Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 03:59 UTC

General

  • Target

    0db271959c6498e6ac93f42f70edd7fd.exe

  • Size

    78KB

  • MD5

    0db271959c6498e6ac93f42f70edd7fd

  • SHA1

    0ee7c3e155b3aa1c8a2755524a074e5e9d27c460

  • SHA256

    27e1ad7e5df8b547ab69367b629661af0cd4b8386aa4d7d4cf05816d8b3e68ba

  • SHA512

    9d99d2823c2290d5c45da426b81dc551ae8fbdcd1e36ef30d255b0dedd9d4e2469e83ce904e07b496250e47b13e0c2f4ab1298dd6d1411df4d640ad5fa7821ac

  • SSDEEP

    1536:RR8jgVoGs8pQjci3Qi6mDfq+TKsySfizW7KsdN36M/w6YZ8:YjasFgi3pySay7KS/w58

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0db271959c6498e6ac93f42f70edd7fd.exe
    "C:\Users\Admin\AppData\Local\Temp\0db271959c6498e6ac93f42f70edd7fd.exe"
    1⤵
    • Checks computer location settings
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wpf..bat" > nul 2> nul
      2⤵
        PID:2912

    Network

    • flag-us
      DNS
      google.at
      0db271959c6498e6ac93f42f70edd7fd.exe
      Remote address:
      8.8.8.8:53
      Request
      google.at
      IN A
      Response
      google.at
      IN A
      142.250.180.3
    • flag-us
      DNS
      narod.ru
      0db271959c6498e6ac93f42f70edd7fd.exe
      Remote address:
      8.8.8.8:53
      Request
      narod.ru
      IN A
      Response
      narod.ru
      IN A
      195.216.243.246
    • flag-us
      DNS
      feedbridgenet.in
      0db271959c6498e6ac93f42f70edd7fd.exe
      Remote address:
      8.8.8.8:53
      Request
      feedbridgenet.in
      IN A
      Response
    • flag-us
      DNS
      webdatum.in
      0db271959c6498e6ac93f42f70edd7fd.exe
      Remote address:
      8.8.8.8:53
      Request
      webdatum.in
      IN A
      Response
    • flag-us
      DNS
      5.181.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      5.181.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      59.128.231.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      59.128.231.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      59.128.231.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      59.128.231.4.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41deploystaticakamaitechnologiescom
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      140.71.91.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.71.91.104.in-addr.arpa
      IN PTR
      Response
      140.71.91.104.in-addr.arpa
      IN PTR
      a104-91-71-140deploystaticakamaitechnologiescom
    • flag-us
      DNS
      140.71.91.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.71.91.104.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      58.99.105.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.99.105.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.99.105.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.99.105.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 485755
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B97B4DB9D08A4F009A4E2F3D1643AC8F Ref B: LON04EDGE0714 Ref C: 2023-12-30T20:37:32Z
      date: Sat, 30 Dec 2023 20:37:31 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 489903
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 2EC5AD71066D441D98A258E84E590FD4 Ref B: LON04EDGE0714 Ref C: 2023-12-30T20:37:32Z
      date: Sat, 30 Dec 2023 20:37:31 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 291493
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: EF3206CEC3D94B3192C3D9DE302F4D6C Ref B: LON04EDGE0714 Ref C: 2023-12-30T20:37:32Z
      date: Sat, 30 Dec 2023 20:37:31 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001a-msedgenet
    • flag-us
      DNS
      81.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.179.17.96.in-addr.arpa
      IN PTR
      Response
      81.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-81deploystaticakamaitechnologiescom
    • flag-us
      DNS
      30.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      30.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.179.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.179.89.13.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      8.2kB
      17
      13
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4
      tls, http2
      96.3kB
      2.7MB
      1991
      1979

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.5kB
      8.2kB
      17
      12
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      8.2kB
      17
      13
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      8.3kB
      16
      13
    • 8.8.8.8:53
      google.at
      dns
      0db271959c6498e6ac93f42f70edd7fd.exe
      55 B
      71 B
      1
      1

      DNS Request

      google.at

      DNS Response

      142.250.180.3

    • 8.8.8.8:53
      narod.ru
      dns
      0db271959c6498e6ac93f42f70edd7fd.exe
      54 B
      70 B
      1
      1

      DNS Request

      narod.ru

      DNS Response

      195.216.243.246

    • 8.8.8.8:53
      feedbridgenet.in
      dns
      0db271959c6498e6ac93f42f70edd7fd.exe
      62 B
      115 B
      1
      1

      DNS Request

      feedbridgenet.in

    • 8.8.8.8:53
      webdatum.in
      dns
      0db271959c6498e6ac93f42f70edd7fd.exe
      57 B
      110 B
      1
      1

      DNS Request

      webdatum.in

    • 8.8.8.8:53
      5.181.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      5.181.190.20.in-addr.arpa

    • 8.8.8.8:53
      59.128.231.4.in-addr.arpa
      dns
      142 B
      157 B
      2
      1

      DNS Request

      59.128.231.4.in-addr.arpa

      DNS Request

      59.128.231.4.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      146 B
      144 B
      2
      1

      DNS Request

      95.221.229.192.in-addr.arpa

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      140.71.91.104.in-addr.arpa
      dns
      144 B
      137 B
      2
      1

      DNS Request

      140.71.91.104.in-addr.arpa

      DNS Request

      140.71.91.104.in-addr.arpa

    • 8.8.8.8:53
      58.99.105.20.in-addr.arpa
      dns
      142 B
      157 B
      2
      1

      DNS Request

      58.99.105.20.in-addr.arpa

      DNS Request

      58.99.105.20.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      81.179.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      81.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      30.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      30.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      9.179.89.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      9.179.89.13.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Wpf..bat

      Filesize

      210B

      MD5

      d6ee1140aa8be30cf602b3a7c04db323

      SHA1

      363d1e05d003ca59c3f5170f7fddc87deece2ec0

      SHA256

      9e7f52d44671255051309e4021d40e4b690e4d48d82e2a729adbb5ebde77f726

      SHA512

      f2f780d1066fce6fa1e4b336de1a3943a575e67d2ea894a66d85a2c7a1d7232cb017bd6ec9ed7eebe8fc3479cd9d237f2ac7f2646055bfaa7461cfd7b454b2a9

    • memory/1648-0-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/1648-1-0x0000000000740000-0x0000000000741000-memory.dmp

      Filesize

      4KB

    • memory/1648-2-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/1648-3-0x0000000002240000-0x0000000002241000-memory.dmp

      Filesize

      4KB

    • memory/1648-5-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.