Analysis
max time kernel: 141s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 12:10 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 35b66345f1c3290ca69590beaa4ce3e8.exe
Resource: win7-20231215-en
General
Target: 35b66345f1c3290ca69590beaa4ce3e8.exe
Size: 843KB
MD5: 35b66345f1c3290ca69590beaa4ce3e8
SHA1: 880396d988c3eb62442a6018abb133929fa8bf41
SHA256: 9b64f57a1d8bb73e88ac85d60dd976baf6eef38f41cc54a1bb1fd320b92d1fd2
SHA512: e50030bcc7be5e2aaed59d58ac22bb6ab30438e65d0e212a15738653dbc9b723540ebe607fe35530723502d9057e016689f5d659818ba65db4632ec7ca88b390
SSDEEP: 12288:vKPJkaflSaldGlCTa87+ttV6sQG3r/p0iEiRYhdtWAAxfr6IwCYeaZIPxSX9Evox:iPJka9trH+tdQabptpbJPq
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP. In this run the lookup returned no data: freegeoip.app answered with a 301 to https://ipbase.com/xml/, which answered 404 (see Network below).
flow | ioc
3 | freegeoip.app
5 | freegeoip.app

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. The same key is also read by many legitimate installers and runtimes, so on its own it is a weak indicator and should be weighed with the other behaviours listed here.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 35b66345f1c3290ca69590beaa4ce3e8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 35b66345f1c3290ca69590beaa4ce3e8.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
3480 | 35b66345f1c3290ca69590beaa4ce3e8.exe
3480 | 35b66345f1c3290ca69590beaa4ce3e8.exe
3480 | 35b66345f1c3290ca69590beaa4ce3e8.exe
3480 | 35b66345f1c3290ca69590beaa4ce3e8.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
SeDebugPrivilege lets a process open handles to other processes regardless of their ACLs; enabling it is a common precursor to reading other processes' memory or injecting into them.
description | pid | process
Token: SeDebugPrivilege | 3480 | 35b66345f1c3290ca69590beaa4ce3e8.exe
Processes
Network

DNS via 8.8.8.8:53
  Request: freegeoip.app IN A
  Response: freegeoip.app IN A 172.67.160.84; freegeoip.app IN A 104.21.73.97

HTTP to 172.67.160.84:443
  Request:
    GET /xml/ HTTP/1.1
    Host: freegeoip.app
    Connection: Keep-Alive
  Response:
    HTTP/1.1 301 Moved Permanently
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Wed, 10 Jan 2024 14:32:28 GMT
    Location: https://ipbase.com/xml/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Nkk7U0CeqDETyeQOgu1NiqMkeBb0D0aSv%2B6mBkyRWYe9dw88J67Bkjh96M%2FHNbyIzTgMdcfOubBE65US5gV5iJzEcFzLmEY99QgcybI%2B8qbyobxEMRRPGeUAH1x4%2BftE"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8435494918248926-LHR
    alt-svc: h3=":443"; ma=86400

DNS via 8.8.8.8:53
  Request: g.bing.com IN A
  Response: g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net; g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net; dual-a-0001.a-msedge.net IN A 204.79.197.200; dual-a-0001.a-msedge.net IN A 13.107.21.200

DNS via 8.8.8.8:53
  Request: g.bing.com IN A
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: g.bing.com IN A
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: ipbase.com IN A
  Response: ipbase.com IN A 172.67.209.71; ipbase.com IN A 104.21.85.189

HTTP to 172.67.209.71:443
  Request:
    GET /xml/ HTTP/1.1
    Host: ipbase.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Age: 49128
    Cache-Control: public,max-age=0,must-revalidate
    Cache-Status: "Netlify Edge"; hit
    Vary: Accept-Encoding
    X-Nf-Request-Id: 01HKSS63MH7X14Q21Y6GG7SH5N
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q6cZD0hHbImMNlvqbe7iydBLBsK1J%2FuJhomYIcbmUbp4GPz%2B1yFqSU%2BhWKb3MP9PdA%2BXyv2NdlJ7jIbnDE5thnt%2Bv3XBdooRWjH7EZBSyqW2laiLq4CbwnsI9r7d"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 84354950bddadd71-LHR
    alt-svc: h3=":443"; ma=86400

DNS via 8.8.8.8:53
  Request: 84.160.67.172.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 84.160.67.172.in-addr.arpa IN PTR
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: 240.221.184.93.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 3.181.190.20.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 71.209.67.172.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (empty)

HTTP to 204.79.197.200:443
  URL: https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2BA6D674E1766BD51DFDC276E0516A57; domain=.bing.com; expires=Mon, 03-Feb-2025 13:32:31 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8FD14E71D87943B2854EA0F69D4E73CD Ref B: LON04EDGE0708 Ref C: 2024-01-10T13:32:31Z
    date: Wed, 10 Jan 2024 13:32:30 GMT

HTTP to 204.79.197.200:443
  URL: https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
  Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2BA6D674E1766BD51DFDC276E0516A57
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=D95NIiLUqeLlLmWsKCom4GEK2gsZIYk1bnXNs2q3FPY; domain=.bing.com; expires=Mon, 03-Feb-2025 13:32:31 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EA0148C19ECB4C12876771BAED4CF20A Ref B: LON04EDGE0708 Ref C: 2024-01-10T13:32:31Z
    date: Wed, 10 Jan 2024 13:32:30 GMT

HTTP to 204.79.197.200:443
  URL: https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2BA6D674E1766BD51DFDC276E0516A57; MSPTC=D95NIiLUqeLlLmWsKCom4GEK2gsZIYk1bnXNs2q3FPY
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8898D2D1D5644E72AE3BE15EC334D865 Ref B: LON04EDGE0708 Ref C: 2024-01-10T13:32:31Z
    date: Wed, 10 Jan 2024 13:32:30 GMT

DNS via 8.8.8.8:53
  Request: 2.136.104.51.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 241.154.82.20.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 26.35.223.20.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 26.35.223.20.in-addr.arpa IN PTR
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: 208.194.73.20.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 103.169.127.40.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 41.110.16.96.in-addr.arpa IN PTR
  Response: 41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com

DNS via 8.8.8.8:53
  Request: 158.240.127.40.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 206.23.85.13.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 206.23.85.13.in-addr.arpa IN PTR
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: 217.135.221.88.in-addr.arpa IN PTR
  Response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com

DNS via 8.8.8.8:53
  Request: 100.5.17.2.in-addr.arpa IN PTR
  Response: 100.5.17.2.in-addr.arpa IN PTR a2-17-5-100.deploy.static.akamaitechnologies.com

DNS via 8.8.8.8:53
  Request: 100.5.17.2.in-addr.arpa IN PTR
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: 43.229.111.52.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 119.110.54.20.in-addr.arpa IN PTR
  Response: (empty)

DNS via 8.8.8.8:53
  Request: 211.178.17.96.in-addr.arpa IN PTR
  Response: 211.178.17.96.in-addr.arpa IN PTR a96-17-178-211.deploy.static.akamaitechnologies.com

DNS via 8.8.8.8:53
  Request: 211.178.17.96.in-addr.arpa IN PTR
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: 211.178.17.96.in-addr.arpa IN PTR
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: 128.212.248.87.in-addr.arpa IN PTR
  Response: 128.212.248.87.in-addr.arpa IN PTR https-87-248-212-128.man.llnw.net

DNS via 8.8.8.8:53
  Request: 128.212.248.87.in-addr.arpa IN PTR
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: tse1.mm.bing.net IN A
  Response: (none recorded)

DNS via 8.8.8.8:53
  Request: tse1.mm.bing.net IN A
  Response: (none recorded)

HTTP to 204.79.197.200:443
  URL: https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&w=1080&h=1920&c=4
  Request:
    GET /th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  Response: (none recorded)

HTTP to 204.79.197.200:443
  URL: https://tse1.mm.bing.net/th?id=OADD2.10239359955653_16Q8BS61PKT108CUW&pid=21.2&w=1080&h=1920&c=4
  Request:
    GET /th?id=OADD2.10239359955653_16Q8BS61PKT108CUW&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  Response: (none recorded)
Flow summary (byte and packet counts as extracted; the column headers did not survive extraction)

981 B 5.9kB 10 8
  HTTP Request: GET https://freegeoip.app/xml/
  HTTP Response: 301

1.3kB 9.6kB 16 14
  HTTP Request: GET https://ipbase.com/xml/
  HTTP Response: 404

204.79.197.200:443 https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= (tls, http2) 2.3kB 10.0kB 23 20
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6f23bd574454288b51bcdde39fc001d&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
  HTTP Response: 204

52 B 1

1.1kB 8.2kB 14 12

204.79.197.200:443 https://tse1.mm.bing.net/th?id=OADD2.10239359955653_16Q8BS61PKT108CUW&pid=21.2&w=1080&h=1920&c=4 (tls, http2) 62.6kB 1.7MB 1219 1230
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&w=1080&h=1920&c=4
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239359955653_16Q8BS61PKT108CUW&pid=21.2&w=1080&h=1920&c=4

332 B 5

1.8kB 699 B 15 7

332 B 5

59 B 91 B 1 1
  DNS Request: freegeoip.app
  DNS Response: 172.67.160.84, 104.21.73.97

168 B 158 B 3 1
  DNS Request: g.bing.com (3 times)
  DNS Response: 204.79.197.200, 13.107.21.200

56 B 88 B 1 1
  DNS Request: ipbase.com
  DNS Response: 172.67.209.71, 104.21.85.189

144 B 134 B 2 1
  DNS Request: 84.160.67.172.in-addr.arpa (2 times)

73 B 144 B 1 1
  DNS Request: 240.221.184.93.in-addr.arpa

71 B 157 B 1 1
  DNS Request: 3.181.190.20.in-addr.arpa

72 B 134 B 1 1
  DNS Request: 71.209.67.172.in-addr.arpa

73 B 144 B 1 1
  DNS Request: 95.221.229.192.in-addr.arpa

71 B 157 B 1 1
  DNS Request: 2.136.104.51.in-addr.arpa

72 B 158 B 1 1
  DNS Request: 241.154.82.20.in-addr.arpa

142 B 157 B 2 1
  DNS Request: 26.35.223.20.in-addr.arpa (2 times)

72 B 158 B 1 1
  DNS Request: 208.194.73.20.in-addr.arpa

73 B 147 B 1 1
  DNS Request: 103.169.127.40.in-addr.arpa

71 B 135 B 1 1
  DNS Request: 41.110.16.96.in-addr.arpa

73 B 147 B 1 1
  DNS Request: 158.240.127.40.in-addr.arpa

142 B 145 B 2 1
  DNS Request: 206.23.85.13.in-addr.arpa (2 times)

73 B 139 B 1 1
  DNS Request: 217.135.221.88.in-addr.arpa

138 B 131 B 2 1
  DNS Request: 100.5.17.2.in-addr.arpa (2 times)

72 B 158 B 1 1
  DNS Request: 43.229.111.52.in-addr.arpa

72 B 158 B 1 1
  DNS Request: 119.110.54.20.in-addr.arpa

216 B 137 B 3 1
  DNS Request: 211.178.17.96.in-addr.arpa (3 times)

146 B 120 B 2 1
  DNS Request: 128.212.248.87.in-addr.arpa (2 times)

124 B 2
  DNS Request: tse1.mm.bing.net (2 times)
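The records above show the external-IP lookup from the Signatures section failing: freegeoip.app answers 301 to ipbase.com, which answers 404, so the sample never received a geolocation body. The following Python is an added example, not Triage's code and not anything recovered from the sample. It parses flow records in the flattened form this page carries them (the format is inferred from the text above, so treat the regexes as an assumption), follows the lookup through its redirect, sets aside the requests that carry the Windows shell client's User-Agent (the only evidence here that they are OS background traffic rather than the sample's), and returns the hosts and resolved addresses worth hunting for. REPORT_EXCERPT is a constructed excerpt of this report's own flows trimmed to the fields the parser uses, and IP_LOOKUP_HOSTS is an assumed local list seeded with the two hosts on this page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed local list of IP-lookup services, seeded with the two hosts on this page.
IP_LOOKUP_HOSTS = {"freegeoip.app", "ipbase.com"}

# Constructed excerpt of this report's own flow records, trimmed to the fields used.
REPORT_EXCERPT = """
Remote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A172.67.160.84freegeoip.appIN A104.21.73.97
Remote address:172.67.160.84:443RequestGET /xml/ HTTP/1.1
Host: freegeoip.app
ResponseHTTP/1.1 301 Moved Permanently
Location: https://ipbase.com/xml/
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.a-0001.a-msedge.netg-bing-com.a-0001.a-msedge.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
Remote address:8.8.8.8:53Requestg.bing.comIN A
Remote address:8.8.8.8:53Requestipbase.comIN AResponseipbase.comIN A172.67.209.71ipbase.comIN A104.21.85.189
Remote address:172.67.209.71:443RequestGET /xml/ HTTP/1.1
Host: ipbase.com
ResponseHTTP/1.1 404 Not Found
Server: cloudflare
Remote address:8.8.8.8:53Request84.160.67.172.in-addr.arpaIN PTRResponse
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597 HTTP/2.0
host: g.bing.com
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
"""

# Record layout as it appears on the page (an assumption about the extraction format).
DNS_RE = re.compile(r"^Remote address:[\d.]+:53Request(?P<qname>.+?)IN (?P<qtype>AAAA|A|PTR)"
                    r"(?:Response(?P<answers>.*))?$")
A_RE = re.compile(r"IN A(\d{1,3}(?:\.\d{1,3}){3})")   # answers are run together without separators
PTR_RE = re.compile(r"IN PTR(.+)$")
HTTP_REQ_RE = re.compile(r"Remote address:[\d.]+:\d+Request(?P<method>[A-Z]+) (?P<path>\S+) HTTP/")
HTTP_RESP_RE = re.compile(r"^ResponseHTTP/[\d.]+ (?P<status>\d{3})")

@dataclass
class HttpFlow:
    method: str
    path: str
    host: str = ""
    user_agent: str = ""
    status: int = 0
    location: str = ""

def parse_flows(text):
    """dns: query name -> answers (A records, or the PTR target); http: HttpFlow list in order."""
    dns, http, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = DNS_RE.match(line)
        if m:
            answers = m.group("answers") or ""          # absent Response -> no answers
            found = PTR_RE.findall(answers) if m.group("qtype") == "PTR" else A_RE.findall(answers)
            dns.setdefault(m.group("qname"), []).extend(found)
            cur = None
            continue
        m = HTTP_REQ_RE.search(line)                    # search: the URL may be fused in front
        if m:
            cur = HttpFlow(m.group("method"), m.group("path"))
            http.append(cur)
            continue
        if line.startswith("Remote address:"):
            cur = None                                  # a flow type this parser does not model
            continue
        m = HTTP_RESP_RE.match(line)
        if m and cur:
            cur.status = int(m.group("status"))
            continue
        if cur and ":" in line:                         # request or response header
            name, _, value = line.partition(":")
            attr = {"host": "host", "user-agent": "user_agent", "location": "location"}.get(name.strip().lower())
            if attr:
                setattr(cur, attr, value.strip())
    return dns, http

def ip_lookup_chain(http, dns):
    """Start at the first request to a known lookup host and follow HTTP redirects through the
    captured flows. Yields (host, resolved_ips, status, location) per hop; only a final 2xx
    means the sample actually received its external IP."""
    chain, seen = [], set()
    flow = next((f for f in http if f.host in IP_LOOKUP_HOSTS), None)
    while flow and flow.host not in seen:
        seen.add(flow.host)
        chain.append((flow.host, tuple(dns.get(flow.host, [])), flow.status, flow.location))
        if not (300 <= flow.status < 400 and flow.location):
            break
        target = urlsplit(flow.location).hostname
        flow = next((f for f in http if f.host == target), None)
    return chain

def iocs(chain):
    """Lookup hosts and the addresses they resolved to in this run, for blocking or hunting."""
    return {"hosts": sorted({h for h, _, _, _ in chain}),
            "ips": sorted({ip for _, ips, _, _ in chain for ip in ips})}

def background_noise(http):
    """Requests carrying the Windows shell client's User-Agent: OS background traffic in the
    sandbox, not attributed to the sample by this report."""
    return [f for f in http if f.user_agent.startswith("WindowsShellClient")]

if __name__ == "__main__":
    dns, http = parse_flows(REPORT_EXCERPT)
    chain = ip_lookup_chain(http, dns)
    for host, ips, status, loc in chain:
        print(f"{host:14} {', '.join(ips):30} HTTP {status} {loc}")
    print("IoCs:", iocs(chain), "| OS background:", [f.host for f in background_noise(http)])
```

On this report the chain ends at ipbase.com with 404, so the hosts are still worth blocking but the sample got no usable answer in this run; a re-run where the final hop returns 200 would be the one to watch for follow-on traffic. Extend IP_LOOKUP_HOSTS with the lookup services you see in your own telemetry, and keep the User-Agent filter as a hint rather than an attribution: a sample can spoof any User-Agent it likes.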
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 84dd13510b67e674ec205a539215ef9d
SHA1: fd7b23af1e9882475ac9ccbcb57d0442768e93d9
SHA256: 029694053d19f17bccfe5a7916c9ebefafe654e4ddc726880c85e4bec4fef4b5
SHA512: e2a182a2a4326482125c3116e9e8341514fbb64085fb3df2b278342213330281a24a76234f24f879887857502b41159e34bacbf682ea6dc7704bb42fceef8fd3