Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

46a6d59953...66.exe

windows7-x64

7

46a6d59953...66.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    168s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/01/2024, 16:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46a6d599535c3b51644e102f65929c66.exe

  • Size

    141KB

  • MD5

    46a6d599535c3b51644e102f65929c66

  • SHA1

    2115013bfc093dbfa96e802f246bdb262503c381

  • SHA256

    cfe2896dbf34e40c57b1379c2606f37811b614b2df5dd8123e9efe56de7e9efb

  • SHA512

    3856dc9786e84f9c0453b2640e7d2d09127d947a1057fed833e7e1bc25e08658e53cae8eea497531abab8f570a5eff7b7e937a219f588e73f44de2dd2b74eed0

  • SSDEEP

    3072:Aa9mSvkAZ2M5MPACog7DMM/qX0Ktj2FbjBGhMYctCgggggDpKiuxEjFq5ukj:AaENi2MGYg2BctCgggggDpK/r

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46a6d599535c3b51644e102f65929c66.exe
    "C:\Users\Admin\AppData\Local\Temp\46a6d599535c3b51644e102f65929c66.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      PID:1412

Network

  • flag-us
    DNS
    2.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    150.1.37.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    150.1.37.23.in-addr.arpa
    IN PTR
    Response
    150.1.37.23.in-addr.arpa
    IN PTR
    a23-37-1-150deploystaticakamaitechnologiescom
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
    Response
    0.204.248.87.in-addr.arpa
    IN PTR
    https-87-248-204-0lhrllnwnet
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.2.37.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.2.37.23.in-addr.arpa
    IN PTR
    Response
    11.2.37.23.in-addr.arpa
    IN PTR
    a23-37-2-11deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.2.37.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.2.37.23.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    204.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    204.178.17.96.in-addr.arpa
    IN PTR
    Response
    204.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-204deploystaticakamaitechnologiescom
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    193.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    193.178.17.96.in-addr.arpa
    IN PTR
    Response
    193.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-193deploystaticakamaitechnologiescom
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    16.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    16.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    16.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    16.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301220_18O58FXYXLPJZL3DY&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301220_18O58FXYXLPJZL3DY&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 553003
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 233E80C18EA7487CBF597750DF8C7E1E Ref B: LON04EDGE1018 Ref C: 2024-01-06T16:13:53Z
    date: Sat, 06 Jan 2024 16:13:53 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 541009
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C2DE6AC8A6904B42B2BE0C68EDB2365C Ref B: LON04EDGE1018 Ref C: 2024-01-06T16:13:53Z
    date: Sat, 06 Jan 2024 16:13:53 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301629_1OQFQHDVLTEIOH8CU&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301629_1OQFQHDVLTEIOH8CU&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301020_14A3TVXX0O1AF1LY0&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301020_14A3TVXX0O1AF1LY0&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  • flag-us
    DNS
    pjz.no-ip.info
    explorer.exe
    Remote address:
    8.8.8.8:53
    Request
    pjz.no-ip.info
    IN A
    Response
  • flag-us
    DNS
    pjz.no-ip.info
    explorer.exe
    Remote address:
    8.8.8.8:53
    Request
    pjz.no-ip.info
    IN A
    Response
  • flag-us
    DNS
    pjz.no-ip.info
    explorer.exe
    Remote address:
    8.8.8.8:53
    Request
    pjz.no-ip.info
    IN A
    Response
  • flag-us
    DNS
    pjz.no-ip.info
    explorer.exe
    Remote address:
    8.8.8.8:53
    Request
    pjz.no-ip.info
    IN A
    Response
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.4kB
     9.1kB
     15
    11
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301020_14A3TVXX0O1AF1LY0&pid=21.2&w=1920&h=1080&c=4
    tls, http2
    16.5kB
     436.2kB
     322
    323

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301220_18O58FXYXLPJZL3DY&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301629_1OQFQHDVLTEIOH8CU&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301020_14A3TVXX0O1AF1LY0&pid=21.2&w=1920&h=1080&c=4
  • 8.8.8.8:53
    2.181.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    2.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    213 B
     157 B
     3
    1

    DNS Request

    26.35.223.20.in-addr.arpa

    DNS Request

    26.35.223.20.in-addr.arpa

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    150.1.37.23.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    150.1.37.23.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    142 B
     157 B
     2
    1

    DNS Request

    59.128.231.4.in-addr.arpa

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    146 B
     147 B
     2
    1

    DNS Request

    103.169.127.40.in-addr.arpa

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    0.204.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    0.204.248.87.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    11.2.37.23.in-addr.arpa
    dns
    138 B
     131 B
     2
    1

    DNS Request

    11.2.37.23.in-addr.arpa

    DNS Request

    11.2.37.23.in-addr.arpa

  • 8.8.8.8:53
    204.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    204.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    193.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    193.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    16.173.189.20.in-addr.arpa
    dns
    144 B
     316 B
     2
    2

    DNS Request

    16.173.189.20.in-addr.arpa

    DNS Request

    16.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    144 B
     158 B
     2
    1

    DNS Request

    146.78.124.51.in-addr.arpa

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    124 B
     173 B
     2
    1

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    pjz.no-ip.info
    dns
    explorer.exe
    120 B
     240 B
     2
    2

    DNS Request

    pjz.no-ip.info

    DNS Request

    pjz.no-ip.info

  • 8.8.8.8:53
    pjz.no-ip.info
    dns
    explorer.exe
    120 B
     240 B
     2
    2

    DNS Request

    pjz.no-ip.info

    DNS Request

    pjz.no-ip.info

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe
    Filesize

    141KB

    MD5

    46a6d599535c3b51644e102f65929c66

    SHA1

    2115013bfc093dbfa96e802f246bdb262503c381

    SHA256

    cfe2896dbf34e40c57b1379c2606f37811b614b2df5dd8123e9efe56de7e9efb

    SHA512

    3856dc9786e84f9c0453b2640e7d2d09127d947a1057fed833e7e1bc25e08658e53cae8eea497531abab8f570a5eff7b7e937a219f588e73f44de2dd2b74eed0

    Download Submit

  • memory/1412-45-0x0000000011490000-0x00000000114C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1412-46-0x0000000011490000-0x00000000114C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1412-47-0x0000000011490000-0x00000000114C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3800-0-0x0000000011490000-0x00000000114C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3800-1-0x0000000011490000-0x00000000114C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3800-4-0x0000000011490000-0x00000000114C0000-memory.dmp

    Filesize

    192KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.