Analysis

  • max time kernel
    3s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 10:22 UTC

General

  • Target

    16d83fca1d617f3ef4bf588f3916dfcc.exe

  • Size

    313KB

  • MD5

    16d83fca1d617f3ef4bf588f3916dfcc

  • SHA1

    3752a49e6b1dd7aee1cd76d8f25d9e6a5b258cda

  • SHA256

    16edb56c82656e8a52dd537a08320fc0e064653b1ee6de2319dbca535df22f21

  • SHA512

    11f1b939b58438839aab27b09d791b8f7096bfbe80ba4b6fc6ee3e86de5ba951dd9ea9017a803eb36e7f852e7645c906bfc62bd618a38d7b84a95ca5fad281c7

  • SSDEEP

    6144:Brb9uEo2S1YnQmCX492DkwNP3qpYFl2YyPuFITzyccux7rnrOzprCoMP:BrRu6/eIo4t3PuFITKUAk

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (3 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\16d83fca1d617f3ef4bf588f3916dfcc.exe
    "C:\Users\Admin\AppData\Local\Temp\16d83fca1d617f3ef4bf588f3916dfcc.exe"
    (process tree depth 1)
    • Loads dropped DLL
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    PID: 2956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin2308.bat"
      (process tree depth 2)
      PID: 2748

Network

    • Geo: US
      DNS
      r1.getapplicationmy.info
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      Remote address:
      8.8.8.8:53
      Request
      r1.getapplicationmy.info
      IN A
      Response
      r1.getapplicationmy.info
      IN A
      94.229.72.125
    • Geo: US
      DNS
      r1.getapplicationmy.info
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      Remote address:
      8.8.8.8:53
      Request
      r1.getapplicationmy.info
      IN A
    • Geo: US
      DNS
      c1.getapplicationmy.info
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      Remote address:
      8.8.8.8:53
      Request
      c1.getapplicationmy.info
      IN A
      Response
      c1.getapplicationmy.info
      IN A
      108.59.12.100
    • Geo: US
      DNS
      c1.getapplicationmy.info
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      Remote address:
      8.8.8.8:53
      Request
      c1.getapplicationmy.info
      IN A
    • Geo: GB
      POST
      http://r1.getapplicationmy.info/?report_version=5&
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      Remote address:
      94.229.72.125:80
      Request
      POST /?report_version=5& HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: TixDll
      Host: r1.getapplicationmy.info
      Content-Length: 1871
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      cache-control: max-age=0, private, must-revalidate
      connection: close
      content-length: 11
      date: Tue, 26 Dec 2023 00:29:19 GMT
      location: http://survey-smiles.com
      server: nginx
      set-cookie: sid=cf90cd55-a385-11ee-9ef9-106073751085; path=/; domain=.getapplicationmy.info; expires=Sun, 13 Jan 2092 03:43:27 GMT; max-age=2147483647; HttpOnly
    • Geo: US
      GET
      http://c1.getapplicationmy.info/?step_id=1&installer_id=7028761911694744293&publisher_id=821&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=0&download_id=1233088118402561957&external_id=0&session_id=15289403967216836407&hardware_id=8554571142266740696&files%2F=&ize=755KB&installer%2F=&_file_name=jfstdisfatta.rar&_file_name=jfstdisfatta.rar&product%2F=&product%2F=&product%2F=&_downloa=&_title=jfstdisfatta.rar&product_n=&reffer=http%3A%2F%2Ftusfiles.net%2F&product_file_name=error.txt&product_download_url=%3CServerUrl%3E%2Faddons%2Ferror.txt&filesize=
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      Remote address:
      108.59.12.100:80
      Request
      GET /?step_id=1&installer_id=7028761911694744293&publisher_id=821&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=0&download_id=1233088118402561957&external_id=0&session_id=15289403967216836407&hardware_id=8554571142266740696&files%2F=&ize=755KB&installer%2F=&_file_name=jfstdisfatta.rar&_file_name=jfstdisfatta.rar&product%2F=&product%2F=&product%2F=&_downloa=&_title=jfstdisfatta.rar&product_n=&reffer=http%3A%2F%2Ftusfiles.net%2F&product_file_name=error.txt&product_download_url=%3CServerUrl%3E%2Faddons%2Ferror.txt&filesize= HTTP/1.1
      Accept: */*
      User-Agent: TixDll
      Host: c1.getapplicationmy.info
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      accept-ch: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
      cache-control: max-age=0, private, must-revalidate
      connection: close
      content-length: 982
      content-type: text/html; charset=utf-8
      date: Tue, 26 Dec 2023 00:29:20 GMT
      server: nginx
      set-cookie: sid=d0642f24-a385-11ee-b2e4-fa5f0c9703dd; path=/; domain=.getapplicationmy.info; expires=Sun, 13 Jan 2092 03:43:28 GMT; max-age=2147483647; HttpOnly
    • Geo: US
      DNS
      survey-smiles.com
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      Remote address:
      8.8.8.8:53
      Request
      survey-smiles.com
      IN A
      Response
      survey-smiles.com
      IN A
      199.59.243.225
    • Geo: GB
      POST
      http://r1.getapplicationmy.info/?report_version=5&
      Remote address:
      94.229.72.125:80
      Request
      POST /?report_version=5& HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      User-Agent: TixDll
      Host: r1.getapplicationmy.info
      Content-Length: 408
      Cache-Control: no-cache
      Cookie: sid=d0642f24-a385-11ee-b2e4-fa5f0c9703dd
      Response
      HTTP/1.1 302 Found
      cache-control: max-age=0, private, must-revalidate
      connection: close
      content-length: 11
      date: Tue, 26 Dec 2023 00:29:21 GMT
      location: http://survey-smiles.com
      server: nginx
    • Geo: US
      GET
      http://survey-smiles.com/
      Remote address:
      199.59.243.225:80
      Request
      GET / HTTP/1.1
      Accept: */*
      Connection: Keep-Alive
      User-Agent: TixDll
      Cache-Control: no-cache
      Host: survey-smiles.com
      Response
      HTTP/1.1 200 OK
      date: Tue, 26 Dec 2023 00:29:24 GMT
      content-type: text/html; charset=utf-8
      content-length: 1021
      x-request-id: a6370ac7-bc83-4f7b-aa51-313043f24262
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TNA+5zAcuC8zFDIUlgADyF1DJLNUMdO2R648/pkg9lhWgcvsI62wu/JHrI4Qs5t09aOJmgUcGqHz7s3DHsuGGg==
      set-cookie: parking_session=a6370ac7-bc83-4f7b-aa51-313043f24262; expires=Tue, 26 Dec 2023 00:44:25 GMT; path=/
    • 94.229.72.125:80
      http://r1.getapplicationmy.info/?report_version=5&
      http
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      2.5kB
      658 B
      9
      7

