Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
18/01/2024, 05:15 UTC
General
-
Target
648f55eb3b697a2e2cda6d458e65ec38.exe
-
Size
2.9MB
-
MD5
648f55eb3b697a2e2cda6d458e65ec38
-
SHA1
57190c8424cf63ed73fa63d3b08ca2f70e1554ba
-
SHA256
cc0aa58e9e6f25f0d0a3f7a4f6ec237f7d627dd20244f6b379908ac8ad85c74c
-
SHA512
614254feb802e64ba8acb9bfd35033d8ff7c404f75ddfd2cc62f82b9788e450e9e756b3adfe13527fa7de9dc9c0bdc73a9e5694910e012327842c912a89cc0d5
-
SSDEEP
49152:yfOn4yCLqm2MDmCO2E5NwVfXalP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:z4pLql45W5yxQgg3gnl/IVUs1jePs
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\648f55eb3b697a2e2cda6d458e65ec38.exe"C:\Users\Admin\AppData\Local\Temp\648f55eb3b697a2e2cda6d458e65ec38.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\648f55eb3b697a2e2cda6d458e65ec38.exeC:\Users\Admin\AppData\Local\Temp\648f55eb3b697a2e2cda6d458e65ec38.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
-
Network
-
DNSzipansion.comRemote address:8.8.8.8:53Requestzipansion.comIN AResponsezipansion.comIN A172.67.144.180zipansion.comIN A104.21.73.114 -
GEThttp://zipansion.com/2pRLiRemote address:172.67.144.180:80RequestGET /2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: zipansion.com
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Date: Thu, 18 Jan 2024 05:15:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=uefkho2u6jkqo88aod91gv0fhk; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-36721LUPM/2pRLi?rndad=1502943035-1705554916
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wHJAB%2Bi40AfgpfIEBn6gviNk5XMdX8oGT70QlaNCKBlAIdzkTjk5d7tkoQEPyVDp5hjdh%2BOfGl3ayKvC1GKJ0r52RikWgX%2FOsNXbXH%2BGErEfg8FjmXvzeDLkLhkCJ4nT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84745bf11a5b638b-LHR
alt-svc: h2=":443"; ma=60
-
DNSyxeepsek.netRemote address:8.8.8.8:53Requestyxeepsek.netIN AResponseyxeepsek.netIN A172.67.194.101yxeepsek.netIN A104.21.20.204
-
GEThttp://yxeepsek.net/-36721LUPM/2pRLi?rndad=1502943035-1705554916Remote address:172.67.194.101:80RequestGET /-36721LUPM/2pRLi?rndad=1502943035-1705554916 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
ResponseHTTP/1.1 302 Found
Date: Thu, 18 Jan 2024 05:15:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=p6abrlaimav9tn0v83pfqqtf9t; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Avqarv0oDimO2h97Z%2Bm3xdpdRyV8IXHp4YPeWJKv5uoU1TNh4JCnMeB4AXQOXEsBSEGaAFZf0%2Boj4iKOnuINf0Z17GlTaSqmtqHg1pqBOWJddgxz%2B3kJpX0rE%2BQU4pE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84745bf3387b23b7-LHR
alt-svc: h2=":443"; ma=60
-
GEThttp://yxeepsek.net/suspended?a=3&u=20186239Remote address:172.67.194.101:80RequestGET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=p6abrlaimav9tn0v83pfqqtf9t
ResponseHTTP/1.1 200 OK
Date: Thu, 18 Jan 2024 05:15:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cbLgVLt5GYUKIqBU95aKcqaEJs8GHEX8376wGacpHc%2F2StwH%2B6xUcOKpnHWu%2BBD7sgzDlcRkanT4ShPEOa7A1LjkJviKWd9MF%2B7G8PU1Gm%2BH5hxJE4%2BijvJoQ6agPAU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84745bf4dabc23b7-LHR
alt-svc: h2=":443"; ma=60
-
172.67.144.180:80http://zipansion.com/2pRLihttp
HTTP Request
GET http://zipansion.com/2pRLiHTTP Response
301 -
172.67.194.101:80http://yxeepsek.net/suspended?a=3&u=20186239http
HTTP Request
GET http://yxeepsek.net/-36721LUPM/2pRLi?rndad=1502943035-1705554916HTTP Response
302HTTP Request
GET http://yxeepsek.net/suspended?a=3&u=20186239HTTP Response
200
-
8.8.8.8:53zipansion.comdns
DNS Request
zipansion.com
DNS Response
172.67.144.180104.21.73.114
-
8.8.8.8:53yxeepsek.netdns
DNS Request
yxeepsek.net
DNS Response
172.67.194.101104.21.20.204
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
776KB
MD557f4f1d22e66ebf153124b7c7a3336b7
SHA1eb96d75bc682360e92118067a99757c4d92d98bc
SHA25649647c57d3067f0b504d1b7d37b0d209586efb0b38ea1284d597196a78071491
SHA512567ffcc3f5f39da72e156f36247ffc4919e88ea3e031620e28af7f116d511b11aae73c526f46ffa6f4ae61239559d2f50d0428352b4a8b42bb36041afc51bb98
-
Filesize
886KB
MD5eb3147413028468be2de11ded84edacb
SHA11aaa991e80d8029e5247ba6dd2cf6c35af45ebe4
SHA256b238e428b7acd3480f3fe1b52a69ee371b8a9ddb93b8acf0fab00f7a23c74339
SHA512cd0d6c27fab33dd9d022ef8d30e031afbb24cb53e9da3f99943bef826bfdb2a8214d84d8a22712f39e91bd2c61a4e53c4cca103d9b4acce12498008a708b9c5d
-
Filesize
4.9MB
-
Filesize
2.2MB
-
Filesize
1.2MB
-
Filesize
2.2MB
-
Filesize
1.2MB
-
Filesize
4.9MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.1MB
-
Filesize
4.9MB