Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Loader/Loader.exe

windows7-x64

10

Loader/Loader.exe

windows10-2004-x64

10

Loader/etc/luIelD.dll

windows7-x64

1

Loader/etc/luIelD.dll

windows10-2004-x64

1

Loader/php5ts.dll

windows7-x64

1

Loader/php5ts.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2024, 10:44 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader/php5ts.dll

  • Size

    6.5MB

  • MD5

    c9aff68f6673fae7580527e8c76805b6

  • SHA1

    bb62cc1db82cfe07a8c08a36446569dfc9c76d10

  • SHA256

    9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

  • SHA512

    c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

  • SSDEEP

    98304:NIj1qYT5UnbVloeFVRFHFq0N8WaumOQp0BAUZLtYX:KEPLPFHFZNKumOQp0VRE

Score
1/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Loader\php5ts.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Loader\php5ts.dll,#1
      2⤵
        PID:4128

    Network

    • flag-us
      DNS
      17.53.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      17.53.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
    • flag-us
      DNS
      180.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      180.178.17.96.in-addr.arpa
      IN PTR
      Response
      180.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-180deploystaticakamaitechnologiescom
    • flag-us
      DNS
      180.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      180.178.17.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      2.136.104.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.136.104.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2.136.104.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.136.104.51.in-addr.arpa
      IN PTR
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=235EE93D2A3D6E953BC1FAC02B1A6F94; domain=.bing.com; expires=Wed, 29-Jan-2025 10:45:04 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6BD58E7F2E86496581923E4169DEFAE8 Ref B: LON04EDGE0711 Ref C: 2024-01-05T10:45:04Z
      date: Fri, 05 Jan 2024 10:45:03 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=235EE93D2A3D6E953BC1FAC02B1A6F94
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=LIpB3HsJFVJRKHC7Xg72CHar1MSHOUFLSCt3f-AN1zQ; domain=.bing.com; expires=Wed, 29-Jan-2025 10:45:04 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E30088E75AAB4544951C089C5055C291 Ref B: LON04EDGE0711 Ref C: 2024-01-05T10:45:04Z
      date: Fri, 05 Jan 2024 10:45:03 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=235EE93D2A3D6E953BC1FAC02B1A6F94; MSPTC=LIpB3HsJFVJRKHC7Xg72CHar1MSHOUFLSCt3f-AN1zQ
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C4F6D7725EC34E1786BD53093DD5520C Ref B: LON04EDGE0711 Ref C: 2024-01-05T10:45:04Z
      date: Fri, 05 Jan 2024 10:45:03 GMT
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41deploystaticakamaitechnologiescom
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      174.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      174.178.17.96.in-addr.arpa
      IN PTR
      Response
      174.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-174deploystaticakamaitechnologiescom
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=
      tls, http2
      2.0kB
       9.4kB
       21
      18

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2099fc8f366c42e8958d1a5aee4a5174&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

      HTTP Response

      204
    • 96.17.178.211:80
      46 B
       40 B
       1
      1
    • 96.17.178.211:80
      21.2kB
       466.7kB
       314
      339
    • 20.114.59.183:443
    • 20.114.59.183:443
    • 20.73.194.208:443
    • 96.16.110.114:80
    • 20.231.121.79:80
    • 20.114.59.183:443
    • 20.114.59.183:443
    • 2.17.5.100:80
    • 2.17.5.100:80
    • 20.114.59.183:443
    • 20.114.59.183:443
    • 88.221.134.18:80
    • 20.54.110.119:443
    • 96.16.110.114:80
    • 138.91.171.81:80
    • 88.221.134.18:80
    • 88.221.134.18:80
    • 4.231.128.59:443
    • 4.231.128.59:443
    • 88.221.135.217:80
    • 88.221.135.217:80
    • 4.231.128.59:443
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 88.221.135.211:80
    • 88.221.135.217:80
    • 88.221.134.18:80
    • 88.221.134.18:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 88.221.134.18:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 88.221.134.18:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 92.123.142.64:80
      92 B
       40 B
       2
      1
    • 92.123.142.64:80
      92 B
       40 B
       2
      1
    • 92.123.142.64:80
      92 B
       40 B
       2
      1
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 20.223.36.55:443
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 52.111.229.48:443
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 88.221.135.217:80
    • 88.221.135.217:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 20.103.156.88:443
    • 20.103.156.88:443
    • 20.103.156.88:443
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 20.103.156.88:443
    • 20.103.156.88:443
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
      2.4kB
       141.6kB
       52
      103
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 96.17.178.211:80
      19.0kB
       438.7kB
       289
      316
    • 96.17.178.211:80
    • 96.17.178.211:80
    • 88.221.134.18:80
    • 88.221.134.18:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 96.17.178.174:80
    • 8.8.8.8:53
      17.53.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      17.53.126.40.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      112 B
       158 B
       2
      1

      DNS Request

      g.bing.com

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      180.178.17.96.in-addr.arpa
      dns
      144 B
       137 B
       2
      1

      DNS Request

      180.178.17.96.in-addr.arpa

      DNS Request

      180.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      146 B
       144 B
       2
      1

      DNS Request

      95.221.229.192.in-addr.arpa

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      2.136.104.51.in-addr.arpa
      dns
      142 B
       157 B
       2
      1

      DNS Request

      2.136.104.51.in-addr.arpa

      DNS Request

      2.136.104.51.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      142 B
       157 B
       2
      1

      DNS Request

      43.58.199.20.in-addr.arpa

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      142 B
       135 B
       2
      1

      DNS Request

      41.110.16.96.in-addr.arpa

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
      174.178.17.96.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      174.178.17.96.in-addr.arpa

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.