Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

657ada1771...d5.exe

windows7-x64

7

657ada1771...d5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 16:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    657ada177102ffcf86ad704ea5f547d5.exe

  • Size

    385KB

  • MD5

    657ada177102ffcf86ad704ea5f547d5

  • SHA1

    f2444180a7e1470fb05537a253e4ab15e436906f

  • SHA256

    498911c40fe687114f24686e099db7be218099c540e5dbe0f17f64eff04509b9

  • SHA512

    e1ab3eab6eb1f79f2d5e8c51da762e0554b2df984689d515ef2f85b226a477404e62613c14ebddb438530ad8f458ee9a5f14977a3c857d223b09a5d51b27da7d

  • SSDEEP

    6144:o/GZ+V7dQGl5Rc9d+9LXsodQdIeg2MZd+RHJnG4xKjBnVLp21FWU3oGv0C8L2+B:fUdbl5OrSsyqIgMcR7xoVwWOPvAbB

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe
    "C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe
      C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2940

Network

  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    179.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    179.178.17.96.in-addr.arpa
    IN PTR
    Response
    179.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-179deploystaticakamaitechnologiescom
  • flag-us
    DNS
    pastebin.com
    657ada177102ffcf86ad704ea5f547d5.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    172.67.34.170
    pastebin.com
    IN A
    104.20.67.143
  • flag-us
    GET
    https://pastebin.com/raw/ubFNTPjt
    657ada177102ffcf86ad704ea5f547d5.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 18 Jan 2024 16:19:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 419
    Server: cloudflare
    CF-RAY: 8478298e98da412e-LHR
  • flag-us
    DNS
    143.68.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    143.68.20.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    17.53.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.53.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    204.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    204.178.17.96.in-addr.arpa
    IN PTR
    Response
    204.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-204deploystaticakamaitechnologiescom
  • flag-us
    DNS
    114.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.110.16.96.in-addr.arpa
    IN PTR
    Response
    114.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-114deploystaticakamaitechnologiescom
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    233.17.178.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.17.178.52.in-addr.arpa
    IN PTR
    Response
  • 104.20.68.143:443
    https://pastebin.com/raw/ubFNTPjt
    tls, http
    657ada177102ffcf86ad704ea5f547d5.exe
    1.3kB
     6.0kB
     14
    8

    HTTP Request

    GET https://pastebin.com/raw/ubFNTPjt

    HTTP Response

    404
  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    179.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    179.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    657ada177102ffcf86ad704ea5f547d5.exe
    58 B
     106 B
     1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.68.143
    172.67.34.170
    104.20.67.143

  • 8.8.8.8:53
    143.68.20.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    143.68.20.104.in-addr.arpa

  • 8.8.8.8:53
    17.53.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    17.53.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    204.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    204.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    114.110.16.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    114.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    233.17.178.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    233.17.178.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\657ada177102ffcf86ad704ea5f547d5.exe
    Filesize

    385KB

    MD5

    dc8b4d14fe6cd88ea90f699cd2d317a4

    SHA1

    ccfb99843583b9d9bf6b1ce39ee5a5788388249e

    SHA256

    44a81fa5a71b0d32f79c0a19ce3487bea814d8ffd3a5feec3a54a37ecb07d12b

    SHA512

    37a1a4db4b9d2fa7f53b807f22ce3ee164c9e5b751c8fdf173971d247922b8bea07ecc4d31122c9b989fe2755bfcf122268fee86de2b743b6733ae3de88cb563

    Download Submit

  • memory/2752-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2752-1-0x0000000001470000-0x00000000014D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2752-2-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/2752-11-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/2940-13-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2940-14-0x0000000000140000-0x00000000001A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2940-20-0x0000000004E80000-0x0000000004EDF000-memory.dmp

    Filesize

    380KB

    Download

  • memory/2940-21-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2940-30-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2940-34-0x000000000B600000-0x000000000B63C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2940-36-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.