Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2024, 20:54 UTC

General

  • Target

    689e19925254f332b99cc73ad05aae41.exe

  • Size

    1.5MB

  • MD5

    689e19925254f332b99cc73ad05aae41

  • SHA1

    4b3ce4fcd3dc8494f397a329bdc1e2b11a6c8ebb

  • SHA256

    e741c9948e787545a1de1268d1835813215aa69a603709b1c857e2b981379b5a

  • SHA512

    73e07367d8f7b2e3367f3a22fad58c9daa3794e5f01f87d89d5f5076ae750a1ec32c0f34e2c5b45d0cbc323835d3ba62009e472a6710ace4fdab1282dbf9386f

  • SSDEEP

    24576:TSHEii63fJ7VH0Sn8cDIFlBMVMKcI2Y/IKt5RuEJClrRAI5LAHMjBmkkW:2HEMffHkDZMVFaabaFAMAH5n

Score
7/10 (tag: upx)

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe
    "C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe
      C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2292
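
The process tree above is the part of this report worth a detection rule: the sample (PID 2900) launches a second copy of its own image (PID 2292), and the parent carries the WriteProcessMemory and UnmapMainImage signatures, which together are the shape of process hollowing. The block below is an added example, not code from the report or from Hatching Triage. It encodes the tree and the named API calls as records and flags a parent that writes into a child running the same image. Triage does not record which process those calls targeted, so the target PIDs in the constructed records are an assumption, as is the mapping of the UnmapMainImage signature onto NtUnmapViewOfSection.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Process:
    pid: int
    ppid: Optional[int]
    image: str


@dataclass
class ApiCall:
    pid: int                    # calling process
    api: str
    target_pid: Optional[int]   # process whose memory the call touched


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe"

# Constructed from the report's process tree: the sample (2900) launches a
# second copy of itself (2292).
PROCESSES = [
    Process(pid=2900, ppid=None, image=SAMPLE),
    Process(pid=2292, ppid=2900, image=SAMPLE),
]

# Constructed from the report's signature list. The report names the APIs and
# counts the hits (4x WriteProcessMemory, 2x UnmapMainImage) but not their
# targets; the target_pid values here are an assumption for the example, and
# "UnmapMainImage" is assumed to correspond to NtUnmapViewOfSection.
API_CALLS = [
    ApiCall(2900, "WriteProcessMemory", 2292),
    ApiCall(2900, "WriteProcessMemory", 2292),
    ApiCall(2900, "WriteProcessMemory", 2292),
    ApiCall(2900, "WriteProcessMemory", 2292),
    ApiCall(2900, "NtUnmapViewOfSection", 2292),   # Triage: "UnmapMainImage"
    ApiCall(2292, "NtUnmapViewOfSection", 2292),   # Triage: "UnmapMainImage"
]

WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"}
UNMAP_APIS = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}


def find_self_injection(processes: List[Process],
                        api_calls: List[ApiCall]) -> List[Tuple[int, int, bool]]:
    """Return (parent_pid, child_pid, unmapped) for every child that runs a
    copy of its parent's image and had memory written into it by that parent.
    `unmapped` is True when the parent also unmapped a section in the child,
    completing the hollowing sequence (spawn suspended copy, unmap its image,
    write a new one, resume)."""
    by_pid = {p.pid: p for p in processes}
    writes = defaultdict(set)   # caller pid -> pids it wrote into
    unmaps = defaultdict(set)   # caller pid -> pids it unmapped in
    for call in api_calls:
        if call.target_pid is None or call.target_pid == call.pid:
            continue            # a process touching its own memory is not injection
        if call.api in WRITE_APIS:
            writes[call.pid].add(call.target_pid)
        elif call.api in UNMAP_APIS:
            unmaps[call.pid].add(call.target_pid)

    hits = []
    for child in processes:
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        if same_image and child.pid in writes[parent.pid]:
            hits.append((parent.pid, child.pid, child.pid in unmaps[parent.pid]))
    return hits


if __name__ == "__main__":
    for parent, child, unmapped in find_self_injection(PROCESSES, API_CALLS):
        suffix = " after unmapping its image" if unmapped else ""
        print(f"PID {parent} wrote into its own child {child}{suffix}: possible process hollowing")
```

On an EDR the same rule runs over process-creation and cross-process memory-write events; the join that carries the signal is parent image equal to child image plus a write from parent into child, which legitimate software almost never does. The child's own UnmapMainImage hit is deliberately left out of the verdict: a process unmapping its own image is what unpacking stubs do, and counting it would add noise without adding evidence of injection.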

Network

  • DNS (remote address country: US)
    zipansion.com
    689e19925254f332b99cc73ad05aae41.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    172.67.144.180
    zipansion.com
    IN A
    104.21.73.114
  • GET (remote address country: US)
    http://zipansion.com/2pRLi
    689e19925254f332b99cc73ad05aae41.exe
    Remote address:
    172.67.144.180:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 19 Jan 2024 20:54:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=ja06q152usht5gsq2mkd4hgid4; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L%2FdO%2Bx26Z1XAH89Eq4RgwliLu7BYdpYXHq%2Bb408f4UwljHG%2FHnN0wXYZUMfbhM3ILhol3niHR%2FzXlepesusJV%2F7GrJgLXiqhCIpZ6eOWOSxq8dLCmWdKkflc1XYdMavf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8481f911caca23c9-LHR
    alt-svc: h2=":443"; ma=60
  • DNS (remote address country: US)
    yxeepsek.net
    689e19925254f332b99cc73ad05aae41.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
    Response
    yxeepsek.net
    IN A
    172.67.194.101
    yxeepsek.net
    IN A
    104.21.20.204
  • GET (remote address country: US)
    http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667
    689e19925254f332b99cc73ad05aae41.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /-36721RHIM/2pRLi?rndad=1502943035-1705697667 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Response
    HTTP/1.1 302 Found
    Date: Fri, 19 Jan 2024 20:54:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=pj4ve78eb909pd4md99vme7r4d; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uXVZKd%2FyqQ0zKTJGCrOIkgP6haY37JuL5X2gKNVcU1nPgwnqzqrnEl0pZDMtPFBEW1%2BSAPlMmcpQsq2ab3W7tvLlFzIl4ltMvhhQG8KDDcbUU%2BCtQlAoyI6IPs71jvg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8481f913fabc4136-LHR
    alt-svc: h2=":443"; ma=60
  • GET (remote address country: US)
    http://yxeepsek.net/suspended?a=3&u=20186239
    689e19925254f332b99cc73ad05aae41.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Cookie: FLYSESSID=pj4ve78eb909pd4md99vme7r4d
    Response
    HTTP/1.1 200 OK
    Date: Fri, 19 Jan 2024 20:54:27 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JAUrb8%2B5Or4sj1WefHKWhvYPTe1vZE740UMcL7MIvtxD4jWGK%2F8MDQAtV4wgVEiNnWIIiteP6a5XOR1ILBPOhg7uq0X8bG5%2FHFxhbHOw6t%2By%2Bwpw7gxkDxreY4YeMk4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8481f9158cd24136-LHR
    alt-svc: h2=":443"; ma=60
  • 172.67.144.180:80
    http://zipansion.com/2pRLi
    http
    689e19925254f332b99cc73ad05aae41.exe
    437 B
    1.1kB
    6
    4

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    301
  • 172.67.194.101:80
    http://yxeepsek.net/suspended?a=3&u=20186239
    http
    689e19925254f332b99cc73ad05aae41.exe
    834 B
    3.2kB
    8
    8

    HTTP Request

    GET http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667

    HTTP Response

    302

    HTTP Request

    GET http://yxeepsek.net/suspended?a=3&u=20186239

    HTTP Response

    200
  • 8.8.8.8:53
    zipansion.com
    dns
    689e19925254f332b99cc73ad05aae41.exe
    59 B
    91 B
    1
    1

    DNS Request

    zipansion.com

    DNS Response

    172.67.144.180
    104.21.73.114

  • 8.8.8.8:53
    yxeepsek.net
    dns
    689e19925254f332b99cc73ad05aae41.exe
    58 B
    90 B
    1
    1

    DNS Request

    yxeepsek.net

    DNS Response

    172.67.194.101
    104.21.20.204
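
Read end to end, the Network section is an adf.ly-style shortener chain: zipansion.com answers 301 to yxeepsek.net, which answers 302 with a relative Location to /suspended, and the 200 there is a suspension page, so whatever the short link once pointed at was never fetched in this run. Two details matter for the analyst: the resolved addresses (172.67.x, 104.21.x) are Cloudflare edges and not indicators of this actor, and the User-Agent claims Firefox 59 on Windows NT 10.0 while the requester is a bare executable on a Windows 7 machine, a hard-coded string that is itself a detection feature. The block below is an added example, not code from the report or from Triage: it replays the chain offline from exchanges transcribed from the page (headers not needed for redirect handling dropped), resolving relative Location values the way a client would, and filters the IPs against a snapshot of Cloudflare's published prefixes, which is an assumption you should refresh from their live list.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Transcribed from the report's Network section: (request URL, status line,
# response headers). Header keys keep their mixed case on purpose; the code
# normalises them.
RECORDED = [
    ("http://zipansion.com/2pRLi",
     "HTTP/1.1 301 Moved Permanently",
     {"Location": "http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667",
      "x-powered-by": "adfly"}),
    ("http://yxeepsek.net/-36721RHIM/2pRLi?rndad=1502943035-1705697667",
     "HTTP/1.1 302 Found",
     {"location": "/suspended?a=3&u=20186239",
      "x-powered-by": "adfly"}),
    ("http://yxeepsek.net/suspended?a=3&u=20186239",
     "HTTP/1.1 200 OK",
     {"Content-Type": "text/html"}),
]

# Assumption: a snapshot of a few prefixes from Cloudflare's published IPv4
# list (https://www.cloudflare.com/ips-v4). Fetch the live list in production.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
)]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def status_code(status_line: str) -> int:
    """'HTTP/1.1 302 Found' -> 302."""
    return int(status_line.split()[1])


def follow_redirects(start_url, recorded, max_hops=10):
    """Replay the chain offline from recorded exchanges. Each Location is
    resolved against the URL that produced it, because Location may be
    relative (the second hop above is "/suspended?..."). Returns (chain, final_code)."""
    by_url = {url: (status_code(status), {k.lower(): v for k, v in headers.items()})
              for url, status, headers in recorded}
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        if url not in by_url:
            raise KeyError(f"no recorded response for {url}")
        code, headers = by_url[url]
        if code not in REDIRECT_CODES or "location" not in headers:
            return chain, code
        url = urljoin(url, headers["location"])
        chain.append(url)
    raise RuntimeError("too many hops (redirect loop?)")


def is_cloudflare_fronted(ip: str) -> bool:
    """True when the address falls inside the CDN prefixes above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def summarize(chain, final_code, resolved_ips):
    """Triage reading of the chain: hosts worth blocking, whether any resolved
    IP is a usable indicator, and whether the chain ended on a suspension page."""
    hosts = sorted({urlsplit(u).hostname for u in chain})
    suspended = final_code == 200 and urlsplit(chain[-1]).path.endswith("/suspended")
    return {
        "hosts": hosts,
        "ip_indicators": [ip for ip in resolved_ips if not is_cloudflare_fronted(ip)],
        "final_status": final_code,
        "shortener_suspended": suspended,
    }


if __name__ == "__main__":
    chain, code = follow_redirects("http://zipansion.com/2pRLi", RECORDED)
    for hop in chain:
        print("->", hop)
    print(summarize(chain, code,
                    ["172.67.144.180", "104.21.73.114", "172.67.194.101", "104.21.20.204"]))
```

The practical outcome is that the two domains are the indicators to carry forward, the four IPs are not, and the sample's next stage is simply absent from this run: a detonation after the shortener account was suspended shows the downloader but not what it downloads.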

Downloads

  • C:\Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe

    Filesize

    649KB

    MD5

    35f95b98c58ca2e30a7f884112ef2b5d

    SHA1

    8727ba49d42fb733800e46dd20772fd502189f7b

    SHA256

    5d070b8886bd79670dbde9ccd68c08690ca0aec45fc8a787d677b81280c518be

    SHA512

    00bbc57f406f0c610fbad0543e12b9f6ed2af73ebac2183ee96bddf873344de68cf59a0dda832013b2b1eab6d62a280d5cef93cb4b974a418ec1260efecefcdc

  • \Users\Admin\AppData\Local\Temp\689e19925254f332b99cc73ad05aae41.exe

    Filesize

    1.2MB

    MD5

    b4f3708522ef6dbed542a4bf05c63851

    SHA1

    efd5c35dbef03b8cdb944a34484600a367adcf6c

    SHA256

    5c8c70302fa617bd73de0f2154b9bd49fb3b57e108b9617f866713314d628b49

    SHA512

    f6d51dcc682db2e1d7824d504599f0c5146aedf066b6cb9ee14e9fd6ab1ff90659dbd122286ed3f4fb8375874adfc5e5948d40aacc094c6888addf2b9e77f3a7

  • memory/2292-16-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/2292-17-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2292-23-0x0000000000400000-0x000000000061D000-memory.dmp

    Filesize

    2.1MB

  • memory/2292-25-0x0000000003410000-0x000000000363A000-memory.dmp

    Filesize

    2.2MB

  • memory/2292-18-0x0000000000130000-0x0000000000263000-memory.dmp

    Filesize

    1.2MB

  • memory/2292-32-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/2900-4-0x0000000001B20000-0x0000000001C53000-memory.dmp

    Filesize

    1.2MB

  • memory/2900-1-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/2900-14-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2900-15-0x0000000003510000-0x00000000039FF000-memory.dmp

    Filesize

    4.9MB

  • memory/2900-0-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2900-31-0x0000000003510000-0x00000000039FF000-memory.dmp

    Filesize

    4.9MB
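
The Downloads list shows two different files written to the sample's own path (649KB and 1.2MB, with hashes that match neither the 1.5MB submission), which is what the RenamesItself and Deletes itself signatures describe, plus a series of dumps of the image region at 0x400000. The UPX verdict itself comes from a mechanical check: read the PE section table and look at the section names and the shape of the sections. The block below is an added example, not the report's or Triage's code; FAKE_UPX_PE is a constructed stand-in whose sizes are illustrative and do not reproduce this sample's layout, and its "UPX!" bytes stand in for the pack header.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def pe_sections(data: bytes):
    """Parse the section table of a PE file (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # 4 signature + 20 COFF + optional header
    sections = []
    for i in range(n_sections):
        (name, vsize, vaddr, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vsize": vsize, "vaddr": vaddr,
            "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
        })
    return sections


def upx_indicators(data: bytes):
    """Return human-readable reasons the file looks UPX-packed (empty if none)."""
    secs = pe_sections(data)
    reasons = []
    upx_named = [s["name"] for s in secs if s["name"] in UPX_SECTION_NAMES]
    if upx_named:
        reasons.append("UPX section names: " + ", ".join(upx_named))
    # Packer shape, independent of names: a section with no raw data but a large
    # virtual size (the unpack destination) directly followed by a smaller
    # section that does carry raw data (compressed payload plus stub).
    for dst, src in zip(secs, secs[1:]):
        if dst["rawsize"] == 0 and dst["vsize"] > 0 and 0 < src["rawsize"] < dst["vsize"]:
            reasons.append(f"empty {dst['name']} ({dst['vsize']:#x} bytes virtual) "
                           f"followed by {src['name']} ({src['rawsize']:#x} bytes raw)")
    if b"UPX!" in data:
        reasons.append("UPX! pack-header magic present")
    return reasons


def _section(name, vsize, vaddr, rawsize, rawptr, chars):
    return struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_fake_pe(sections, trailer=b""):
    """Minimal PE32 container carrying only the headers pe_sections() reads."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + coff + opt + b"".join(sections) + trailer


# Constructed stand-in for a UPX-packed 32-bit image (illustrative sizes, not
# this sample's layout). Characteristics are the RWX/uninitialised flags UPX
# really sets on UPX0/UPX1; the trailer stands in for the pack header.
FAKE_UPX_PE = build_fake_pe(
    [
        _section(b"UPX0", 0x1F6000, 0x1000, 0, 0x400, 0xE0000080),
        _section(b"UPX1", 0x33000, 0x1F7000, 0x32200, 0x400, 0xE0000040),
        _section(b".rsrc", 0x1000, 0x22A000, 0x800, 0x32600, 0xC0000040),
    ],
    trailer=b"\0" * 16 + b"UPX!",
)


if __name__ == "__main__":
    for reason in upx_indicators(FAKE_UPX_PE):
        print("-", reason)
```

`upx -d sample.exe` with the real UPX tool is the first thing to try on a hit. A modified UPX build renames the sections, scrubs the `UPX!` magic or alters the stub precisely so that `upx -d` refuses, which is why the shape check above does not depend on names, and why the memory dumps listed in this section, not the file on disk, are where the unpacked code should be looked for.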
