Analysis

max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 03:59 UTC
Static task: static1

Behavioral task: behavioral1
  Sample: 0db271959c6498e6ac93f42f70edd7fd.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 0db271959c6498e6ac93f42f70edd7fd.exe
  Resource: win10v2004-20231215-en
General

Target: 0db271959c6498e6ac93f42f70edd7fd.exe
Size: 78KB
MD5: 0db271959c6498e6ac93f42f70edd7fd
SHA1: 0ee7c3e155b3aa1c8a2755524a074e5e9d27c460
SHA256: 27e1ad7e5df8b547ab69367b629661af0cd4b8386aa4d7d4cf05816d8b3e68ba
SHA512: 9d99d2823c2290d5c45da426b81dc551ae8fbdcd1e36ef30d255b0dedd9d4e2469e83ce904e07b496250e47b13e0c2f4ab1298dd6d1411df4d640ad5fa7821ac
SSDEEP: 1536:RR8jgVoGs8pQjci3Qi6mDfq+TKsySfizW7KsdN36M/w6YZ8:YjasFgi3pySay7KS/w58
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | 0db271959c6498e6ac93f42f70edd7fd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 0db271959c6498e6ac93f42f70edd7fd.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1648 wrote to memory of 2912 | 1648 | 0db271959c6498e6ac93f42f70edd7fd.exe | 91
  PID 1648 wrote to memory of 2912 | 1648 | 0db271959c6498e6ac93f42f70edd7fd.exe | 91
  PID 1648 wrote to memory of 2912 | 1648 | 0db271959c6498e6ac93f42f70edd7fd.exe | 91
Processes

C:\Users\Admin\AppData\Local\Temp\0db271959c6498e6ac93f42f70edd7fd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0db271959c6498e6ac93f42f70edd7fd.exe"
  PID: 1648
  - Checks computer location settings
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  child process:
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wpf..bat" > nul 2> nul
    PID: 2912
Network

DNS 8.8.8.8:53
  Request: google.at IN A
  Response: google.at IN A 142.250.180.3

DNS 8.8.8.8:53
  Request: narod.ru IN A
  Response: narod.ru IN A 195.216.243.246

DNS 8.8.8.8:53
  Request: feedbridgenet.in IN A
  Response: (empty)

DNS 8.8.8.8:53
  Request: webdatum.in IN A
  Response: (empty)

DNS 8.8.8.8:53
  Request: 5.181.190.20.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 59.128.231.4.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 59.128.231.4.in-addr.arpa IN PTR

DNS 8.8.8.8:53
  Request: 240.221.184.93.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR

DNS 8.8.8.8:53
  Request: 26.35.223.20.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 241.154.82.20.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 41.110.16.96.in-addr.arpa IN PTR
  Response: 41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com

DNS 8.8.8.8:53
  Request: 86.23.85.13.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 18.31.95.13.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 140.71.91.104.in-addr.arpa IN PTR
  Response: 140.71.91.104.in-addr.arpa IN PTR a104-91-71-140.deploy.static.akamaitechnologies.com

DNS 8.8.8.8:53
  Request: 140.71.91.104.in-addr.arpa IN PTR

DNS 8.8.8.8:53
  Request: 58.99.105.20.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 58.99.105.20.in-addr.arpa IN PTR

DNS 8.8.8.8:53
  Request: tse1.mm.bing.net IN A
  Response:
    tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net IN A 204.79.197.200
    dual-a-0001.a-msedge.net IN A 13.107.21.200

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 485755
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B97B4DB9D08A4F009A4E2F3D1643AC8F Ref B: LON04EDGE0714 Ref C: 2023-12-30T20:37:32Z
date: Sat, 30 Dec 2023 20:37:31 GMT

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 489903
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2EC5AD71066D441D98A258E84E590FD4 Ref B: LON04EDGE0714 Ref C: 2023-12-30T20:37:32Z
date: Sat, 30 Dec 2023 20:37:31 GMT

