Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

142a2d3dea...f9.exe

windows7-x64

7

142a2d3dea...f9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 09:11 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    142a2d3dea2882c789d495d510e8aff9.exe

  • Size

    385KB

  • MD5

    142a2d3dea2882c789d495d510e8aff9

  • SHA1

    5dbeeddcb8000690097115dc432696a0c6ddaba8

  • SHA256

    c4cbe2085eb5c538971dda9a2b789b904120dd128def616b40179599bb90d663

  • SHA512

    cbbbca91ca88eb96045ea2fa9387615de7544cdf32f0bd28f9af25d5453f012f6e9f1dfc98e176b7d2c5ebd28a968236547fbe3bde3c476bc966f90497b8b439

  • SSDEEP

    6144:EbSJtTwaqtBY2ueUeli9W7EJWjrCIQmxWatnAJR4AHYlBNpOrXMtC+nB:EbSJmS2Cz93Wrz5xtWXHmBqgB

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe
    "C:\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe
      C:\Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:3068

Network

  • flag-us
    DNS
    pastebin.com
    142a2d3dea2882c789d495d510e8aff9.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.67.143
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    172.67.34.170
  • flag-us
    DNS
    pastebin.com
    142a2d3dea2882c789d495d510e8aff9.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
  • flag-us
    GET
    https://pastebin.com/raw/ubFNTPjt
    142a2d3dea2882c789d495d510e8aff9.exe
    Remote address:
    104.20.67.143:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 31 Dec 2023 09:48:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: EXPIRED
    Server: cloudflare
    CF-RAY: 83e19c052aeb770e-LHR
  • 104.20.67.143:443
    https://pastebin.com/raw/ubFNTPjt
    tls, http
    142a2d3dea2882c789d495d510e8aff9.exe
    939 B
     4.6kB
     10
    10

    HTTP Request

    GET https://pastebin.com/raw/ubFNTPjt

    HTTP Response

    404
  • 8.8.8.8:53
    pastebin.com
    dns
    142a2d3dea2882c789d495d510e8aff9.exe
    116 B
     106 B
     2
    1

    DNS Request

    pastebin.com

    DNS Request

    pastebin.com

    DNS Response

    104.20.67.143
    104.20.68.143
    172.67.34.170

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab148C.tmp
    Filesize

    31KB

    MD5

    8ccdf20c482e9ca646ac3e16e592cf7a

    SHA1

    0c89e1600962a79f05667ca661ed77f20bef5854

    SHA256

    f0fb403904cd36346c326a0889121c3a0ee02854582566c67c6906338c637eca

    SHA512

    7ec6aaabaae158eb068c0548bc1e50aed25dc4f0b0d2bbb0937d49e4825156acf0a475289dc124b81aa82b17d4ccd17c03540c37654f11d79b56f3deb3de015c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar149F.tmp
    Filesize

    12KB

    MD5

    4f61616febcf222f628e04ed19b23463

    SHA1

    38d2851efcb79c1d52ebcb3fbc0e2ac2aa4cadb6

    SHA256

    1120666b3d8a178a6896b7162e3b7e532f081486d43f50690061b72b5428bae8

    SHA512

    cd3631432999e82f2d7c2f81e52af96d65c7eb0c3b385a2d0c913d355cd1535c149eab38ba1e52aeaa3d2d8406f3624da274b8e67ccfef0b12ea23bdb851d0b1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\142a2d3dea2882c789d495d510e8aff9.exe
    Filesize

    13KB

    MD5

    286cbdf635cb554ceb6053e6e17dd5f8

    SHA1

    fa8cc86a0a441381d7046dff6de784925c583d51

    SHA256

    9d7d770b43600dd6c42fe6b3d0221d4e173912efad19c137d08bdbb6a636d6e1

    SHA512

    5cf0e983174b02d8b3f9b62420c34f10278126bbaab02c370d0e8ec2e631dd4266e8bc7664cec0bd15e1792d98a88dd28233359b2a9d7eda67db47578fd0f6a3

    Download Submit

  • memory/3028-1-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/3028-15-0x00000000002D0000-0x0000000000336000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3028-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3028-13-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/3028-2-0x0000000000190000-0x00000000001F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3068-23-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3068-28-0x0000000000240000-0x000000000029F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/3068-18-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3068-20-0x0000000000190000-0x00000000001F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3068-83-0x0000000005550000-0x000000000558C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3068-82-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3068-77-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.