Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3ClientSetup.exe
windows7-x64
7ClientSetup.exe
windows10-2004-x64
7ServerSetup.exe
windows7-x64
7ServerSetup.exe
windows10-2004-x64
7Conn.asp
windows7-x64
3Conn.asp
windows10-2004-x64
3action.asp
windows7-x64
3action.asp
windows10-2004-x64
3bottom.asp
windows7-x64
3bottom.asp
windows10-2004-x64
3checkSys.asp
windows7-x64
3checkSys.asp
windows10-2004-x64
3chk.asp
windows7-x64
3chk.asp
windows10-2004-x64
3cxctl.asp
windows7-x64
3cxctl.asp
windows10-2004-x64
3default.asp
windows7-x64
3default.asp
windows10-2004-x64
3dt.asp
windows7-x64
3dt.asp
windows10-2004-x64
3getdata.asp
windows7-x64
3getdata.asp
windows10-2004-x64
3gfhcx.asp
windows7-x64
3gfhcx.asp
windows10-2004-x64
3groupset.asp
windows7-x64
3groupset.asp
windows10-2004-x64
3gscreencx.asp
windows7-x64
3gscreencx.asp
windows10-2004-x64
3gsysset.asp
windows7-x64
3gsysset.asp
windows10-2004-x64
3gurlset.asp
windows7-x64
3gurlset.asp
windows10-2004-x64
3Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
01/01/2024, 01:45 UTC
Static task
static1
Behavioral task
behavioral1
Sample
ClientSetup.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ClientSetup.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
ServerSetup.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
ServerSetup.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
Conn.asp
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
Conn.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
action.asp
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
action.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
bottom.asp
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
bottom.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
checkSys.asp
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
checkSys.asp
Resource
win10v2004-20231222-en
Behavioral task
behavioral13
Sample
chk.asp
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
chk.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
cxctl.asp
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
cxctl.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
default.asp
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
default.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
dt.asp
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
dt.asp
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
getdata.asp
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
getdata.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
gfhcx.asp
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
gfhcx.asp
Resource
win10v2004-20231222-en
Behavioral task
behavioral25
Sample
groupset.asp
Resource
win7-20231129-en
Behavioral task
behavioral26
Sample
groupset.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
gscreencx.asp
Resource
win7-20231129-en
Behavioral task
behavioral28
Sample
gscreencx.asp
Resource
win10v2004-20231222-en
Behavioral task
behavioral29
Sample
gsysset.asp
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
gsysset.asp
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
gurlset.asp
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
gurlset.asp
Resource
win10v2004-20231222-en
General
-
Target
ClientSetup.exe
-
Size
3.6MB
-
MD5
3439fab56ae86d13e751a7df5715b339
-
SHA1
01c4d24db6fbb4a6fbe15f1f61e3fb95a519daad
-
SHA256
6b6fee52bd65eedfb3552f948e5aa360e0582707755537861e62ac01e31aac4f
-
SHA512
b9ec4c64edf406cabcd98540cecb4bc0efad4ddfd37ac193f33a50b66fd8985e7252571b6c9a1382b335240cfadf9cebb8f6ac72269ed979c1786fbcb5f3436c
-
SSDEEP
49152:hxBb3umRcMuNvYMyeTIzRG2Ucc4qwmepiAYVvCfZRXy/kPZk42Hzu8+aheU25Yo8:hz3WN/+VqwbpjcSisFGwnVy
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2540 setup.exe -
resource yara_rule behavioral2/memory/2540-12-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/files/0x0007000000023202-11.dat upx behavioral2/memory/2540-16-0x0000000000400000-0x0000000000471000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5068 wrote to memory of 2540 5068 ClientSetup.exe 21 PID 5068 wrote to memory of 2540 5068 ClientSetup.exe 21 PID 5068 wrote to memory of 2540 5068 ClientSetup.exe 21
Processes
-
C:\Users\Admin\AppData\Local\Temp\ClientSetup.exe"C:\Users\Admin\AppData\Local\Temp\ClientSetup.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\ae12097\setup.exeC:\Users\Admin\AppData\Local\Temp\ae12097\setup.exe -d "C:\Users\Admin\AppData\Local\Temp"2⤵
- Executes dropped EXE
PID:2540
-
Network
-
Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request2.181.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.a-0001.a-msedge.netg-bing-com.a-0001.a-msedge.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2E0DC86C0A8067BA3D28DC6F0B3B669C; domain=.bing.com; expires=Tue, 04-Feb-2025 00:11:36 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C3C6F48AA86140B499CF523C47AC8487 Ref B: LON04EDGE0913 Ref C: 2024-01-11T00:11:36Z
date: Thu, 11 Jan 2024 00:11:35 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2E0DC86C0A8067BA3D28DC6F0B3B669C
