Analysis

  • max time kernel
    60s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/12/2023, 21:31 UTC

General

  • Target

    f9829b33fdd63fca564aac7da5c096a9.exe

  • Size

    302KB

  • MD5

    f9829b33fdd63fca564aac7da5c096a9

  • SHA1

    98f3cec3696847ca5cfd25b451d0cc151a4a244f

  • SHA256

    31b9ea45a54ae375bc316c1810ce1953cccdeecdb53f599fa31c2739df4bbd6d

  • SHA512

    03e1a57c1082b0ac6ccd9d92cd9296067bf0b7a8ba30674804d9f5d9dc70849fe81f04747f58c965b1d00f8f86ef8ec23137b4c6f58c53a887153e5798b5cde0

  • SSDEEP

    6144:lvIj8NvygNcg+RoK0zat8GzwzkIXfYnPYEvaUy:lQjAyGjK0qjIQnA6aL

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory (2 IoCs)
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates connected drives (3 TTPs, 19 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9829b33fdd63fca564aac7da5c096a9.exe
    "C:\Users\Admin\AppData\Local\Temp\f9829b33fdd63fca564aac7da5c096a9.exe"
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID: 3304
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /S /Q "C:\Users\Admin\Cookies\"
      PID: 5052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /S /Q "C:\Users\Admin\Application Data\Macromedia\Flash Player\"
      PID: 3180

Network

  • 124.217.253.6:80
    f9829b33fdd63fca564aac7da5c096a9.exe
    260 B
    5

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3304-0-0x0000000000400000-0x0000000001564000-memory.dmp
    Filesize: 17.4MB

  • memory/3304-6-0x0000000000400000-0x0000000001564000-memory.dmp
    Filesize: 17.4MB