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 291493
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EF3206CEC3D94B3192C3D9DE302F4D6C Ref B: LON04EDGE0714 Ref C: 2023-12-30T20:37:32Z
date: Sat, 30 Dec 2023 20:37:31 GMT

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

DNS 8.8.8.8:53
  Request: 200.197.79.204.in-addr.arpa IN PTR
  Response: 200.197.79.204.in-addr.arpa IN PTR a-0001.a-msedge.net

DNS 8.8.8.8:53
  Request: 81.179.17.96.in-addr.arpa IN PTR
  Response: 81.179.17.96.in-addr.arpa IN PTR a96-17-179-81.deploy.static.akamaitechnologies.com

DNS 8.8.8.8:53
  Request: 30.243.111.52.in-addr.arpa IN PTR
  Response: (empty)

DNS 8.8.8.8:53
  Request: 9.179.89.13.in-addr.arpa IN PTR
  Response: (empty)

1.4kB 8.2kB 17 13

204.79.197.200:443 https://tse1.mm.bing.net/th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4 tls, http 296.3kB 2.7MB 1991 1979
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4
  HTTP Response: 200
  HTTP Response: 200
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4
  HTTP Response: 200

1.5kB 8.2kB 17 12

1.4kB 8.2kB 17 13

1.4kB 8.3kB 16 13

55 B 71 B 1 1
  DNS Request: google.at
  DNS Response: 142.250.180.3

54 B 70 B 1 1
  DNS Request: narod.ru
  DNS Response: 195.216.243.246

62 B 115 B 1 1
  DNS Request: feedbridgenet.in

57 B 110 B 1 1
  DNS Request: webdatum.in

71 B 157 B 1 1
  DNS Request: 5.181.190.20.in-addr.arpa

142 B 157 B 2 1
  DNS Request: 59.128.231.4.in-addr.arpa
  DNS Request: 59.128.231.4.in-addr.arpa

73 B 144 B 1 1
  DNS Request: 240.221.184.93.in-addr.arpa

146 B 144 B 2 1
  DNS Request: 95.221.229.192.in-addr.arpa
  DNS Request: 95.221.229.192.in-addr.arpa

71 B 157 B 1 1
  DNS Request: 26.35.223.20.in-addr.arpa

72 B 158 B 1 1
  DNS Request: 241.154.82.20.in-addr.arpa

71 B 135 B 1 1
  DNS Request: 41.110.16.96.in-addr.arpa

70 B 144 B 1 1
  DNS Request: 86.23.85.13.in-addr.arpa

70 B 144 B 1 1
  DNS Request: 18.31.95.13.in-addr.arpa

144 B 137 B 2 1
  DNS Request: 140.71.91.104.in-addr.arpa
  DNS Request: 140.71.91.104.in-addr.arpa

142 B 157 B 2 1
  DNS Request: 58.99.105.20.in-addr.arpa
  DNS Request: 58.99.105.20.in-addr.arpa

62 B 173 B 1 1
  DNS Request: tse1.mm.bing.net
  DNS Response: 204.79.197.200, 13.107.21.200

73 B 106 B 1 1
  DNS Request: 200.197.79.204.in-addr.arpa

71 B 135 B 1 1
  DNS Request: 81.179.17.96.in-addr.arpa

72 B 158 B 1 1
  DNS Request: 30.243.111.52.in-addr.arpa

70 B 144 B 1 1
  DNS Request: 9.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 210B
MD5: d6ee1140aa8be30cf602b3a7c04db323
SHA1: 363d1e05d003ca59c3f5170f7fddc87deece2ec0
SHA256: 9e7f52d44671255051309e4021d40e4b690e4d48d82e2a729adbb5ebde77f726
SHA512: f2f780d1066fce6fa1e4b336de1a3943a575e67d2ea894a66d85a2c7a1d7232cb017bd6ec9ed7eebe8fc3479cd9d237f2ac7f2646055bfaa7461cfd7b454b2a9