Analysis

  • max time kernel: 129s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 13/02/2024, 05:43 UTC

General

  • Target: 989e845511599a05762c239c350f2781.exe
  • Size: 50KB
  • MD5: 989e845511599a05762c239c350f2781
  • SHA1: d7accf372f8700017d98a65794aa36281c473162
  • SHA256: 064b545ab43b11732a115f22202f89cebc40451a2144d1a5ba0df045d52b8b84
  • SHA512: 48dee154c5fc11dce5a5c22ba5c4a30373cae9a6527c985703fd28d709ff9f1cf6413034a368d6b27a00dd4b13bdd2752d35a255545eac9373ae78682d91b1dc
  • SSDEEP: 768:PcGu+aZmwmhgLfoatZ0X1lfx51gSW12t7EyKznRfTIA13tOB0CH:P9Omw7g2GffxbvMznRfTIedOys

Score: 7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies system certificate store (2 TTPs, 4 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\989e845511599a05762c239c350f2781.exe (PID: 2444)
    Command line: "C:\Users\Admin\AppData\Local\Temp\989e845511599a05762c239c350f2781.exe"
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious use of UnmapMainImage

Network

  • flag-us
    DNS
    adobe.com
    989e845511599a05762c239c350f2781.exe
    Remote address:
    8.8.8.8:53
    Request
    adobe.com
    IN A
    Response
    adobe.com
    IN A
    88.221.135.202
    adobe.com
    IN A
    88.221.135.203
  • flag-gb
    POST
    http://adobe.com/geo/productid.php
    989e845511599a05762c239c350f2781.exe
    Remote address:
    88.221.135.202:80
    Request
    POST /geo/productid.php HTTP/1.1
    Host: adobe.com
    User-Agent: Opera/10.80 Pesto/2.2.30
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 21
    Response
    HTTP/1.1 403 Forbidden
    Server: AkamaiGHost
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Length: 280
    Expires: Tue, 13 Feb 2024 05:43:24 GMT
    Date: Tue, 13 Feb 2024 05:43:24 GMT
    Connection: close
  • flag-us
    DNS
    hnzshqhw.co.cc
    989e845511599a05762c239c350f2781.exe
    Remote address:
    8.8.8.8:53
    Request
    hnzshqhw.co.cc
    IN A
    Response
    hnzshqhw.co.cc
    IN A
    175.126.123.219
  • flag-kr
    GET
    http://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:80
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Host: hnzshqhw.co.cc
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 13 Feb 2024 05:43:25 GMT
    Server: Apache
    Location: https://hnzshqhw.co.cc/showthread.php?t=212872
    Content-Length: 254
    Content-Type: text/html; charset=iso-8859-1
  • flag-kr
    GET
    http://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:80
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Host: hnzshqhw.co.cc
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 13 Feb 2024 05:43:27 GMT
    Server: Apache
    Location: https://hnzshqhw.co.cc/showthread.php?t=212872
    Content-Length: 254
    Content-Type: text/html; charset=iso-8859-1
  • flag-kr
    GET
    http://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:80
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: hnzshqhw.co.cc
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 13 Feb 2024 05:43:28 GMT
    Server: Apache
    Location: https://hnzshqhw.co.cc/showthread.php?t=212872
    Content-Length: 254
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
  • flag-kr
    GET
    http://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:80
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Host: hnzshqhw.co.cc
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 13 Feb 2024 05:43:28 GMT
    Server: Apache
    Location: https://hnzshqhw.co.cc/showthread.php?t=212872
    Content-Length: 254
    Content-Type: text/html; charset=iso-8859-1
  • flag-kr
    GET
    http://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:80
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Host: hnzshqhw.co.cc
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 13 Feb 2024 05:43:29 GMT
    Server: Apache
    Location: https://hnzshqhw.co.cc/showthread.php?t=212872
    Content-Length: 254
    Content-Type: text/html; charset=iso-8859-1
  • flag-kr
    GET
    https://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:443
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: hnzshqhw.co.cc
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 13 Feb 2024 05:43:27 GMT
    Server: Apache
    X-Powered-By: PHP/5.3.29
    Content-Length: 47
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-kr
    GET
    https://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:443
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: hnzshqhw.co.cc
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 13 Feb 2024 05:43:28 GMT
    Server: Apache
    X-Powered-By: PHP/5.3.29
    Content-Length: 47
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-kr
    GET
    https://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:443
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Connection: Keep-Alive
    Host: hnzshqhw.co.cc
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 13 Feb 2024 05:43:28 GMT
    Server: Apache
    X-Powered-By: PHP/5.3.29
    Content-Length: 47
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-kr
    GET
    https://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:443
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: hnzshqhw.co.cc
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 13 Feb 2024 05:43:29 GMT
    Server: Apache
    X-Powered-By: PHP/5.3.29
    Content-Length: 47
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-kr
    GET
    https://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:443
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: hnzshqhw.co.cc
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 13 Feb 2024 05:43:29 GMT
    Server: Apache
    X-Powered-By: PHP/5.3.29
    Content-Length: 47
    Keep-Alive: timeout=5, max=96
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-kr
    GET
    https://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:443
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: hnzshqhw.co.cc
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 13 Feb 2024 05:43:30 GMT
    Server: Apache
    X-Powered-By: PHP/5.3.29
    Content-Length: 47
    Keep-Alive: timeout=5, max=95
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-us
    DNS
    www.microsoft.com
    989e845511599a05762c239c350f2781.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    92.123.241.137
  • flag-kr
    GET
    http://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:80
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Host: hnzshqhw.co.cc
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 13 Feb 2024 05:45:30 GMT
    Server: Apache
    Location: https://hnzshqhw.co.cc/showthread.php?t=212872
    Content-Length: 254
    Content-Type: text/html; charset=iso-8859-1
  • flag-kr
    GET
    http://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:80
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Host: hnzshqhw.co.cc
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 13 Feb 2024 05:45:31 GMT
    Server: Apache
    Location: https://hnzshqhw.co.cc/showthread.php?t=212872
    Content-Length: 254
    Content-Type: text/html; charset=iso-8859-1
  • flag-kr
    GET
    http://hnzshqhw.co.cc/showthread.php?t=212872
    989e845511599a05762c239c350f2781.exe
    Remote address:
    175.126.123.219:80
    Request
    GET /showthread.php?t=212872 HTTP/1.1
    User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
    Host: hnzshqhw.co.cc
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 13 Feb 2024 05:45:32 GMT
    Server: Apache
    Location: https://hnzshqhw.co.cc/showthread.php?t=212872
    Content-Length: 254
    Content-Type: text/html; charset=iso-8859-1
  • 88.221.135.202:80
    http://adobe.com/geo/productid.php
    http
    989e845511599a05762c239c350f2781.exe
    411 B
    700 B
    5
    5

