
Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/01/2024, 14:56 UTC

General

  • Target

    77a883b974e7025c7737b512c1c96b5d.exe

  • Size

    1000KB

  • MD5

    77a883b974e7025c7737b512c1c96b5d

  • SHA1

    8936c128d632b35f4f604ed11f9039da01d2cbb6

  • SHA256

    59a066c642007593a1965cefe67952c5574e6177c891c64bce706ae6269a4bce

  • SHA512

    73590622a499374c3eee355c1b6687f0fce94e9bb88fda97f64042d1feafa09beee661c6fb98f7996747968152866759c948f727464a88b571f99d1f65c68bdc

  • SSDEEP

    12288:E/uCdmWxpjq2wHdBl/eRvIFLJ9VfObosECaBwQ2tb5JLrnylUPqt0gHDS7eyod:9kBwroRSLJ2on1B+5vMiqt0gj2ed

Score
7/10

Malware Config

Signatures

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe (PID 4352)
    Command line: "C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe"
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • Child: C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe (PID 2416)
      Command line: C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      • Child: C:\Windows\SysWOW64\schtasks.exe (PID 3536)
        Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe" /TN Google_Trk_Updater /F
        • Creates scheduled task(s)
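The schtasks command line in the tree above carries every signal a detection needs: a `/CREATE` with an `ONLOGON` trigger, `/RL HIGHEST`, an action binary under a user's `AppData\Local\Temp`, and a vendor-lookalike task name (`Google_Trk_Updater`). The following is an added example, not tria.ge code and not part of the sample: a small parser and scorer for schtasks process-creation records. The first record reproduces the command line from this report; the other two records, the `EVENTS` format (`pid|image|command line`) and the regexes for user-writable directories and lookalike names are constructed for the example.

```python
"""Triage schtasks.exe invocations for persistence patterns.

Added example, not part of the tria.ge report or the sample. EVENTS are
constructed process-creation records ("pid|image|command line"); the first
one is the schtasks command line recorded in the process tree above, the
other two are made up for contrast.
"""
import re
import shlex

EVENTS = [
    # The task creation observed in this report.
    '3536|C:\\Windows\\SysWOW64\\schtasks.exe|schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON '
    '/TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\77a883b974e7025c7737b512c1c96b5d.exe" '
    '/TN Google_Trk_Updater /F',
    # Constructed benign updater task: vendor directory, daily trigger.
    '9001|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /Create /SC DAILY /ST 03:00 '
    '/TN "Acme\\Updater" /TR "C:\\Program Files\\Acme\\update.exe"',
    # Constructed query, not a creation.
    '9002|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /Query /TN Google_Trk_Updater',
]

# Directories a standard user can write to; a persisted binary living here
# is the strongest single signal in the report's command line.
USER_WRITABLE = re.compile(r'\\(?:Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\', re.I)
# Vendor-sounding task names ("Google_Trk_Updater") are a common disguise.
BRAND_LOOKALIKE = re.compile(r'(google|microsoft|adobe|windows|intel).*(update|updater|svc|service)', re.I)


def parse_schtasks(cmdline):
    """Return {FLAG: value_or_True} for a schtasks /CREATE command line, else None.

    posix=False keeps Windows backslashes literal and quoted paths whole."""
    toks = shlex.split(cmdline, posix=False)
    args = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith('/'):
            key = tok[1:].upper()
            if i + 1 < len(toks) and not toks[i + 1].startswith('/'):
                args[key] = toks[i + 1].strip('"')
                i += 2
                continue
            args[key] = True
        i += 1
    return args if 'CREATE' in args else None


def assess(cmdline):
    """Score a task creation; returns (score, reasons) or None when not /CREATE."""
    args = parse_schtasks(cmdline)
    if args is None:
        return None
    reasons = []
    action = args.get('TR', '')
    if isinstance(action, str) and USER_WRITABLE.search(action):
        reasons.append('action binary in user-writable directory')
    if str(args.get('SC', '')).upper() in ('ONLOGON', 'ONSTART'):
        reasons.append('logon/boot trigger')
    if str(args.get('RL', '')).upper() == 'HIGHEST':
        reasons.append('run level HIGHEST')
    name = args.get('TN', '')
    if isinstance(name, str) and BRAND_LOOKALIKE.search(name):
        reasons.append('vendor-lookalike task name')
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return [(pid, score, reasons)] for schtasks creations scoring >= threshold."""
    hits = []
    for line in events:
        pid, image, cmd = line.split('|', 2)
        if not image.lower().endswith('schtasks.exe'):
            continue
        result = assess(cmd)
        if result and result[0] >= threshold:
            hits.append((int(pid), result[0], result[1]))
    return hits


if __name__ == '__main__':
    for pid, score, reasons in triage(EVENTS):
        print(f'PID {pid}: score {score}: {"; ".join(reasons)}')
```

Scoring rather than matching on any single flag keeps legitimate updaters (vendor directory, daily trigger) below the threshold while the report's command line scores on all four signals. On a real host the same logic applies to Sysmon event ID 1 or Windows Security 4688 command lines, and to the task XML under `C:\Windows\System32\Tasks`, which survives after the schtasks.exe process is gone.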

Network

  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.KQbQr18KnR.com
    77a883b974e7025c7737b512c1c96b5d.exe
    Remote address:
    8.8.8.8:53
    Request
    www.KQbQr18KnR.com
    IN A
    Response
  • flag-us
    DNS
    w.google.com
    77a883b974e7025c7737b512c1c96b5d.exe
    Remote address:
    8.8.8.8:53
    Request
    w.google.com
    IN A
    Response
    w.google.com
    IN CNAME
    www3.l.google.com
    www3.l.google.com
    IN A
    216.58.201.110
  • flag-gb
    GET
    http://w.google.com/
    77a883b974e7025c7737b512c1c96b5d.exe
    Remote address:
    216.58.201.110:80
    Request
    GET / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: w.google.com
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    Referrer-Policy: no-referrer
    Content-Length: 1561
    Date: Fri, 26 Jan 2024 14:56:24 GMT
  • flag-us
    DNS
    pastebin.com
    77a883b974e7025c7737b512c1c96b5d.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    104.20.67.143
    pastebin.com
    IN A
    172.67.34.170
  • flag-us
    GET
    http://pastebin.com/raw/ubFNTPjt
    77a883b974e7025c7737b512c1c96b5d.exe
    Remote address:
    104.20.68.143:80
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 26 Jan 2024 14:56:24 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 26 Jan 2024 15:56:24 GMT
    Location: https://pastebin.com/raw/ubFNTPjt
    Server: cloudflare
    CF-RAY: 84b99a372dbd889b-LHR
  • flag-us
    GET
    https://pastebin.com/raw/ubFNTPjt
    77a883b974e7025c7737b512c1c96b5d.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Response
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Jan 2024 14:56:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 1658
    Server: cloudflare
    CF-RAY: 84b99a388b3076cf-LHR
  • flag-us
    DNS
    209.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.178.17.96.in-addr.arpa
    IN PTR
    Response
    209.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-209.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    143.68.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    143.68.20.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.121.231.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.121.231.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    177.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    177.178.17.96.in-addr.arpa
    IN PTR
    Response
    177.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-177.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    175.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    175.178.17.96.in-addr.arpa
    IN PTR
    Response
    175.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-175.deploy.static.akamaitechnologies.com
  Connections summary. Sent/Recv are bytes, Pkts is packets out/in, and a dash in the Process column means the report attributes the query to no sample process.

  Remote address     | Name                              | Proto     | Process                              | Sent  | Recv  | Pkts | Request -> Response
  216.58.201.110:80  | http://w.google.com/              | http      | 77a883b974e7025c7737b512c1c96b5d.exe | 462 B | 1.9kB | 5/4  | GET http://w.google.com/ -> 404
  104.20.68.143:80   | http://pastebin.com/raw/ubFNTPjt  | http      | 77a883b974e7025c7737b512c1c96b5d.exe | 474 B | 424 B | 5/3  | GET http://pastebin.com/raw/ubFNTPjt -> 301
  104.20.68.143:443  | https://pastebin.com/raw/ubFNTPjt | tls, http | 77a883b974e7025c7737b512c1c96b5d.exe | 901 B | 4.6kB | 8/8  | GET https://pastebin.com/raw/ubFNTPjt -> 404
  8.8.8.8:53         | 217.106.137.52.in-addr.arpa       | dns       | -                                    | 73 B  | 147 B | 1/1  | PTR 217.106.137.52.in-addr.arpa
  8.8.8.8:53         | www.KQbQr18KnR.com                | dns       | 77a883b974e7025c7737b512c1c96b5d.exe | 64 B  | 137 B | 1/1  | A www.KQbQr18KnR.com
  8.8.8.8:53         | w.google.com                      | dns       | 77a883b974e7025c7737b512c1c96b5d.exe | 58 B  | 95 B  | 1/1  | A w.google.com -> 216.58.201.110
  8.8.8.8:53         | pastebin.com                      | dns       | 77a883b974e7025c7737b512c1c96b5d.exe | 58 B  | 106 B | 1/1  | A pastebin.com -> 104.20.68.143, 104.20.67.143, 172.67.34.170
  8.8.8.8:53         | 209.178.17.96.in-addr.arpa        | dns       | -                                    | 72 B  | 137 B | 1/1  | PTR 209.178.17.96.in-addr.arpa
  8.8.8.8:53         | 143.68.20.104.in-addr.arpa        | dns       | -                                    | 72 B  | 134 B | 1/1  | PTR 143.68.20.104.in-addr.arpa
  8.8.8.8:53         | 95.221.229.192.in-addr.arpa       | dns       | -                                    | 73 B  | 144 B | 1/1  | PTR 95.221.229.192.in-addr.arpa
  8.8.8.8:53         | 74.32.126.40.in-addr.arpa         | dns       | -                                    | 71 B  | 157 B | 1/1  | PTR 74.32.126.40.in-addr.arpa
  8.8.8.8:53         | 13.86.106.20.in-addr.arpa         | dns       | -                                    | 71 B  | 157 B | 1/1  | PTR 13.86.106.20.in-addr.arpa
  8.8.8.8:53         | 79.121.231.20.in-addr.arpa        | dns       | -                                    | 72 B  | 158 B | 1/1  | PTR 79.121.231.20.in-addr.arpa
  8.8.8.8:53         | 26.165.165.52.in-addr.arpa        | dns       | -                                    | 72 B  | 146 B | 1/1  | PTR 26.165.165.52.in-addr.arpa
  8.8.8.8:53         | 206.23.85.13.in-addr.arpa         | dns       | -                                    | 71 B  | 145 B | 1/1  | PTR 206.23.85.13.in-addr.arpa
  8.8.8.8:53         | 217.135.221.88.in-addr.arpa       | dns       | -                                    | 73 B  | 139 B | 1/1  | PTR 217.135.221.88.in-addr.arpa
  8.8.8.8:53         | 177.178.17.96.in-addr.arpa        | dns       | -                                    | 72 B  | 137 B | 1/1  | PTR 177.178.17.96.in-addr.arpa
  8.8.8.8:53         | 175.178.17.96.in-addr.arpa        | dns       | -                                    | 72 B  | 137 B | 1/1  | PTR 175.178.17.96.in-addr.arpa
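The sample's own traffic is three things: an unanswered lookup of www.KQbQr18KnR.com, a plain GET to w.google.com (a connectivity check; the 404 is irrelevant, the answer proves the network is up), and a fetch of pastebin.com/raw/ubFNTPjt that is redirected from HTTP to HTTPS and then returns 404, served from Cloudflare's cache (CF-Cache-Status: HIT, Age: 1658), so the paste had been removed before this run. That is the "legitimate hosting services abused" signature: a dead-drop resolver, where the real C2 address lives in a paste rather than in the binary. Below is an added example, not tria.ge code, of the detection a practitioner would run over proxy logs for this pattern. The `LOG` lines are constructed in a `process|method|url|status` form (the first three reproduce the report's requests, the last two are invented), and every host in `DEAD_DROP_PATHS` other than pastebin.com is an assumption about other commonly abused services.

```python
"""Spot dead-drop resolver fetches: raw paste content pulled by a non-browser,
the pattern behind the pastebin.com/raw/ubFNTPjt requests in this report.

Added example, not tria.ge code. LOG is a constructed proxy-style log
("process|method|url|status"); its first three lines reproduce the requests
in this report, the last two are made up. Every site other than pastebin.com
in DEAD_DROP_PATHS is an assumption about other commonly abused hosts.
"""
from collections import defaultdict
from urllib.parse import urlsplit

DEAD_DROP_PATHS = {
    'pastebin.com': ('/raw/',),
    'paste.ee': ('/r/', '/d/'),                 # assumption
    'raw.githubusercontent.com': ('/',),        # assumption
}
BROWSERS = {'chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe'}

LOG = [
    '77a883b974e7025c7737b512c1c96b5d.exe|GET|http://w.google.com/|404',
    '77a883b974e7025c7737b512c1c96b5d.exe|GET|http://pastebin.com/raw/ubFNTPjt|301',
    '77a883b974e7025c7737b512c1c96b5d.exe|GET|https://pastebin.com/raw/ubFNTPjt|404',
    # Constructed: a person reading a paste in a browser is not a dead drop.
    'firefox.exe|GET|https://pastebin.com/raw/abc123|200',
    # Constructed: ordinary system traffic.
    'svchost.exe|GET|http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab|200',
]


def is_dead_drop(url):
    """True when url fetches raw content from a known paste/hosting site."""
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    for site, prefixes in DEAD_DROP_PATHS.items():
        if host == site or host.endswith('.' + site):
            return any(parts.path.startswith(p) for p in prefixes)
    return False


def find_dead_drop_clients(lines):
    """Map non-browser process -> [(host+path, final_status)].

    The http->https 301 and the https 404 are one logical fetch, so a 3xx
    recorded for a path is superseded by the next status for the same path."""
    by_proc = defaultdict(dict)
    for line in lines:
        proc, _method, url, status = line.split('|')
        if proc.lower() in BROWSERS or not is_dead_drop(url):
            continue
        parts = urlsplit(url)
        key = (parts.hostname or '').lower() + parts.path
        prev = by_proc[proc].get(key)
        if prev is None or prev.startswith('3'):
            by_proc[proc][key] = status
    return {proc: sorted(d.items()) for proc, d in by_proc.items()}


def verdicts(hits):
    """Readable lines: 2xx means the drop was live (the pointer was served),
    4xx means it had already been taken down, as in this run."""
    out = []
    for proc, fetches in sorted(hits.items()):
        for path, status in fetches:
            if status.startswith('2'):
                state = 'live'
            elif status.startswith('4'):
                state = 'taken down'
            else:
                state = status
            out.append(f'{proc}: {path} ({state})')
    return out


if __name__ == '__main__':
    for line in verdicts(find_dead_drop_clients(LOG)):
        print(line)
```

The process-name filter is what makes this usable: paste sites see plenty of legitimate browser traffic, but a binary in a temp directory fetching `/raw/` is not browsing. A live drop (2xx) is the higher-priority case, since the process then holds a C2 address that the log does not show; a taken-down drop, as here, usually means the run stalls, which is consistent with no further sample traffic in this report.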

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\77a883b974e7025c7737b512c1c96b5d.exe

    Filesize

    1000KB

    MD5

    9794bafe6556ee87432d6477a13c4cef

    SHA1

    ae412267571e366f5c2576ee72793a8839b4e86a

    SHA256

    455c19702d1731b60d6f64557057a41588c4423e06394c8d8e26ae32ddc848d5

    SHA512

    c1bd1b21308ac1a51d7b493b7d70802e86a19da4cd098c32dda4e33a42bc8852f5a008fa6ecc553cbbad9115264403aa3a11cc5549db05b26e90c9bad60a2ded

  • memory/2416-14-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

  • memory/2416-16-0x0000000001630000-0x00000000016B3000-memory.dmp

    Filesize

    524KB

  • memory/2416-20-0x0000000004F80000-0x0000000004FFE000-memory.dmp

    Filesize

    504KB

  • memory/2416-21-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2416-27-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/4352-0-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

  • memory/4352-1-0x0000000001510000-0x0000000001593000-memory.dmp

    Filesize

    524KB

  • memory/4352-2-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/4352-11-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB
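The dump names above encode the self-replacement the UnmapMainImage and WriteProcessMemory signatures point at. In PID 4352 the region at 0x400000 is first 524KB (the on-disk image), a 524KB copy appears at 0x1510000, and then the 0x400000 region is 504KB: the original image was unmapped and a smaller one written over it. PID 2416 (the dropped copy, same size but a different hash) does the same and goes one stage further: a 504KB buffer is staged at 0x4F80000 and the image base ends up as a 364KB image, which is the code that created the task and made the network requests, and the one worth dumping for static analysis. The following is an added example, not tria.ge code, that reconstructs this from the dump names; `DUMPS` copies the names from the list above, the reading of a size change at the image base as a replaced image is the analyst's interpretation, and 0x400000 as the image base is taken from those names rather than from the PE header.

```python
"""Reconstruct the self-replacement (UnmapMainImage + WriteProcessMemory)
from the sandbox memory-dump identifiers.

Added example, not tria.ge code. DUMPS copies the dump names from the
Downloads list of this report. The interpretation (a region at the image
base that changes size means the original image was unmapped and a
different one written in its place) is an analyst's reading, and 0x400000
as the image base comes from those names, not from the PE header.
"""
import re

DUMPS = [
    'memory/2416-14-0x0000000000400000-0x0000000000483000-memory.dmp',
    'memory/2416-16-0x0000000001630000-0x00000000016B3000-memory.dmp',
    'memory/2416-20-0x0000000004F80000-0x0000000004FFE000-memory.dmp',
    'memory/2416-21-0x0000000000400000-0x000000000045B000-memory.dmp',
    'memory/2416-27-0x0000000000400000-0x000000000045B000-memory.dmp',
    'memory/4352-0-0x0000000000400000-0x0000000000483000-memory.dmp',
    'memory/4352-1-0x0000000001510000-0x0000000001593000-memory.dmp',
    'memory/4352-2-0x0000000000400000-0x000000000047E000-memory.dmp',
    'memory/4352-11-0x0000000000400000-0x000000000047E000-memory.dmp',
]

NAME = re.compile(r'memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp')


def parse_dumps(names):
    """-> [(pid, seq, start, end)] sorted by pid, then by capture sequence."""
    regions = []
    for name in names:
        m = NAME.fullmatch(name)
        if m is None:
            raise ValueError(f'unrecognised dump name: {name}')
        pid, seq, start, end = m.groups()
        regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return sorted(regions)


def image_base_history(regions, image_base=0x400000):
    """Per pid, the sizes seen at image_base in capture order."""
    hist = {}
    for pid, _seq, start, end in regions:
        if start == image_base:
            hist.setdefault(pid, []).append(end - start)
    return hist


def remap_events(regions, image_base=0x400000):
    """[(pid, old_size, new_size)] wherever the image-base mapping changed
    size: the process replaced its own main image."""
    events = []
    for pid, sizes in image_base_history(regions, image_base).items():
        for old, new in zip(sizes, sizes[1:]):
            if old != new:
                events.append((pid, old, new))
    return events


def staged_copies(regions, image_base=0x400000):
    """Regions away from the image base whose size equals some image-base
    mapping of any pid: a payload staged before it is written over the
    image, or the original image saved aside."""
    image_sizes = {end - start for _, _, start, end in regions if start == image_base}
    return sorted({(pid, start, end - start) for pid, _, start, end in regions
                   if start != image_base and (end - start) in image_sizes})


def kb(n):
    """Whole kilobytes, matching the Filesize values in the report."""
    return f'{n // 1024}KB'


if __name__ == '__main__':
    regs = parse_dumps(DUMPS)
    for pid, old, new in remap_events(regs):
        print(f'PID {pid}: image at 0x400000 replaced, {kb(old)} -> {kb(new)}')
    for pid, start, size in staged_copies(regs):
        print(f'PID {pid}: {kb(size)} staging region at 0x{start:X}')
```

The size match between 2416's staging buffer at 0x4F80000 (504KB) and 4352's second image (504KB) is the kind of link that tells you both processes run the same unpacking routine; the same check applied to a live system would use VAD or `VirtualQueryEx` region sizes instead of dump names.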
