Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

82a3e324f5...fa.exe

windows7-x64

7

82a3e324f5...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01/02/2024, 02:29 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82a3e324f5eaeb6961b6d1d8801d3cfa.exe

  • Size

    535KB

  • MD5

    82a3e324f5eaeb6961b6d1d8801d3cfa

  • SHA1

    5f4c5b3f2ddf0b35355cf47b2492fc2dd4598ee5

  • SHA256

    f98b79d8353242f3dc59ab4a47d41986b2a4725f2b03bdf7eccc626f5c44bdcc

  • SHA512

    6571b15929ca3f3d9cab7a7eeff49aabc4b96a6e543880cb369a655bf17751727c9820a391be8d174ca38736a27d1e102b607d4fd32b19512166d3a7ad8cc05e

  • SSDEEP

    6144:UgkAIdxqvB4AY11S2OWQ4dolrdCFiH1HU5TfqTe70uOVmb+rNesqoDUr8MZafNF3:KQ4AnMulkYVHUpD/U4sqZ83DSBP8Mw

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\82a3e324f5eaeb6961b6d1d8801d3cfa.exe" /TN Google_Trk_Updater /F
    1⤵
    • Creates scheduled task(s)
    PID:2704
  • C:\Users\Admin\AppData\Local\Temp\82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    C:\Users\Admin\AppData\Local\Temp\82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3040
  • C:\Users\Admin\AppData\Local\Temp\82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    "C:\Users\Admin\AppData\Local\Temp\82a3e324f5eaeb6961b6d1d8801d3cfa.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2300

Network

  • flag-us
    DNS
    www.l1BxFLSRzq.com
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    Remote address:
    8.8.8.8:53
    Request
    www.l1BxFLSRzq.com
    IN A
    Response
  • flag-us
    DNS
    w.google.com
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    Remote address:
    8.8.8.8:53
    Request
    w.google.com
    IN A
    Response
    w.google.com
    IN CNAME
    www3.l.google.com
    www3.l.google.com
    IN A
    172.217.18.206
  • flag-fr
    GET
    http://w.google.com/
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    Remote address:
    172.217.18.206:80
    Request
    GET / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: w.google.com
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    Referrer-Policy: no-referrer
    Content-Length: 1561
    Date: Thu, 01 Feb 2024 02:29:20 GMT
  • flag-us
    DNS
    pastebin.com
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    104.20.67.143
    pastebin.com
    IN A
    172.67.34.170
  • flag-us
    GET
    http://pastebin.com/raw/ubFNTPjt
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    Remote address:
    104.20.68.143:80
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 01 Feb 2024 02:29:20 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Thu, 01 Feb 2024 03:29:20 GMT
    Location: https://pastebin.com/raw/ubFNTPjt
    Server: cloudflare
    CF-RAY: 84e6c424f90423bb-LHR
  • flag-us
    GET
    https://pastebin.com/raw/ubFNTPjt
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 01 Feb 2024 02:29:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    Cache-Control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 1161
    Server: cloudflare
    CF-RAY: 84e6c429bb51654d-LHR
  • 172.217.18.206:80
    http://w.google.com/
    http
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    462 B
     1.9kB
     5
    4

    HTTP Request

    GET http://w.google.com/

    HTTP Response

    404
  • 104.20.68.143:80
    http://pastebin.com/raw/ubFNTPjt
    http
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    480 B
     756 B
     5
    4

    HTTP Request

    GET http://pastebin.com/raw/ubFNTPjt

    HTTP Response

    301
  • 104.20.68.143:443
    https://pastebin.com/raw/ubFNTPjt
    tls, http
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    929 B
     5.0kB
     9
    8

    HTTP Request

    GET https://pastebin.com/raw/ubFNTPjt

    HTTP Response

    404
  • 8.8.8.8:53
    www.l1BxFLSRzq.com
    dns
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    64 B
     137 B
     1
    1

    DNS Request

    www.l1BxFLSRzq.com

  • 8.8.8.8:53
    w.google.com
    dns
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    58 B
     95 B
     1
    1

    DNS Request

    w.google.com

    DNS Response

    172.217.18.206

  • 8.8.8.8:53
    pastebin.com
    dns
    82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    58 B
     106 B
     1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.68.143
    104.20.67.143
    172.67.34.170

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\82a3e324f5eaeb6961b6d1d8801d3cfa.exe
    Filesize

    535KB

    MD5

    2a8ba55818313c8c61b351c38025226d

    SHA1

    929e9987aaa046fb273a5276d48d14df0fcd25f3

    SHA256

    d82cc45e086b71744e12adc0f9cfd7ab52235420e721e0a735997f176a7cd59c

    SHA512

    449ba64e69947569213ede7ece9b7eed8371576e293bd79356dbddd51aa112b63c7719db80ec851414ec91ebcdfe382c08bd5b78958c9805c88801e9c601a0e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab4AB8.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar4AFA.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • memory/2300-15-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2300-12-0x0000000002F20000-0x0000000002FC8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2300-2-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2300-1-0x00000000014B0000-0x0000000001558000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2300-0-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/3040-24-0x00000000014B0000-0x0000000001516000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3040-23-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/3040-20-0x00000000002B0000-0x0000000000358000-memory.dmp

    Filesize

    672KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.