    HTTP Request

    POST http://adobe.com/geo/productid.php

    HTTP Response

    403
  • 175.126.123.219:80
    http://hnzshqhw.co.cc/showthread.php?t=212872
    http
    989e845511599a05762c239c350f2781.exe
    1.7kB
    2.7kB
    19
    8

    HTTP Request

    GET http://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    301

    HTTP Request

    GET http://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    301

    HTTP Request

    GET http://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    301

    HTTP Request

    GET http://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    301

    HTTP Request

    GET http://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    301
  • 175.126.123.219:443
    https://hnzshqhw.co.cc/showthread.php?t=212872
    tls, http
    989e845511599a05762c239c350f2781.exe
    2.8kB
    7.9kB
    19
    15

    HTTP Request

    GET https://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    404

    HTTP Request

    GET https://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    404

    HTTP Request

    GET https://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    404

    HTTP Request

    GET https://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    404

    HTTP Request

    GET https://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    404

    HTTP Request

    GET https://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    404
  • 175.126.123.219:80
    http://hnzshqhw.co.cc/showthread.php?t=212872
    http
    989e845511599a05762c239c350f2781.exe
    819 B
    1.6kB
    9
    6

    HTTP Request

    GET http://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    301

    HTTP Request

    GET http://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    301

    HTTP Request

    GET http://hnzshqhw.co.cc/showthread.php?t=212872

    HTTP Response

    301
  • 175.126.123.219:443
    hnzshqhw.co.cc
    tls
    989e845511599a05762c239c350f2781.exe
    2.3kB
    2.5kB
    13
    11
  • 8.8.8.8:53
    adobe.com
    dns
    989e845511599a05762c239c350f2781.exe
    55 B
    87 B
    1
    1

    DNS Request

    adobe.com

    DNS Response

    88.221.135.202
    88.221.135.203

  • 8.8.8.8:53
    hnzshqhw.co.cc
    dns
    989e845511599a05762c239c350f2781.exe
    60 B
    76 B
    1
    1

    DNS Request

    hnzshqhw.co.cc

    DNS Response

    175.126.123.219

  • 8.8.8.8:53
    www.microsoft.com
    dns
    989e845511599a05762c239c350f2781.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    92.123.241.137

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar949.tmp
    Filesize: 171KB
    MD5: 9c0c641c06238516f27941aa1166d427
    SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Roaming\Adobe\plugs\mmc118.exe
    Filesize: 47B
    MD5: 2079de86c2f563b129b99bacca34ac23
    SHA1: 9cd346283354dbae0118488be07b73e6a9292a1a
    SHA256: 57e5a4c140bcc8738d1daa3f6cee05aac052218d286f69e4f4303fbc8af19ea7
    SHA512: 946e89de4a2df78bc3952bb79843c95b137e0494ffba3e0b956aa1073beaf759d14fed9ea033adc2cee1aa8cc272b5a8ea6e23ae74caaf196ff73b555466706a

  • C:\Users\Admin\AppData\Roaming\Adobe\plugs\mmc70.exe
    Filesize: 47B
    MD5: 8cebbdcf906d7e7b80bc34904e9bd904
    SHA1: 9aec1585ae48f2744c74447391b450fc2c972a0f
    SHA256: 68227354e364f4637416a15ab0d7e98a83deda10e3ce98dd134f0cea55b74573
    SHA512: aa7cf43a3c80c8df522e95a763c07be226fb5b53727bee8f4076c0d7a5f7000c08832ca226838ea43554cdf12145db4a9fb67cb3176d19d3f275bdfb20d11b22

  • memory/2444-0-0x0000000000240000-0x0000000000250000-memory.dmp
    Filesize: 64KB

  • memory/2444-1-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/2444-2-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/2444-43-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/2444-112-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB
