Analysis
  max time kernel:   118s
  max time network:  125s
  platform:          windows7_x64
  resource:          win7-20231215-en
  resource tags:     arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:         19/01/2024, 20:54 UTC
Behavioral task: behavioral1
  Sample:   689e19925254f332b99cc73ad05aae41.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   689e19925254f332b99cc73ad05aae41.exe
  Resource: win10v2004-20231222-en
General
  Target: 689e19925254f332b99cc73ad05aae41.exe
  Size:   1.5MB
  MD5:    689e19925254f332b99cc73ad05aae41
  SHA1:   4b3ce4fcd3dc8494f397a329bdc1e2b11a6c8ebb
  SHA256: e741c9948e787545a1de1268d1835813215aa69a603709b1c857e2b981379b5a
  SHA512: 73e07367d8f7b2e3367f3a22fad58c9daa3794e5f01f87d89d5f5076ae750a1ec32c0f34e2c5b45d0cbc323835d3ba62009e472a6710ace4fdab1282dbf9386f
  SSDEEP: 24576:TSHEii63fJ7VH0Sn8cDIFlBMVMKcI2Y/IKt5RuEJClrRAI5LAHMjBmkkW:2HEMffHkDZMVFaabaFAMAH5n
Malware Config
Signatures
(behavioral1, win7-20231215-en)

  Deletes itself (1 IoC)
    PID 2292  689e19925254f332b99cc73ad05aae41.exe

  Executes dropped EXE (1 IoC)
    PID 2292  689e19925254f332b99cc73ad05aae41.exe

  Loads dropped DLL (1 IoC)
    PID 2900  689e19925254f332b99cc73ad05aae41.exe

  YARA rule "upx" matched (4 resources)
    behavioral1/memory/2900-1-0x0000000000400000-0x00000000008EF000-memory.dmp
    behavioral1/files/0x000a000000012243-13.dat
    behavioral1/memory/2900-15-0x0000000003510000-0x00000000039FF000-memory.dmp
    behavioral1/files/0x000a000000012243-10.dat

  Suspicious behavior: RenamesItself (1 IoC)
    PID 2900  689e19925254f332b99cc73ad05aae41.exe

  Suspicious use of UnmapMainImage (2 IoCs)
    PID 2900  689e19925254f332b99cc73ad05aae41.exe
    PID 2292  689e19925254f332b99cc73ad05aae41.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    PID 2900 wrote to memory of 2292  (4 times; source 689e19925254f332b99cc73ad05aae41.exe, procid_target 28)

Read together with the process tree below, these signatures describe one chain: the original process (PID 2900) renamed its own file, a dropped executable at the same path was launched as its child (PID 2292), the parent wrote into the child's memory four times, both processes unmapped their main image, and the child then deleted itself. The "upx" matches cover both memory dumps of PID 2900 and both dropped files, so the original and the dropped binaries are UPX-packed.
Processes

  1. C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe"
     PID: 2900
     Signatures: Loads dropped DLL; Suspicious behavior: RenamesItself; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe  (child of PID 2900)
        Command line: C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe
        PID: 2292
        Signatures: Deletes itself; Executes dropped EXE; Suspicious use of UnmapMainImage
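The rename / drop-at-same-path / write-into-child / unmap / self-delete pattern in the process tree above can be correlated automatically from per-process events rather than read off by hand. The following is an added example and not tria.ge code: the event schema is an assumption made for this example, and the event list is constructed to mirror the report, with a benign explorer/notepad pair added as a control that the rule must not flag.

```python
"""Correlate per-process sandbox signatures into a self-replacement chain.

Added example, not tria.ge code. EVENTS is constructed to mirror the
signatures and process tree in the report above; the event schema and the
benign explorer/notepad pair are assumptions made for this example.
"""
from collections import Counter, defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe"

EVENTS = (
    [
        {"sig": "process_create", "pid": 1234, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
        {"sig": "process_create", "pid": 2900, "ppid": 1234, "image": IMAGE},
        {"sig": "RenamesItself", "pid": 2900},
        {"sig": "Loads dropped DLL", "pid": 2900},
        {"sig": "process_create", "pid": 2292, "ppid": 2900, "image": IMAGE},
        {"sig": "Executes dropped EXE", "pid": 2292},
    ]
    + [{"sig": "WriteProcessMemory", "pid": 2900, "target": 2292}] * 4
    + [
        {"sig": "UnmapMainImage", "pid": 2900},
        {"sig": "UnmapMainImage", "pid": 2292},
        {"sig": "Deletes itself", "pid": 2292},
        # benign control pair (constructed): different image, no cross-process writes
        {"sig": "process_create", "pid": 3100, "ppid": 1234, "image": r"C:\Windows\System32\notepad.exe"},
    ]
)


def index_events(events):
    """Build the process table, per-PID signature sets and (src, dst) write counts."""
    procs, sigs, writes = {}, defaultdict(set), Counter()
    for ev in events:
        if ev["sig"] == "process_create":
            procs[ev["pid"]] = {"ppid": ev["ppid"], "image": ev["image"]}
        elif ev["sig"] == "WriteProcessMemory":
            writes[(ev["pid"], ev["target"])] += 1
        else:
            sigs[ev["pid"]].add(ev["sig"])
    return procs, sigs, writes


def find_self_replacement(events):
    """Flag parent->child pairs where the child runs from the parent's own
    image path AND the parent writes into it; score the supporting signals."""
    procs, sigs, writes = index_events(events)
    findings = []
    for child, info in procs.items():
        parent = info["ppid"]
        if parent not in procs:
            continue
        same_image = procs[parent]["image"].lower() == info["image"].lower()
        n_writes = writes[(parent, child)]
        if not (same_image and n_writes):
            continue  # both conditions are required; a plain respawn is not enough
        signals = {
            "parent_renamed": "RenamesItself" in sigs[parent],
            "child_is_dropped": "Executes dropped EXE" in sigs[child],
            "both_unmapped": "UnmapMainImage" in sigs[parent] and "UnmapMainImage" in sigs[child],
            "child_deletes_itself": "Deletes itself" in sigs[child],
        }
        findings.append({"parent": parent, "child": child, "writes": n_writes,
                         "score": sum(signals.values()), **signals})
    return findings


if __name__ == "__main__":
    for finding in find_self_replacement(EVENTS):
        print(finding)
```

Requiring both the shared image path and at least one cross-process write keeps ordinary self-restarts (updaters, service wrappers) out of the result; the four secondary signals are scored rather than required, so a variant that skips the self-delete still surfaces with a lower score.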
Network

DNS
  Remote address: 8.8.8.8:53
  Request:  zipansion.com IN A
  Response: zipansion.com IN A 172.67.144.180
            zipansion.com IN A 104.21.73.114

HTTP flow 1: GET http://zipansion.com/2pRLi
  Remote address: 172.67.144.180:80
  Request:
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
  Response:
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=ja06q152usht5gsq2mkd4hgid4; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L%2FdO%2Bx26Z1XAH89Eq4RgwliLu7BYdpYXHq%2Bb408f4UwljHG%2FHnN0wXYZUMfbhM3ILhol3niHR%2FzXlepesusJV%2F7GrJgLXiqhCIpZ6eOWOSxq8dLCmWdKkflc1XYdMavf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8481f911caca23c9-LHR
    alt-svc: h2=":443"; ma=60

DNS
  Remote address: 8.8.8.8:53
  Request:  yxeepsek.net IN A
  Response: yxeepsek.net IN A 172.67.194.101
            yxeepsek.net IN A 104.21.20.204

HTTP flow 2: GET http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667  (process: 689e19925254f332b99cc73ad05aae41.exe)
  Remote address: 172.67.194.101:80
  Request:
    GET /-36721RHIM/2pRLi?rndad=1502943035-1705697667 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
  Response:
    HTTP/1.1 302 Found
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=pj4ve78eb909pd4md99vme7r4d; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uXVZKd%2FyqQ0zKTJGCrOIkgP6haY37JuL5X2gKNVcU1nPgwnqzqrnEl0pZDMtPFBEW1%2BSAPlMmcpQsq2ab3W7tvLlFzIl4ltMvhhQG8KDDcbUU%2BCtQlAoyI6IPs71jvg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8481f913fabc4136-LHR
    alt-svc: h2=":443"; ma=60

HTTP flow 3: GET http://yxeepsek.net/suspended?a=3&u=20186239
  Remote address: 172.67.194.101:80
  Request:
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Cookie: FLYSESSID=pj4ve78eb909pd4md99vme7r4d
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JAUrb8%2B5Or4sj1WefHKWhvYPTe1vZE740UMcL7MIvtxD4jWGK%2F8MDQAtV4wgVEiNnWIIiteP6a5XOR1ILBPOhg7uq0X8bG5%2FHFxhbHOw6t%2By%2Bwpw7gxkDxreY4YeMk4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8481f9158cd24136-LHR
    alt-svc: h2=":443"; ma=60

Traffic summary (sent / received, packets out / in)

  172.67.144.180:80  http://zipansion.com/2pRLi  (http)
    437 B / 1.1kB, 6 / 4 packets
    GET http://zipansion.com/2pRLi  ->  301

  172.67.194.101:80  http://yxeepsek.net/suspended?a=3&u=20186239  (http, 689e19925254f332b99cc73ad05aae41.exe)
    834 B / 3.2kB, 8 / 8 packets
    GET http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667  ->  302
    GET http://yxeepsek.net/suspended?a=3&u=20186239  ->  200

The three exchanges form one shortener chain: an adf.ly link on zipansion.com returns a 301 to yxeepsek.net, which answers with a 302 to a relative /suspended path, and the suspension page is served with 200. No payload was retrieved in this run. Note also that the sample ran on windows7_x64 but sends a User-Agent claiming Windows NT 10.0 / Firefox 59, so the string is hard-coded in the binary rather than derived from the host.
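Reconstructing that chain from captured request/response heads, resolving the relative Location on the 302 against the request URL and checking the User-Agent against the sandbox OS, is shown below as an added example, not tria.ge code. The flow text is copied from the report but abridged to the headers the parser needs; the platform-to-NT-version map is an assumption for this example.

```python
"""Reconstruct a redirect chain from captured HTTP heads and sanity-check it.

Added example, not tria.ge code. FLOWS is constructed from the report above
(request/response heads abridged to the headers the parser needs).
"""
from urllib.parse import urljoin

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"

FLOWS = [  # (request head, response head), in capture order
    (f"GET /2pRLi HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: zipansion.com\r\n\r\n",
     "HTTP/1.1 301 Moved Permanently\r\nx-powered-by: adfly\r\n"
     "location: http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667\r\n\r\n"),
    (f"GET /-36721RHIM/2pRLi?rndad=1502943035-1705697667 HTTP/1.1\r\nUser-Agent: {UA}\r\n"
     "Host: yxeepsek.net\r\n\r\n",
     "HTTP/1.1 302 Found\r\nx-powered-by: adfly\r\nlocation: /suspended?a=3&u=20186239\r\n\r\n"),
    (f"GET /suspended?a=3&u=20186239 HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: yxeepsek.net\r\n"
     "Cookie: FLYSESSID=pj4ve78eb909pd4md99vme7r4d\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

# Assumed mapping from the sandbox platform tag to the NT version a browser
# actually running on that host would put in its User-Agent.
PLATFORM_NT = {"windows7": "Windows NT 6.1", "windows10": "Windows NT 10.0"}

REDIRECTS = {301, 302, 303, 307, 308}


def parse_head(raw):
    """Split an HTTP head into (start line, {lower-cased header name: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line terminates the head
            break
        name, _, value = line.partition(":")   # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def follow_chain(flows):
    """Return [(absolute URL, status)] and verify each redirect target is the
    URL actually requested next; a gap in the capture raises ValueError."""
    chain, expected = [], None
    for req, resp in flows:
        start, rh = parse_head(req)
        _method, target, _version = start.split(" ", 2)
        url = f"http://{rh['host']}{target}"        # cleartext HTTP, as in the capture
        if expected is not None and url != expected:
            raise ValueError(f"chain broken: expected {expected}, got {url}")
        status_line, h = parse_head(resp)
        status = int(status_line.split(" ", 2)[1])
        chain.append((url, status))
        expected = None
        if status in REDIRECTS and "location" in h:
            expected = urljoin(url, h["location"])  # handles relative Location (the 302 here)
    return chain


def chain_findings(flows, platform):
    """Analyst-facing observations about the chain for a given sandbox platform tag."""
    chain = follow_chain(flows)
    findings = []
    _, first_resp = parse_head(flows[0][1])
    if first_resp.get("x-powered-by") == "adfly":
        findings.append("first hop served by adfly (link shortener)")
    final_url, final_status = chain[-1]
    if "/suspended" in final_url and final_status == 200:
        findings.append("chain ends on the shortener's suspended page; no payload retrieved")
    _, first_req = parse_head(flows[0][0])
    expected_nt = PLATFORM_NT.get(platform.split("_")[0])
    if expected_nt and expected_nt not in first_req.get("user-agent", ""):
        findings.append(f"User-Agent claims a different OS than the sandbox ({platform}); likely hard-coded")
    return chain, findings


if __name__ == "__main__":
    chain, findings = chain_findings(FLOWS, "windows7_x64")
    for url, status in chain:
        print(status, url)
    for f in findings:
        print("-", f)
```

The chain check is deliberately strict: if the next request does not match the previous Location, the capture is missing a hop (or the sample followed something else), and that is worth an error rather than a silently shorter chain.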
Downloads (dropped files)

  File 1
    Filesize: 649KB
    MD5:      35f95b98c58ca2e30a7f884112ef2b5d
    SHA1:     8727ba49d42fb733800e46dd20772fd502189f7b
    SHA256:   5d070b8886bd79670dbde9ccd68c08690ca0aec45fc8a787d677b81280c518be
    SHA512:   00bbc57f406f0c610fbad0543e12b9f6ed2af73ebac2183ee96bddf873344de68cf59a0dda832013b2b1eab6d62a280d5cef93cb4b974a418ec1260efecefcdc

  File 2
    Filesize: 1.2MB
    MD5:      b4f3708522ef6dbed542a4bf05c63851
    SHA1:     efd5c35dbef03b8cdb944a34484600a367adcf6c
    SHA256:   5c8c70302fa617bd73de0f2154b9bd49fb3b57e108b9617f866713314d628b49
    SHA512:   f6d51dcc682db2e1d7824d504599f0c5146aedf066b6cb9ee14e9fd6ab1ff90659dbd122286ed3f4fb8375874adfc5e5948d40aacc094c6888addf2b9e77f3a7