Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/02/2024, 03:41 UTC

General

  • Target

    9862c8d1ed05b1f41aa58ffcd621c0c7.exe

  • Size

    556KB

  • MD5

    9862c8d1ed05b1f41aa58ffcd621c0c7

  • SHA1

    b367426011a95facc927718018b7b214a40af948

  • SHA256

    d000d9b44f81d02f49b76aea429c502c770834a29d9b2794e8d109e3b572f118

  • SHA512

    5c07982b036fe7f1257d3c3a7d49556d69dd32abb04b4f6821a2156670122bf2f9a8a2234d0f48541eb358d94fecab2e91d859675de25638dd0813c90458d37f

  • SSDEEP

    6144:twkajyiWz7KXsS5sTqPBpJdGE1zk08aR7xR3p73hwV:ujyfHSmbEp18aRdD0

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9862c8d1ed05b1f41aa58ffcd621c0c7.exe
    "C:\Users\Admin\AppData\Local\Temp\9862c8d1ed05b1f41aa58ffcd621c0c7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Local\Temp\9862c8d1ed05b1f41aa58ffcd621c0c7.exe
      C:\Users\Admin\AppData\Local\Temp\9862c8d1ed05b1f41aa58ffcd621c0c7.exe
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4272
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2056
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:82948 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4656
      • C:\Windows\svcr.exe
        "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\9862c8d1ed05b1f41aa58ffcd621c0c7.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\svcr.exe
          C:\Windows\svcr.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4052
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:892
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • Modifies Internet Explorer settings
              PID:2064

Network

  • DNS 180.178.17.96.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: a96-17-178-180.deploy.static.akamaitechnologies.com
  • DNS 241.150.49.20.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS api.bing.com IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: api.bing.com IN CNAME api-bing-com.e-0001.e-msedge.net; api-bing-com.e-0001.e-msedge.net IN CNAME e-0001.e-msedge.net; e-0001.e-msedge.net IN A 13.107.5.80
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS 133.32.126.40.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS 95.221.229.192.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS 232.168.11.51.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS 217.106.137.52.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS 157.123.68.40.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS 171.39.242.20.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS 161.19.199.152.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS 23.236.111.52.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    Response: empty
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    No response recorded
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    No response recorded
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    No response recorded
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    No response recorded
  • DNS yamyyugi.no-ip.org IN A, process IEXPLORE.EXE, remote 8.8.8.8:53 (US)
    No response recorded
  • DNS 26.73.42.20.in-addr.arpa IN PTR, remote 8.8.8.8:53 (US)
    Response: empty
  Connections (remote address, host, protocol, process, bytes sent / received, packets sent / received):

