Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 23:27 UTC

General

  • Target

    1ffc2c26ab31b537d7899a9f031db5b6.exe

  • Size

    10.7MB

  • MD5

    1ffc2c26ab31b537d7899a9f031db5b6

  • SHA1

    72d6e7350529d54db43ecc7fdaab04faa4ad2fae

  • SHA256

    edda1f75843df9a7fa61712ba133330248b20d0ed0d314ec11d2019750a73499

  • SHA512

    8c4bf2628de439499f37010ae4e73623beb4f487e4096e5d90ce1cd3cd850dbcd6287de084f7b42a21d5d0df31d4adf669e8185671a3429ec091dc94372aba9e

  • SSDEEP

    196608:XYcQl6YrAsgdsODCF6B/rAsgVt8Cr0rAsgdsODCF6B/rAsg:Ixs6AcOW6A/rreAcOW6A

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
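
The "UPX packed file" signature above is a static packer check. The following added example (mine, not tria.ge's rule and not the sample's code) shows the kind of evidence such a check rests on: UPX-named sections, the `UPX!` magic at the head of the packed block, the UPX banner string, and the structural tell that survives section renaming in "modified UPX" builds, a first section with no raw data that the stub decompresses into. The sample PEs are constructed in the block (headers only, no real code) so it runs offline; a real triage would run the same indicators over the file on disk with a proper PE library.

```python
import struct

COFF_HDR = 20      # sizeof(IMAGE_FILE_HEADER)
SECTION_HDR = 40   # sizeof(IMAGE_SECTION_HEADER)


def pe_sections(data: bytes) -> list[dict]:
    """Parse the section table of a PE image; returns [] if the buffer is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + COFF_HDR > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)       # SizeOfOptionalHeader
    first = e_lfanew + 4 + COFF_HDR + opt_size
    sections = []
    for i in range(num_sections):
        off = first + i * SECTION_HDR
        if off + SECTION_HDR > len(data):
            break                                                     # truncated table
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize})
    return sections


def upx_indicators(data: bytes) -> dict:
    """Independent UPX tells; renamed-section variants lose the first one only."""
    secs = pe_sections(data)
    return {
        "upx_section_names": any(s["name"].upper().startswith("UPX") for s in secs),
        "upx_magic": b"UPX!" in data,                       # l_info magic of the packed block
        "upx_banner": b"packed with the UPX executable packer" in data,
        # UPX0 holds no file data: the stub unpacks into it at run time.
        "virtual_first_section": bool(secs) and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0,
    }


def is_upx_packed(data: bytes) -> bool:
    """Section names alone are decisive; otherwise require two independent tells."""
    ind = upx_indicators(data)
    return ind["upx_section_names"] or sum(ind.values()) >= 2


def build_pe(sections: list[tuple[str, int, int]], tail: bytes = b"") -> bytes:
    """Constructed minimal PE (headers only) for demonstration: (name, vsize, rawsize)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    hdrs, va = b"", 0x1000
    for name, vsize, rawsize in sections:
        hdrs += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, va, rawsize, 0, 0, 0, 0, 0, 0xE0000020)
        va += (vsize + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + hdrs + tail


# Constructed samples (not the file from this report):
UPX_SAMPLE = build_pe(
    [("UPX0", 0x50000, 0), ("UPX1", 0x21000, 0x20000), (".rsrc", 0x1000, 0x1000)],
    b"UPX!" + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $")
RENAMED_SAMPLE = build_pe([(".text", 0x50000, 0), (".data", 0x21000, 0x20000)], b"UPX!")
CLEAN_SAMPLE = build_pe([(".text", 0x1000, 0x1000), (".data", 0x200, 0x200), (".rsrc", 0x400, 0x400)])

if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, is_upx_packed(blob), upx_indicators(blob))
```

UPX by itself is not malicious; plenty of legitimate software ships packed. The practical follow-up is to try `upx -d` on a copy: an unmodified stub unpacks cleanly and the unpacked image can be analysed statically, while a modified stub (the "modified UPX" case in the signature text) makes `upx` refuse the file, which is itself a stronger signal than the section names.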

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ffc2c26ab31b537d7899a9f031db5b6.exe
    "C:\Users\Admin\AppData\Local\Temp\1ffc2c26ab31b537d7899a9f031db5b6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\1ffc2c26ab31b537d7899a9f031db5b6.exe
      C:\Users\Admin\AppData\Local\Temp\1ffc2c26ab31b537d7899a9f031db5b6.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:3040

Network

  • flag-us
    DNS
    zipansion.com
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    104.21.73.114
    zipansion.com
    IN A
    172.67.144.180
  • flag-us
    DNS
    zipansion.com
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
  • flag-us
    GET
    http://zipansion.com/2pRLi
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    Remote address:
    104.21.73.114:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 01 Jan 2024 12:10:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=2t09ev83a7ukg9dps77ll61i1r; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-36721OBNX/2pRLi?rndad=1502943035-1704111041
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gOFDrUwmN1YWAisSf9VZqTlbjH%2Fr%2FKBJSOIWQif22%2B689opUA0YPPO9%2BLsqbRd2tyJ4y55ctJ2kmVSXFKWInOJQhBwDrzkCcc9XSDbyXiX3DBPBrO5aiSQC9AZATdynz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 83eaa9170e234599-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    yxeepsek.net
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
    Response
    yxeepsek.net
    IN A
    172.67.194.101
    yxeepsek.net
    IN A
    104.21.20.204
  • flag-us
    GET
    http://yxeepsek.net/-36721OBNX/2pRLi?rndad=1502943035-1704111041
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /-36721OBNX/2pRLi?rndad=1502943035-1704111041 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Response
    HTTP/1.1 302 Found
    Date: Mon, 01 Jan 2024 12:10:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=c14sfct433jqkhk5sbai3vfmb2; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xOSzaQhPO3%2FsTYSnFVsY1BTVvVtIblvX612r2qgnWBeJwjrm1bZ%2Ba1IYv8qXqFGpzYH7O5PuvqRf%2BsPAz14PPIAYeas5DLO61uGo8c9Bq4Tk5QF1qDwNeeYp4RhLHUg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 83eaa918cf4f23b2-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    GET
    http://yxeepsek.net/suspended?a=3&u=20186239
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Cookie: FLYSESSID=c14sfct433jqkhk5sbai3vfmb2
    Response
    HTTP/1.1 200 OK
    Date: Mon, 01 Jan 2024 12:10:41 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f6oongtIonyEChLpRzxyHBNInxzJdzuyo0pe4r14U84SKMloKFXCNiKBOhBiip3e0arloPz%2FuqnOKan%2BdYRVoHBxh1XT0qQJSRZGqCXmhpXXKvYitaCIboIV1jGTs2E%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 83eaa91a491c23b2-LHR
    alt-svc: h2=":443"; ma=60
  • 104.21.73.114:80
    http://zipansion.com/2pRLi
    http
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    sent: 489 B
    received: 2.1kB
    packets sent: 7
    packets received: 5

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    301
  • 172.67.194.101:80
    http://yxeepsek.net/suspended?a=3&u=20186239
    http
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    sent: 886 B
    received: 3.2kB
    packets sent: 9
    packets received: 8

    HTTP Request

    GET http://yxeepsek.net/-36721OBNX/2pRLi?rndad=1502943035-1704111041

    HTTP Response

    302

    HTTP Request

    GET http://yxeepsek.net/suspended?a=3&u=20186239

    HTTP Response

    200
  • 8.8.8.8:53
    zipansion.com
    dns
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    sent: 118 B
    received: 91 B
    packets sent: 2
    packets received: 1

    DNS Request

    zipansion.com

    DNS Request

    zipansion.com

    DNS Response

    104.21.73.114
    172.67.144.180

  • 8.8.8.8:53
    yxeepsek.net
    dns
    1ffc2c26ab31b537d7899a9f031db5b6.exe
    sent: 58 B
    received: 90 B
    packets sent: 1
    packets received: 1

    DNS Request

    yxeepsek.net

    DNS Response

    172.67.194.101
    104.21.20.204

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1ffc2c26ab31b537d7899a9f031db5b6.exe

    Filesize

    78KB

    MD5

    36d89eb3f02e597a1e6fa1beeb07e165

    SHA1

    62ee86ed4180e2a596c2ce8c8b0e3706da15a4f8

    SHA256

    adb38789cf6a9bdae5a41c5de875a8083bceacc277e5f4d4e405789d381c5376

    SHA512

    197cbb9d8fa460cc242e39244bcc401999e67f1eabe37918dc38dfddc00fcad2073751a1740b9503d42534d54930a4bde180ca00b214b5f98e7283fd26ffb063

  • \Users\Admin\AppData\Local\Temp\1ffc2c26ab31b537d7899a9f031db5b6.exe

    Filesize

    99KB

    MD5

    6f2f2a18c56e9562a0735f1855063795

    SHA1

    b6067037614fc1aa83a80515374cd444efb5f995

    SHA256

    9f75e918abd30517949eb55044f007cf0ba868a3b57f0f5a7cdffa2090171da0

    SHA512

    8f0a32e27683d77e479f2dee1b9159ad8eb497a8e5192c172b9d7c3e252d6c2491f8b9fe9a0f4485e73c68ef88a8065b24dd1ab8c8348f5f07f89682026320ec

  • memory/2236-0-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/2236-1-0x0000000000130000-0x0000000000242000-memory.dmp

    Filesize

    1.1MB

  • memory/2236-2-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/2236-15-0x00000000046B0000-0x0000000004B1A000-memory.dmp

    Filesize

    4.4MB

  • memory/2236-14-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/3040-17-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/3040-19-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/3040-18-0x0000000001A60000-0x0000000001B72000-memory.dmp

    Filesize

    1.1MB

  • memory/3040-26-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB
