Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
10s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
01/01/2024, 09:59 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
02db6c6dd0119ae4dd092c95269ef0fa.exe
Resource
win7-20231215-en
13 signatures
150 seconds
General
-
Target
02db6c6dd0119ae4dd092c95269ef0fa.exe
-
Size
104KB
-
MD5
02db6c6dd0119ae4dd092c95269ef0fa
-
SHA1
0c847bd4af6ef9eb9da384374fb70117be59150d
-
SHA256
1e835832f440f1a949ff14547bfe943013f5211e3d5ad80632048554861d70ee
-
SHA512
b83eef9cd127287da84fc6682b2cf84a1e6961d961fc6b194150ccce15fbdf5dae273a584041d39ffbabb7a55a7e922e43e1be8e67c1dce782360fb31f9d966b
-
SSDEEP
3072:lQ5faGko6CFrbJKARb0WQ9FSE1Fk8jwaaHw7Koj4rgdy:61afCF3IO0WmFR
Malware Config
Signatures
-
Program crash 2 IoCs
pid pid_target Process 3276 4876 WerFault.exe 4428 3156 WerFault.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeSecurityPrivilege 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe Token: SeDebugPrivilege 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4496 IEXPLORE.EXE 4496 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 4876 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 21 PID 1952 wrote to memory of 3576 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 101 PID 1952 wrote to memory of 3576 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 101 PID 1952 wrote to memory of 3576 1952 02db6c6dd0119ae4dd092c95269ef0fa.exe 101 PID 3576 wrote to memory of 4496 3576 iexplore.exe 100 PID 3576 wrote to memory of 4496 3576 iexplore.exe 100 PID 4496 wrote to memory of 668 4496 IEXPLORE.EXE 102 PID 4496 wrote to memory of 668 4496 IEXPLORE.EXE 102 PID 4496 wrote to memory of 668 4496 IEXPLORE.EXE 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe"C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵PID:4876
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3576
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵PID:3156
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵PID:4064
-
-
C:\Users\Admin\AppData\Local\Temp\jcauhppdosanovdb.exe"C:\Users\Admin\AppData\Local\Temp\jcauhppdosanovdb.exe"2⤵PID:2916
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 48761⤵PID:548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2081⤵
- Program crash
PID:3276
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:22⤵PID:668
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17416 /prefetch:22⤵PID:4352
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 2041⤵
- Program crash
PID:4428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3156 -ip 31561⤵PID:1512
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"1⤵PID:4948
Network
-
Remote address:8.8.8.8:53Request2.136.104.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request17.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.a-0001.a-msedge.netg-bing-com.a-0001.a-msedge.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868; domain=.bing.com; expires=Tue, 04-Feb-2025 01:59:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F253C96DE41A4B22A77128C3C35B1FD7 Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
date: Thu, 11 Jan 2024 01:59:14 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=-Krrj8KPtQfdkQi838fEqpfQvB-jsJOJhUtJQuKbfMU; domain=.bing.com; expires=Tue, 04-Feb-2025 01:59:15 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6CB4078784154FBA993797BACE30FD43 Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
date: Thu, 11 Jan 2024 01:59:14 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868; MSPTC=-Krrj8KPtQfdkQi838fEqpfQvB-jsJOJhUtJQuKbfMU
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2F2EC2FA65594F23ACD28AB3315E5FBD Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
date: Thu, 11 Jan 2024 01:59:14 GMT
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestapi.bing.comIN AResponseapi.bing.comIN CNAMEapi-bing-com.e-0001.e-msedge.netapi-bing-com.e-0001.e-msedge.netIN CNAMEe-0001.e-msedge.nete-0001.e-msedge.netIN A13.107.5.80
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
204.79.197.200:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=tls, http22.5kB 9.4kB 24 18
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=HTTP Response
204 -
8.1kB 219.5kB 129 161
-
501 B 318 B 5 4
-
165 B 1
-
52 B 52 B 1 1
-
888 B 1
-
52 B 1.3kB 1 2
-
576 B 16.8kB 12 12
-
952 B 17.7kB 15 14
-
71 B 157 B 1 1
DNS Request
2.136.104.51.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
17.160.190.20.in-addr.arpa
-
56 B 158 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.20013.107.21.200
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
73 B 106 B 1 1
DNS Request
200.197.79.204.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
58 B 134 B 1 1
DNS Request
api.bing.com
DNS Response
13.107.5.80
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa