encodes PID, snapshot index and address range)

    memory/2100-0-0x0000000000400000-0x000000000065C000-memory.dmp    2.4MB
    memory/2100-1-0x0000000000400000-0x000000000046B000-memory.dmp    428KB
    memory/2100-3-0x0000000000280000-0x00000000002FE000-memory.dmp    504KB
    memory/2100-15-0x0000000000400000-0x000000000046B000-memory.dmp   428KB
    memory/2100-16-0x0000000023680000-0x00000000238DC000-memory.dmp   2.4MB
    memory/2100-53-0x0000000023680000-0x00000000238DC000-memory.dmp   2.4MB
    memory/2832-20-0x0000000000400000-0x000000000065C000-memory.dmp   2.4MB
    memory/2832-22-0x0000000022DC0000-0x0000000022E3E000-memory.dmp   504KB
    memory/2832-26-0x0000000000400000-0x000000000045B000-memory.dmp   364KB
    memory/2832-31-0x0000000000390000-0x00000000003FB000-memory.dmp   428KB
    memory/2832-54-0x0000000000400000-0x000000000065C000-memory.dmp   2.4MB
