Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 09:44 UTC

General

  • Target

    64bb34128b6642d69fa7725ce471bf21.exe

  • Size

    512KB

  • MD5

    64bb34128b6642d69fa7725ce471bf21

  • SHA1

    99e2dc43fbc4df406a32eea967634acba2f0e9c8

  • SHA256

    15a1ae756ab1355492d80a35a52e681ed5083cf4c92d0dd81552fa4a7ef33b58

  • SHA512

    b576e89c711a69a0ab124d32b7cefca52f37b62a7c0550039844c9d47b51d15676228ece965df038874b235716dac9174b7f768ee1c99af7efddb7b9bc004eff

  • SSDEEP

    12288:0+h9St2Ma70zIIc91Dwws4zruXic2O/3E4g:0+h9OY70z+warul3E4g

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64bb34128b6642d69fa7725ce471bf21.exe
    "C:\Users\Admin\AppData\Local\Temp\64bb34128b6642d69fa7725ce471bf21.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Loads dropped DLL
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Users\Admin\AppData\Local\Temp\n1899\s1899.exe
      "C:\Users\Admin\AppData\Local\Temp\n1899\s1899.exe" 46f9a147687eea12554a0c13exoExkSqd8uFsbFOul0mvkAEz7rmsxWZBAosg4rzDA0iy85BsUC0ZCI6WlnpB1YpPt4PD+giWfI9sq4XCVMq3nKxtj0Kwgz5mogTL7ZC5lzn4GVWW74jPU4NPU1gvXtJrsLMcoHgT/CmheMDgVJomzPV /v "C:\Users\Admin\AppData\Local\Temp\64bb34128b6642d69fa7725ce471bf21.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1976

Network

  • US
    DNS
    ocsp.thawte.com
    s1899.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.thawte.com
    IN A
    Response
    ocsp.thawte.com
    IN CNAME
    mpki-ocsp.digicert.com
    mpki-ocsp.digicert.com
    IN CNAME
    fp3011.wpc.2be4.phicdn.net
    fp3011.wpc.2be4.phicdn.net
    IN CNAME
    fp3011.wpc.phicdn.net
    fp3011.wpc.phicdn.net
    IN A
    152.199.19.74
  • US
    DNS
    ocsp.thawte.com
    s1899.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.thawte.com
    IN A
  • US
    GET
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
    s1899.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 6436
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sat, 06 Jan 2024 08:41:07 GMT
    Last-Modified: Sat, 06 Jan 2024 06:53:51 GMT
    Server: ECAcc (lhc/789F)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • US
    GET
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
    s1899.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 6436
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sat, 06 Jan 2024 08:41:07 GMT
    Last-Modified: Sat, 06 Jan 2024 06:53:51 GMT
    Server: ECAcc (lhc/789F)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • US
    DNS
    crl.thawte.com
    s1899.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.thawte.com
    IN A
    Response
    crl.thawte.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    crl.edge.digicert.com
    crl.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • US
    GET
    http://crl.thawte.com/ThawtePCA.crl
    s1899.exe
    Remote address:
    192.229.221.95:80
    Request
    GET /ThawtePCA.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 1260
    Cache-Control: public, max-age=3600
    Content-Type: application/pkix-crl
    Date: Sat, 06 Jan 2024 08:41:07 GMT
    Last-Modified: Sat, 06 Jan 2024 08:20:07 GMT
    Server: ECAcc (lhd/35A2)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 604
  • US
    DNS
    th.symcd.com
    s1899.exe
    Remote address:
    8.8.8.8:53
    Request
    th.symcd.com
    IN A
    Response
    th.symcd.com
    IN CNAME
    mpki-ocsp.digicert.com
    mpki-ocsp.digicert.com
    IN CNAME
    fp3011.wpc.2be4.phicdn.net
    fp3011.wpc.2be4.phicdn.net
    IN CNAME
    fp3011.wpc.phicdn.net
    fp3011.wpc.phicdn.net
    IN A
    152.199.19.74
  • US
    GET
    http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D
    s1899.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: th.symcd.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 5408
    Cache-Control: public, max-age=86400
    Content-Type: application/ocsp-response
    Date: Sat, 06 Jan 2024 08:41:09 GMT
    Last-Modified: Sat, 06 Jan 2024 07:11:01 GMT
    Server: ECAcc (lhc/788E)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 1441
  • US
    DNS
    d8fb9.northstar.api.socdn.com
    s1899.exe
    Remote address:
    8.8.8.8:53
    Request
    d8fb9.northstar.api.socdn.com
    IN A
    Response
    d8fb9.northstar.api.socdn.com
    IN CNAME
    615321.parkingcrew.net
    615321.parkingcrew.net
    IN A
    76.223.26.96
    615321.parkingcrew.net
    IN A
    13.248.148.254
  • US
    GET
    http://d8fb9.northstar.api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311/config
    s1899.exe
    Remote address:
    76.223.26.96:80
    Request
    GET /installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311/config HTTP/1.1
    User-Agent: DownloadMR/3.1.37 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;u=Admin;northstar;ecc5fae7-eb08-7218-c1c2-03acf2904f5a)
    Accept-Language: en-US
    Host: d8fb9.northstar.api.socdn.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 06 Jan 2024 08:41:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: nginx
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    X-Redirect: skenzo
    X-Buckets: bucket011
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_bts5YEKjjRDY8YHbdfH4vP92WcfWkXCQhXLGQjlo+lRfWAEOCbR+OnrNO05Cw4xC7nZuUnHW4xldJcmcJ9wRuQ==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
    X-Domain: socdn.com
    X-Subdomain: d8fb9.northstar.api
  • US
    POST
    http://d8fb9.northstar.api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311/event
    s1899.exe
    Remote address:
    76.223.26.96:80
    Request
    POST /installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311/event HTTP/1.1
    User-Agent: DownloadMR/3.1.37 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;u=Admin;northstar;ecc5fae7-eb08-7218-c1c2-03acf2904f5a)
    Accept-Language: en-US
    Content-Type: application/x-www-form-urlencoded
    Host: d8fb9.northstar.api.socdn.com
    Content-Length: 4225
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Server: awselb/2.0
    Date: Sat, 06 Jan 2024 08:41:27 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 138
    Connection: keep-alive
  • 152.199.19.74:80
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
    http
    s1899.exe
    783 B
    914 B
    6
    4

    HTTP Request

    GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

    HTTP Response

    200

    HTTP Request

    GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

    HTTP Response

    200
  • 192.229.221.95:80
    http://crl.thawte.com/ThawtePCA.crl
    http
    s1899.exe
    357 B
    1.1kB
    5
    3

    HTTP Request

    GET http://crl.thawte.com/ThawtePCA.crl

    HTTP Response

    200
  • 152.199.19.74:80
    http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D
    http
    s1899.exe
    1.0kB
    2.0kB
    7
    4

    HTTP Request

    GET http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D

    HTTP Response

    200
  • 76.223.26.96:80
    d8fb9.northstar.api.socdn.com
    s1899.exe
    104 B
    2
  • 76.223.26.96:80
    http://d8fb9.northstar.api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311/config
    http
    s1899.exe
    742 B
    3.5kB
    7
    7

    HTTP Request

    GET http://d8fb9.northstar.api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311/config

    HTTP Response

    200
  • 76.223.26.96:80
    http://d8fb9.northstar.api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311/event
    http
    s1899.exe
    5.5kB
    1.0kB
    16
    10

    HTTP Request

    POST http://d8fb9.northstar.api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311/event

    HTTP Response

    403
  • 8.8.8.8:53
    ocsp.thawte.com
    dns
    s1899.exe
    122 B
    175 B
    2
    1

    DNS Request

    ocsp.thawte.com

    DNS Request

    ocsp.thawte.com

    DNS Response

    152.199.19.74

  • 8.8.8.8:53
    crl.thawte.com
    dns
    s1899.exe
    60 B
    200 B
    1
    1

    DNS Request

    crl.thawte.com

    DNS Response

    192.229.221.95

  • 8.8.8.8:53
    th.symcd.com
    dns
    s1899.exe
    58 B
    172 B
    1
    1

    DNS Request

    th.symcd.com

    DNS Response

    152.199.19.74

  • 8.8.8.8:53
    d8fb9.northstar.api.socdn.com
    dns
    s1899.exe
    75 B
    143 B
    1
    1

    DNS Request

    d8fb9.northstar.api.socdn.com

    DNS Response

    76.223.26.96
    13.248.148.254

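The three Microsoft-CryptoAPI/6.1 requests in the log above (ocsp.thawte.com, crl.thawte.com, th.symcd.com) are Windows verifying the revocation status of the Authenticode signing chain on the dropped s1899.exe, not command-and-control traffic. An OCSP GET request encodes the whole DER OCSPRequest in the URL path, so the request alone tells you which certificate was checked. The decoder below is an added example written for this page, not code from tria.ge or from the sample; it uses only the Python standard library, takes the two OCSP URLs copied from the report, and recovers the hash algorithm, issuer name/key hashes and certificate serial number. It handles only the single-request, no-extensions layout those two URLs use.

```python
"""Decode the OCSP GET requests recorded in this report (added example, not tria.ge code)."""
import base64
from urllib.parse import urlsplit, unquote

# Request URLs copied verbatim from the report (sent by s1899.exe with UA Microsoft-CryptoAPI/6.1).
OCSP_URLS = [
    "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
    "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url):
    """Return the CertID fields of an RFC 6960 OCSP GET request.

    Layout walked: OCSPRequest -> tbsRequest -> requestList -> Request -> reqCert
    CertID = SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
    """
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    tag, body, _ = _tlv(der, 0)                     # OCSPRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(body, 0)                       # tbsRequest
    pos = 0
    while (tbs[pos] & 0xC0) == 0x80:                # skip optional [0] version / [1] requestorName
        _, _, pos = _tlv(tbs, pos)
    _, req_list, _ = _tlv(tbs, pos)                 # requestList
    _, request, _ = _tlv(req_list, 0)               # first Request only
    _, cert_id, _ = _tlv(request, 0)                # CertID
    _, alg, pos = _tlv(cert_id, 0)                  # AlgorithmIdentifier
    alg_tag, oid_bytes, _ = _tlv(alg, 0)
    if alg_tag != 0x06:
        raise ValueError("hashAlgorithm is not an OID")
    _, name_hash, pos = _tlv(cert_id, pos)
    _, key_hash, pos = _tlv(cert_id, pos)
    ser_tag, serial, _ = _tlv(cert_id, pos)
    if ser_tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    oid = _oid(oid_bytes)
    return {
        "responder": urlsplit(url).hostname,
        "hash_alg": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
    }


if __name__ == "__main__":
    for u in OCSP_URLS:
        print(decode_ocsp_get(u))
```

The issuer key hash is the SHA-1 of the issuing CA's public key and the serial is that of the leaf being checked; together they identify the signing certificate without needing the binary, which is useful when only the PCAP survives. The 5-byte OCSP responses in the log are too short to carry a real status (a minimal OCSPResponse with no responseBytes is 5 bytes), so the CRL fetch that follows is what actually answered the revocation question.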
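The remaining traffic is the dropped installer's own beacon. The DownloadMR/3.1.37 User-Agent embeds the local username (u=Admin), a hardware-looking m= string and an installation GUID, and the config host d8fb9.northstar.api.socdn.com resolves through a CNAME to 615321.parkingcrew.net; the X-Redirect and X-Template headers on the "config" answer mark it as a domain-parking page, which is why the follow-up POST to /event was refused with 403 by an AWS load balancer. The triage helper below is an added example, not tria.ge code: it classifies each exchange as revocation-check noise or installer beacon, parses the User-Agent, and checks whether the beacon endpoint is parked. The HTTP records are constructed from the values on this page; the field labels campaign, install_id and m are this example's names for what the UA carries, not documented DownloadMR semantics.

```python
"""Separate installer beacons from CryptoAPI revocation noise (added example, not tria.ge code)."""
import re

# Copied from the report: the User-Agent s1899.exe (PID 1976) sent to d8fb9.northstar.api.socdn.com.
DOWNLOADMR_UA = (
    "DownloadMR/3.1.37 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; "
    ".NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;"
    "m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;u=Admin;northstar;ecc5fae7-eb08-7218-c1c2-03acf2904f5a)"
)
CRYPTOAPI_UA = "Microsoft-CryptoAPI/6.1"
BASE = "/installer/52fe2c91-49dc-40b7-b209-1f140a000013/13278311"

# Constructed from the report's network section: one dict per HTTP exchange, response headers trimmed.
HTTP_LOG = [
    {"host": "ocsp.thawte.com", "ua": CRYPTOAPI_UA, "status": 200,
     "ctype": "application/ocsp-response", "headers": {}},
    {"host": "crl.thawte.com", "ua": CRYPTOAPI_UA, "status": 200,
     "ctype": "application/pkix-crl", "headers": {}},
    {"host": "th.symcd.com", "ua": CRYPTOAPI_UA, "status": 200,
     "ctype": "application/ocsp-response", "headers": {}},
    {"host": "d8fb9.northstar.api.socdn.com", "path": BASE + "/config", "ua": DOWNLOADMR_UA,
     "status": 200, "ctype": "text/html; charset=UTF-8",
     "headers": {"Server": "nginx", "X-Redirect": "skenzo",
                 "X-Template": "tpl_CleanPeppermintBlack_twoclick"}},
    {"host": "d8fb9.northstar.api.socdn.com", "path": BASE + "/event", "ua": DOWNLOADMR_UA,
     "status": 403, "ctype": "text/html; charset=utf-8", "headers": {"Server": "awselb/2.0"}},
]
# Copied from the report's DNS answer for the beacon host.
CNAME_CHAIN = {"d8fb9.northstar.api.socdn.com": ["615321.parkingcrew.net"]}

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_downloadmr_ua(ua):
    """Split the DownloadMR User-Agent into fields.

    'm', 'username', 'campaign' and 'install_id' are labels chosen for this example
    (assumption); the UA format itself is not documented on the page.
    """
    m = re.fullmatch(r"(\w+)/([\d.]+) \((.*)\)", ua)
    if not m:
        return None
    fields = [f.strip() for f in m.group(3).split(";") if f.strip()]
    info = {"product": m.group(1), "version": m.group(2), "fields": fields,
            "dotnet": [f for f in fields if f.startswith(".NET CLR")]}
    for i, f in enumerate(fields):
        if f.startswith("m="):
            info["m"] = f[2:].split("/")
        elif f.startswith("u="):
            info["username"] = f[2:]
        elif GUID_RE.match(f):
            info["install_id"] = f
            info["campaign"] = fields[i - 1]      # assumption: the label preceding the GUID
    return info


def classify(rec):
    """Label one HTTP exchange. CryptoAPI OCSP/CRL fetches are a side effect of
    Authenticode verification of the signed dropper, not attacker infrastructure."""
    if rec["ua"].startswith("Microsoft-CryptoAPI/") and rec["ctype"] in (
            "application/ocsp-response", "application/pkix-crl"):
        return "revocation-check"
    if rec["ua"].startswith("DownloadMR/"):
        return "installer-beacon"
    return "other"


def looks_parked(rec, cname_chain):
    """True when the beacon host is parked: CNAME into a parking provider, or an HTML
    answer carrying parking-template headers where a config document was expected."""
    parked_cname = any(c.endswith(".parkingcrew.net") for c in cname_chain.get(rec["host"], []))
    parking_headers = "X-Template" in rec["headers"] or "X-Redirect" in rec["headers"]
    html = rec["ctype"].lower().startswith("text/html")
    return parked_cname or (parking_headers and html)


def triage(log=HTTP_LOG, chain=CNAME_CHAIN):
    """Summarise: exchanges per class, whether every beacon hit a parked host, and the UA fields."""
    labels = [classify(r) for r in log]
    beacons = [r for r, lab in zip(log, labels) if lab == "installer-beacon"]
    return {
        "counts": {lab: labels.count(lab) for lab in set(labels)},
        "beacon_parked": bool(beacons) and all(looks_parked(r, chain) for r in beacons),
        "beacon_statuses": [r["status"] for r in beacons],
        "ua": parse_downloadmr_ua(DOWNLOADMR_UA),
    }


if __name__ == "__main__":
    print(triage())
```

The practical consequence for this run: the sample never received a working configuration, so the behaviours recorded here (certificate-store changes, the 4225-byte event POST) are the installer's baseline, not whatever payload the dead config endpoint once served. The username and GUID in the User-Agent are the host-identifying fields to watch for in proxy logs.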
MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab955F.tmp

    Filesize

    7KB

    MD5

    07aec5663b56e6db03f6dc84b448ad65

    SHA1

    20c5ab398d8192d511291d9cbe3ac172c1cbbea8

    SHA256

    d399450f2ab44df2b4c7277ed701122368b63b1a4aeea6fb16c5805618e14834

    SHA512

    a1feab230c509348047517261ad4058ef8f34c68b112260229df9526a89638b39ad957eb8a160e0b77e1bd126a457853de9cec352316f74fb4a50c7d829061f9

  • C:\Users\Admin\AppData\Local\Temp\Tar9590.tmp

    Filesize

    91KB

    MD5

    62fb6771959d6b061ef7a4bee3459b89

    SHA1

    d918ff7bb088f92f5e93377fbd82de86afefbe95

    SHA256

    fd9f3da55ef6c09f3f3c9eb272e1477489887e98bd7835e4a0196b131f05a334

    SHA512

    6ae8d4b85c5bb6d7e368ee806000ce7570e6b80cf1433856d92f001263da8700b279f5f5da8c4aefc41cfe75c332935bae313b9e00edeb703629d2015a42b32d

  • C:\Users\Admin\AppData\Local\Temp\n1899\s1899.exe

    Filesize

    160KB

    MD5

    1a3c2921351a4667ca0899c434694cde

    SHA1

    268c06fa3cd56becbe99a2422714e91a3cb293b7

    SHA256

    b8fcb400a7d51906464d490ea7560f608537046a7f4688a4ac99d55467758aff

    SHA512

    82ecf6151bfe3e5d54cd5ac6e03703d7a1fd2ab75dbfd959212b5c3a5531116d563a2f03b780dc670f97f1cb0b55aca3283050d0937eaea06e98d40636f46925

  • \Users\Admin\AppData\Local\Temp\n1899\s1899.exe

    Filesize

    230KB

    MD5

    abaf13cb23de482dc944ab5b51ca3aac

    SHA1

    76837356db96dd56b647aba60f1adbbdc7b200fe

    SHA256

    b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

    SHA512

    cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

  • memory/1976-76-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-78-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-72-0x0000000000430000-0x0000000000442000-memory.dmp

    Filesize

    72KB

  • memory/1976-73-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-74-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-75-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-23-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-22-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

    Filesize

    9.6MB

  • memory/1976-77-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

    Filesize

    9.6MB

  • memory/1976-79-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-80-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

    Filesize

    9.6MB

  • memory/1976-81-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-82-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-83-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-84-0x0000000000380000-0x0000000000400000-memory.dmp

    Filesize

    512KB

  • memory/1976-85-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

    Filesize

    9.6MB
