Analysis
- max time kernel: 141s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 16:19 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 657ada177102ffcf86ad704ea5f547d5.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 657ada177102ffcf86ad704ea5f547d5.exe
- Resource: win10v2004-20231215-en
General
- Target: 657ada177102ffcf86ad704ea5f547d5.exe
- Size: 385KB
- MD5: 657ada177102ffcf86ad704ea5f547d5
- SHA1: f2444180a7e1470fb05537a253e4ab15e436906f
- SHA256: 498911c40fe687114f24686e099db7be218099c540e5dbe0f17f64eff04509b9
- SHA512: e1ab3eab6eb1f79f2d5e8c51da762e0554b2df984689d515ef2f85b226a477404e62613c14ebddb438530ad8f458ee9a5f14977a3c857d223b09a5d51b27da7d
- SSDEEP: 6144:o/GZ+V7dQGl5Rc9d+9LXsodQdIeg2MZd+RHJnG4xKjBnVLp21FWU3oGv0C8L2+B:fUdbl5OrSsyqIgMcR7xoVwWOPvAbB
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2940, process 657ada177102ffcf86ad704ea5f547d5.exe
- Executes dropped EXE (1 IoC)
  pid 2940, process 657ada177102ffcf86ad704ea5f547d5.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2752, process 657ada177102ffcf86ad704ea5f547d5.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2752, process 657ada177102ffcf86ad704ea5f547d5.exe
  pid 2940, process 657ada177102ffcf86ad704ea5f547d5.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2752 wrote to memory of 2940; pid 2752; process 657ada177102ffcf86ad704ea5f547d5.exe; procid_target 89
  description: PID 2752 wrote to memory of 2940; pid 2752; process 657ada177102ffcf86ad704ea5f547d5.exe; procid_target 89
  description: PID 2752 wrote to memory of 2940; pid 2752; process 657ada177102ffcf86ad704ea5f547d5.exe; procid_target 89
Processes
1. C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe"
   PID: 2752
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe (child of PID 2752)
      Command line: C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe
      PID: 2940
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
- DNS to 8.8.8.8:53
  Request: 146.78.124.51.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 179.178.17.96.in-addr.arpa IN PTR
  Response: 179.178.17.96.in-addr.arpa IN PTR a96-17-178-179.deploy.static.akamaitechnologies.com
- DNS to 8.8.8.8:53
  Request: pastebin.com IN A
  Response: pastebin.com IN A 104.20.68.143; pastebin.com IN A 172.67.34.170; pastebin.com IN A 104.20.67.143
- HTTPS to 104.20.68.143:443
  Request:
    GET /raw/ubFNTPjt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Cache-Control: no-cache
  Response:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 419
    Server: cloudflare
    CF-RAY: 8478298e98da412e-LHR
- DNS to 8.8.8.8:53
  Request: 143.68.20.104.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 17.53.126.40.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 133.211.185.52.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 103.169.127.40.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 56.126.166.20.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 18.134.221.88.in-addr.arpa IN PTR
  Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
- DNS to 8.8.8.8:53
  Request: 204.178.17.96.in-addr.arpa IN PTR
  Response: 204.178.17.96.in-addr.arpa IN PTR a96-17-178-204.deploy.static.akamaitechnologies.com
- DNS to 8.8.8.8:53
  Request: 114.110.16.96.in-addr.arpa IN PTR
  Response: 114.110.16.96.in-addr.arpa IN PTR a96-16-110-114.deploy.static.akamaitechnologies.com
- DNS to 8.8.8.8:53
  Request: 13.227.111.52.in-addr.arpa IN PTR
  Response: (none)
- DNS to 8.8.8.8:53
  Request: 233.17.178.52.in-addr.arpa IN PTR
  Response: (none)
Traffic summary (bytes sent, bytes received, packets sent, packets received, event, request, response)
- 1.3kB, 6.0kB, 14, 8: HTTP Request GET https://pastebin.com/raw/ubFNTPjt; HTTP Response 404
- 72 B, 158 B, 1, 1: DNS Request 146.78.124.51.in-addr.arpa
- 72 B, 137 B, 1, 1: DNS Request 179.178.17.96.in-addr.arpa
- 58 B, 106 B, 1, 1: DNS Request pastebin.com; DNS Response 104.20.68.143, 172.67.34.170, 104.20.67.143
- 72 B, 134 B, 1, 1: DNS Request 143.68.20.104.in-addr.arpa
- 71 B, 157 B, 1, 1: DNS Request 17.53.126.40.in-addr.arpa
- 73 B, 144 B, 1, 1: DNS Request 95.221.229.192.in-addr.arpa
- 73 B, 147 B, 1, 1: DNS Request 133.211.185.52.in-addr.arpa
- 73 B, 147 B, 1, 1: DNS Request 103.169.127.40.in-addr.arpa
- 72 B, 158 B, 1, 1: DNS Request 56.126.166.20.in-addr.arpa
- 72 B, 137 B, 1, 1: DNS Request 18.134.221.88.in-addr.arpa
- 72 B, 137 B, 1, 1: DNS Request 204.178.17.96.in-addr.arpa
- 72 B, 137 B, 1, 1: DNS Request 114.110.16.96.in-addr.arpa
- 72 B, 158 B, 1, 1: DNS Request 13.227.111.52.in-addr.arpa
- 72 B, 146 B, 1, 1: DNS Request 233.17.178.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: dc8b4d14fe6cd88ea90f699cd2d317a4
  SHA1: ccfb99843583b9d9bf6b1ce39ee5a5788388249e
  SHA256: 44a81fa5a71b0d32f79c0a19ce3487bea814d8ffd3a5feec3a54a37ecb07d12b
  SHA512: 37a1a4db4b9d2fa7f53b807f22ce3ee164c9e5b751c8fdf173971d247922b8bea07ecc4d31122c9b989fe2755bfcf122268fee86de2b743b6733ae3de88cb563