      HTTP Request

      POST http://r1.getapplicationmy.info/?report_version=5&

      HTTP Response

      302
    • 108.59.12.100:80
      http://c1.getapplicationmy.info/?step_id=1&installer_id=7028761911694744293&publisher_id=821&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=0&download_id=1233088118402561957&external_id=0&session_id=15289403967216836407&hardware_id=8554571142266740696&files%2F=&ize=755KB&installer%2F=&_file_name=jfstdisfatta.rar&_file_name=jfstdisfatta.rar&product%2F=&product%2F=&product%2F=&_downloa=&_title=jfstdisfatta.rar&product_n=&reffer=http%3A%2F%2Ftusfiles.net%2F&product_file_name=error.txt&product_download_url=%3CServerUrl%3E%2Faddons%2Ferror.txt&filesize=
      http
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      933 B
      1.7kB
      6
      6

      HTTP Request

      GET http://c1.getapplicationmy.info/?step_id=1&installer_id=7028761911694744293&publisher_id=821&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=0&download_id=1233088118402561957&external_id=0&session_id=15289403967216836407&hardware_id=8554571142266740696&files%2F=&ize=755KB&installer%2F=&_file_name=jfstdisfatta.rar&_file_name=jfstdisfatta.rar&product%2F=&product%2F=&product%2F=&_downloa=&_title=jfstdisfatta.rar&product_n=&reffer=http%3A%2F%2Ftusfiles.net%2F&product_file_name=error.txt&product_download_url=%3CServerUrl%3E%2Faddons%2Ferror.txt&filesize=

      HTTP Response

      200
    • 199.59.243.225:80
      survey-smiles.com
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      104 B
      2
    • 94.229.72.125:80
      http://r1.getapplicationmy.info/?report_version=5&
      http
      977 B
      668 B
      7
      6

      HTTP Request

      POST http://r1.getapplicationmy.info/?report_version=5&

      HTTP Response

      302
    • 199.59.243.225:80
      http://survey-smiles.com/
      http
      499 B
      2.4kB
      8
      5

      HTTP Request

      GET http://survey-smiles.com/

      HTTP Response

      200
    • 8.8.8.8:53
      r1.getapplicationmy.info
      dns
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      140 B
      86 B
      2
      1

      DNS Request

      r1.getapplicationmy.info

      DNS Request

      r1.getapplicationmy.info

      DNS Response

      94.229.72.125

    • 8.8.8.8:53
      c1.getapplicationmy.info
      dns
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      140 B
      86 B
      2
      1

      DNS Request

      c1.getapplicationmy.info

      DNS Request

      c1.getapplicationmy.info

      DNS Response

      108.59.12.100

    • 8.8.8.8:53
      survey-smiles.com
      dns
      16d83fca1d617f3ef4bf588f3916dfcc.exe
      63 B
      79 B
      1
      1

      DNS Request

      survey-smiles.com

      DNS Response

      199.59.243.225

    MITRE ATT&CK Enterprise v15