  • 204.79.197.200:443 ieonline.microsoft.com, tls, http2, IEXPLORE.EXE, 1.2kB / 8.1kB, 15 / 14
  • 8.8.8.8:53 180.178.17.96.in-addr.arpa, dns, 72 B / 137 B, 1 / 1
    DNS Request: 180.178.17.96.in-addr.arpa
  • 8.8.8.8:53 241.150.49.20.in-addr.arpa, dns, 72 B / 158 B, 1 / 1
    DNS Request: 241.150.49.20.in-addr.arpa
  • 8.8.8.8:53 api.bing.com, dns, IEXPLORE.EXE, 58 B / 134 B, 1 / 1
    DNS Request: api.bing.com
    DNS Response: 13.107.5.80
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 64 B / 124 B, 1 / 1
    DNS Request: yamyyugi.no-ip.org
  • 8.8.8.8:53 133.32.126.40.in-addr.arpa, dns, 72 B / 158 B, 1 / 1
    DNS Request: 133.32.126.40.in-addr.arpa
  • 8.8.8.8:53 95.221.229.192.in-addr.arpa, dns, 73 B / 144 B, 1 / 1
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53 232.168.11.51.in-addr.arpa, dns, 72 B / 158 B, 1 / 1
    DNS Request: 232.168.11.51.in-addr.arpa
  • 8.8.8.8:53 217.106.137.52.in-addr.arpa, dns, 73 B / 147 B, 1 / 1
    DNS Request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 64 B / 124 B, 1 / 1
    DNS Request: yamyyugi.no-ip.org
  • 8.8.8.8:53 157.123.68.40.in-addr.arpa, dns, 72 B / 146 B, 1 / 1
    DNS Request: 157.123.68.40.in-addr.arpa
  • 8.8.8.8:53 171.39.242.20.in-addr.arpa, dns, 72 B / 158 B, 1 / 1
    DNS Request: 171.39.242.20.in-addr.arpa
  • 8.8.8.8:53 161.19.199.152.in-addr.arpa, dns, 73 B / 144 B, 1 / 1
    DNS Request: 161.19.199.152.in-addr.arpa
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 64 B / 124 B, 1 / 1
    DNS Request: yamyyugi.no-ip.org
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 64 B / 124 B, 1 / 1
    DNS Request: yamyyugi.no-ip.org
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 64 B / 124 B, 1 / 1
    DNS Request: yamyyugi.no-ip.org
  • 8.8.8.8:53 23.236.111.52.in-addr.arpa, dns, 72 B / 158 B, 1 / 1
    DNS Request: 23.236.111.52.in-addr.arpa
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 64 B / 124 B, 1 / 1
    DNS Request: yamyyugi.no-ip.org
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 64 B / 124 B, 1 / 1
    DNS Request: yamyyugi.no-ip.org
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 64 B / 124 B, 1 / 1
    DNS Request: yamyyugi.no-ip.org
  • 8.8.8.8:53 yamyyugi.no-ip.org, dns, IEXPLORE.EXE, 320 B sent, 5 packets sent, no reply
    DNS Request: yamyyugi.no-ip.org (5 requests)
  • 8.8.8.8:53 26.73.42.20.in-addr.arpa, dns, 70 B / 156 B, 1 / 1
    DNS Request: 26.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    5d2e801ae3f7df50081e3bb1f01cdf68

    SHA1

    147c54d6811b5f01c11705cc424d76ea6a548fa8

    SHA256

    8faa139c1b9826ff7961dafdeba17f9c471b2b164313c0886f6e56a8222d354e

    SHA512

    576aaeb9f7125142196029c9de82829a16ae85597592f2a83bd883e7ad5b2a6a71fecf7ead45a3c750ba4f9fc7a6f8c36826425c534a681610808633c01b2495

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    a8e957188b83a6a03643b087c633e218

    SHA1

    51d20df2ba2e1225f43923b3765b0eff8b5c1992

    SHA256

    f67f181075b0f11b485ecf3e84dd0cef501d7a269e658b2d4b0bef2502a15e5c

    SHA512

    f0dc34df4002c4a906486a9584b20182235d3401a47d9f3763806d27aae99eb89ffc5582b787246ed1bdcb9e6a9b20046a889503f4bd5dde7ffe481a5d0aafcf

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M8F18HYR\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\svcr.exe

    Filesize

    517KB

    MD5

    582d9b12b22a4cd523c8666a81cfa112

    SHA1

    53193c7261c153602b97686765fc63e2a185856a

    SHA256

    3fff95b372a26d0ce92e7004f505ac7663f007eb8f0d19fb158bca38a12b216f

    SHA512

    763ca7ee7e8185ccd2ac3c7e032e001bc1285355c90f6c5c57339e40f287416c39cac895472f668dac1a68921795c461cc45f206427badeb75dc47ccb2509ebf

  • C:\Windows\svcr.exe

    Filesize

    556KB

    MD5

    9862c8d1ed05b1f41aa58ffcd621c0c7

    SHA1

    b367426011a95facc927718018b7b214a40af948

    SHA256

    d000d9b44f81d02f49b76aea429c502c770834a29d9b2794e8d109e3b572f118

    SHA512

    5c07982b036fe7f1257d3c3a7d49556d69dd32abb04b4f6821a2156670122bf2f9a8a2234d0f48541eb358d94fecab2e91d859675de25638dd0813c90458d37f

  • memory/2272-2-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2272-4-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2272-17-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4052-26-0x0000000010410000-0x000000001042E000-memory.dmp

    Filesize

    120KB

  • memory/4052-33-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB