Analysis

  • max time kernel
    1s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 07:05 UTC

General

  • Target

    5b648b9054475b8496b7fe3e3d562f5a.exe

  • Size

    142KB

  • MD5

    5b648b9054475b8496b7fe3e3d562f5a

  • SHA1

    ce7321839540299a9c894bf1338ab6592aff9c4e

  • SHA256

    6da1bb18d50b9365e9b290dc2be93ec280a7b76a121023e4e453f400a3235ffe

  • SHA512

    8e14785c90ffc6c8837865f317852e04117ed5fb45c15c6e61bfd2c98a35d8f189c6f0fcb88bbaf13ba73417ac38e6142269f61dfa39bbb3c53a7842766bfcdf

  • SSDEEP

    3072:inOn7t7XpdpCCTg/sxFgJaeqgKJ+BCpC0BOAIiBMwLi70QNe+rH8R70AxpSQ8:iKpdcCrTdgK4nlidu4YVHo7mQ8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b648b9054475b8496b7fe3e3d562f5a.exe (PID 1688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5b648b9054475b8496b7fe3e3d562f5a.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\nsv4901.tmp\downloadmr.exe (PID 840, child of 1688)
      Command line: C:\Users\Admin\AppData\Local\Temp\nsv4901.tmp\downloadmr.exe /u4e8de351-1254-4bc4-803a-1e235bc06f2f /e2365298
      Signatures: Executes dropped EXE

Network

  • DNS 23.177.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 23.177.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 23.177.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 23.177.190.20.in-addr.arpa IN PTR
  • DNS api.downloadmr.com
    Remote address: 8.8.8.8:53
    Request: api.downloadmr.com IN A
    Response: (empty)
  • DNS 43.58.199.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 43.58.199.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 194.178.17.96.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 194.178.17.96.in-addr.arpa IN PTR
    Response: 194.178.17.96.in-addr.arpa IN PTR a96-17-178-194.deploy.static.akamaitechnologies.com
  • DNS 241.154.82.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 241.154.82.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 26.165.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 26.165.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 173.178.17.96.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 173.178.17.96.in-addr.arpa IN PTR
    Response: 173.178.17.96.in-addr.arpa IN PTR a96-17-178-173.deploy.static.akamaitechnologies.com
  • DNS 173.178.17.96.in-addr.arpa (4 further identical requests, no response recorded)
    Remote address: 8.8.8.8:53
    Request: 173.178.17.96.in-addr.arpa IN PTR
  • DNS 11.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 11.227.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 11.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 11.227.111.52.in-addr.arpa IN PTR
  • DNS 4.173.189.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 4.173.189.20.in-addr.arpa IN PTR
    Response: (empty)
  • 20.231.121.79:80
    Sent 46 B, 1 request, no response
  • 13.85.23.206:443
    Sent 46 B, received 40 B, 1 request, 1 response
  • 8.8.8.8:53 (dns, 23.177.190.20.in-addr.arpa)
    Sent 144 B, received 158 B, 2 requests, 1 response
    DNS requests: 23.177.190.20.in-addr.arpa (x2)
  • 8.8.8.8:53 (dns, api.downloadmr.com)
    Sent 64 B, received 132 B, 1 request, 1 response
    DNS requests: api.downloadmr.com
  • 8.8.8.8:53 (dns, 43.58.199.20.in-addr.arpa)
    Sent 71 B, received 157 B, 1 request, 1 response
    DNS requests: 43.58.199.20.in-addr.arpa
  • 8.8.8.8:53 (dns, 194.178.17.96.in-addr.arpa)
    Sent 72 B, received 137 B, 1 request, 1 response
    DNS requests: 194.178.17.96.in-addr.arpa
  • 8.8.8.8:53 (dns, 241.154.82.20.in-addr.arpa)
    Sent 72 B, received 158 B, 1 request, 1 response
    DNS requests: 241.154.82.20.in-addr.arpa
  • 8.8.8.8:53 (dns, 26.165.165.52.in-addr.arpa)
    Sent 72 B, received 146 B, 1 request, 1 response
    DNS requests: 26.165.165.52.in-addr.arpa
  • 8.8.8.8:53 (dns, 173.178.17.96.in-addr.arpa)
    Sent 360 B, received 137 B, 5 requests, 1 response
    DNS requests: 173.178.17.96.in-addr.arpa (x5)
  • 8.8.8.8:53 (dns, 11.227.111.52.in-addr.arpa)
    Sent 144 B, received 158 B, 2 requests, 1 response
    DNS requests: 11.227.111.52.in-addr.arpa (x2)
  • 8.8.8.8:53 (dns, 4.173.189.20.in-addr.arpa)
    Sent 71 B, received 157 B, 1 request, 1 response
    DNS requests: 4.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsv4901.tmp\System.dll

    Filesize

    1KB

    MD5

    8143e59c2b92661b705733d2ac1abe10

    SHA1

    d9ac6750f186ad7025ce4e03082fc6b3116a3294

    SHA256

    298d293a33588c53853c11884f93bf103d0716cdb7fcfbb4f1efaaa8b9aeb5b3

    SHA512

    1eb9f318db0e5b409d61a8eb7a80016ac912bb7639b04b5ece8d10bedcf3881e52d27ee47769e37ba332e82bad3c826b633067557133b8fa7bce7dd4c436ad77

  • C:\Users\Admin\AppData\Local\Temp\nsv4901.tmp\downloadmr.exe

    Filesize

    23KB

    MD5

    30e635e76552612fdf529dd3208cb02d

    SHA1

    c36099c86f0b7781db2dcc672ad606143405f1d5

    SHA256

    fbc9d31b12a133d04e80b378c839e627c31c89a83fb815204e8086cad9ef1992

    SHA512

    78762f4d5a9335e36ffccaca5472ecf10755996a44aec7f5d195c8f1027a24ee6a67d3d363ff0b74b7a66984a9890df7c0af8ed25987516d04a38058a0c0d962

  • C:\Users\Admin\AppData\Local\Temp\nsv4901.tmp\downloadmr.exe

    Filesize

    9KB

    MD5

    da6da9c34888f7c6fa2b1cc46b4423f9

    SHA1

    c28dbca6af6e4f0e05997eb932b021c282582730

    SHA256

    602e2f046ce276dc479032a3dfdbd0bd267be8a00effbd73c8e72ec3f1ef7aa6

    SHA512

    9e6a2767ea0bc3ac916a20066aa6bb8b05acd0d90dde0adaff1ccaa5305c9777b561c74c3a637958346616d11fd01ca099a7252c58a29f7566bd9063251c55ca

  • memory/840-13-0x0000000074230000-0x00000000747E1000-memory.dmp

    Filesize

    5.7MB

  • memory/840-15-0x0000000074230000-0x00000000747E1000-memory.dmp

    Filesize

    5.7MB

  • memory/840-14-0x00000000011B0000-0x00000000011C0000-memory.dmp

    Filesize

    64KB

  • memory/840-17-0x00000000011B0000-0x00000000011C0000-memory.dmp

    Filesize

    64KB

  • memory/840-16-0x00000000011B0000-0x00000000011C0000-memory.dmp

    Filesize

    64KB

  • memory/840-18-0x00000000011B0000-0x00000000011C0000-memory.dmp

    Filesize

    64KB

  • memory/840-20-0x0000000074230000-0x00000000747E1000-memory.dmp

    Filesize

    5.7MB

  • memory/1688-24-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB