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=0ZU1ccO2fO1k84dcPKLm836nwc6v0KWBgFXoW1ak2aQ; domain=.bing.com; expires=Tue, 04-Feb-2025 00:11:37 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F9AAB7B9AE014EF49ECF7E0822D56396 Ref B: LON04EDGE0913 Ref C: 2024-01-11T00:11:37Z
date: Thu, 11 Jan 2024 00:11:36 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2E0DC86C0A8067BA3D28DC6F0B3B669C; MSPTC=0ZU1ccO2fO1k84dcPKLm836nwc6v0KWBgFXoW1ak2aQ
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AB971B179BF14310812DDC6B13600FE3 Ref B: LON04EDGE0913 Ref C: 2024-01-11T00:11:37Z
date: Thu, 11 Jan 2024 00:11:36 GMT
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request146.78.124.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request100.5.17.2.in-addr.arpaIN PTRResponse100.5.17.2.in-addr.arpaIN PTRa2-17-5-100deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request119.110.54.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request119.110.54.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request119.110.54.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request174.178.17.96.in-addr.arpaIN PTRResponse174.178.17.96.in-addr.arpaIN PTRa96-17-178-174deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request174.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request174.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request174.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request50.134.221.88.in-addr.arpaIN PTRResponse50.134.221.88.in-addr.arpaIN PTRa88-221-134-50deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request32.134.221.88.in-addr.arpaIN PTRResponse32.134.221.88.in-addr.arpaIN PTRa88-221-134-32deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request32.134.221.88.in-addr.arpaIN PTRResponse32.134.221.88.in-addr.arpaIN PTRa88-221-134-32deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request88.65.42.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.65.42.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request88.65.42.20.in-addr.arpaIN PTR
-
204.79.197.200:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=tls, http22.4kB 10.4kB 25 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4faa49a5979048ca9e5fb24a490db9c0&localId=w:F83E3474-2937-F57B-08FA-577E7DA14C95&deviceId=6896190588109571&anid=HTTP Response
204 -
-
-
-
-
-
832 B 649 B 7 5
-
832 B 649 B 7 5
-
832 B 649 B 7 5
-
832 B 649 B 7 5
-
18.5kB 503.7kB 364 365
-
-
-
-
73 B 147 B 1 1
DNS Request
158.240.127.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.181.190.20.in-addr.arpa
-
56 B 158 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.20013.107.21.200
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
146 B 147 B 2 1
DNS Request
103.169.127.40.in-addr.arpa
DNS Request
103.169.127.40.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
146.78.124.51.in-addr.arpa
-
144 B 158 B 2 1
DNS Request
56.126.166.20.in-addr.arpa
DNS Request
56.126.166.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
69 B 131 B 1 1
DNS Request
100.5.17.2.in-addr.arpa
-
216 B 158 B 3 1
DNS Request
119.110.54.20.in-addr.arpa
DNS Request
119.110.54.20.in-addr.arpa
DNS Request
119.110.54.20.in-addr.arpa
-
144 B 146 B 2 1
DNS Request
15.164.165.52.in-addr.arpa
DNS Request
15.164.165.52.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
288 B 137 B 4 1
DNS Request
174.178.17.96.in-addr.arpa
DNS Request
174.178.17.96.in-addr.arpa
DNS Request
174.178.17.96.in-addr.arpa
DNS Request
174.178.17.96.in-addr.arpa
-
360 B 137 B 5 1
DNS Request
18.134.221.88.in-addr.arpa
DNS Request
18.134.221.88.in-addr.arpa
DNS Request
18.134.221.88.in-addr.arpa
DNS Request
18.134.221.88.in-addr.arpa
DNS Request
18.134.221.88.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
50.134.221.88.in-addr.arpa
-
144 B 316 B 2 2
DNS Request
13.227.111.52.in-addr.arpa
DNS Request
13.227.111.52.in-addr.arpa
-
-
-
-
-
144 B 274 B 2 2
DNS Request
32.134.221.88.in-addr.arpa
DNS Request
32.134.221.88.in-addr.arpa
-
210 B 156 B 3 1
DNS Request
88.65.42.20.in-addr.arpa
DNS Request
88.65.42.20.in-addr.arpa
DNS Request
88.65.42.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD527f3a31ac59d75dc1948eb8078ad8b12
SHA11192000d9facaf1acf4ed81495f830ff4daff6a2
SHA256eeb9c78faa5eb391aea33d2f155a689256b8b4162ca989375604b2ad5815a490
SHA512bc3d1984c7393e941f53e748e7683426ce2a158c3ab774b4fe667a7c7d4bd35ed18f77d5b082a874f0827e0b0ef177e8ed06ea86d9f3c0acddb3ddec44590b74
-
Filesize
149KB
MD5808e84852804a6a0a036edf798428f6c
SHA18b8923c86da2bd7fbe15bf8ec0178fa210b06e8e
SHA2562208362d112c755d569a03e28282b30dd53ddd79fe44dcde6ecad23ea82b37b2
SHA5129df79af8b7fd4945ffc58122063ba797b39a905f1665ce4c802a30bf8c721e1498296862fee0aa9291456aae0f6bc6634a5303ac22b336f927ba290c25b4ef6a
-
Filesize
4KB
MD5b02bab409baabb2f432a9deb588edc75
SHA1485b21647b8037864e35e4fa6fb268ba50883fd5
SHA256a00b95f9e9b0e3f7fb145eabd68be1688cab81adb399c23d8810ed0fc3e0293d
SHA512484c86c43a3a2e978e150b12cbf7948492a60aee49eff581574b5845d31c58998066dac8332ffd38ce1106778405e0cbd6622c8bf06b7877fa7c0ca777a9f17c