Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

72fec4a854...64.exe

windows7-x64

7

72fec4a854...64.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2024, 22:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72fec4a8540bb7739ad1ce6a751c8a64.exe

  • Size

    12KB

  • MD5

    72fec4a8540bb7739ad1ce6a751c8a64

  • SHA1

    9f4a61a5eb8af57881d97a29fec0aaef7be3ad16

  • SHA256

    8de2ecae6974d0b59260b5c761323aa3d61864bd772a999ce5851ba163c83220

  • SHA512

    167650614aecd47104cbd6ef10013409134e4467b946c23f1053facd99e02be896665c61241390c8994ae69b40df215326b19c0e5b17ecccd881cf129b41f8bc

  • SSDEEP

    192:tb1JwjxT20IZnVWI/4PBcuEievsFlWRbsm:tbqBEZnVWI0clWFlW57

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\72fec4a8540bb7739ad1ce6a751c8a64.exe
        "C:\Users\Admin\AppData\Local\Temp\72fec4a8540bb7739ad1ce6a751c8a64.exe"
        2⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4076
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\\1.vbs
          3⤵
          • Deletes itself
          PID:1444

    Network

    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.178.17.96.in-addr.arpa
      IN PTR
      Response
      198.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-198deploystaticakamaitechnologiescom
    • flag-us
      DNS
      19.177.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.177.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      90.16.208.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      90.16.208.104.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      198.178.17.96.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      198.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      19.177.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      19.177.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      90.16.208.104.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      90.16.208.104.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1.vbs
      Filesize

      322B

      MD5

      004abd6b7dbfc47eda32ef1cfb4cf06b

      SHA1

      2fa53a215454282951aab3d7af3c374aa074c3e7

      SHA256

      37034de3a5631722b713496c6a81c6bcbfb873c7493e687dbc19859d07391d83

      SHA512

      146982d70c13f6c8f46776491ee8a9267c7b387980fdd24bd27e9f36bc05a1bf2fc6188400e968f3026bd3fcad156595d532a769d8bf7a2eaf57df6c4b66a33e

      Download Submit

    • memory/4076-0-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/4076-1-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/4076-4-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.