Analysis

  • max time kernel
    125s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/02/2024, 06:49 UTC

General

  • Target

    9b0994eba2a00e1f2433fec1c31126d3.exe

  • Size

    689KB

  • MD5

    9b0994eba2a00e1f2433fec1c31126d3

  • SHA1

    8a2c9e1fb49cb178a32f07bc2af86123ce521b6d

  • SHA256

    72c29d9c210edf63cf98a767dee021dc7f006ece99121bbd1962742e17aa892f

  • SHA512

    6bc8eefa3e19ef123a9c9a03f72fa8dd6fe8e44bbbe844ace619f0c00ad0d96366e03a2189b78e98ecb4f524582aba6179d8f931f83b32a9d469827143af0008

  • SSDEEP

    6144:oJ82asJfnlAJwT71w+DtmVlTWw8oY4JHfTcE6sTNrCMHJeTBh+:oOWJ8wT7SoScCY4JHLcElTNm8eT

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 44 IoCs
  • Drops file in Program Files directory 41 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b0994eba2a00e1f2433fec1c31126d3.exe
    "C:\Users\Admin\AppData\Local\Temp\9b0994eba2a00e1f2433fec1c31126d3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\qJXfJY\svchost.exe
      "C:\Users\Admin\AppData\Local\qJXfJY\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2896

Network

  • DNS (US)
    wx.go890.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    wx.go890.com
    IN A
    Response
  • DNS (US)
    cnwx.58ad.cn
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    cnwx.58ad.cn
    IN A
    Response
    cnwx.58ad.cn
    IN A
    119.97.143.63
  • DNS (US)
    www.58sky.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.58sky.com
    IN A
    Response
    www.58sky.com
    IN CNAME
    www.58sky.com.cdn.dnsv1.com.cn
    www.58sky.com.cdn.dnsv1.com.cn
    IN CNAME
    bvxhlur1.sched.sma.tdnsstic1.cn
  • DNS (US)
    www.58sky.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.58sky.com
    IN A
    Response
    www.58sky.com
    IN CNAME
    www.58sky.com.cdn.dnsv1.com.cn
    www.58sky.com.cdn.dnsv1.com.cn
    IN CNAME
    bvxhlur1.sched.sma.tdnsstic1.cn
  • DNS (US)
    wdx.go890.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    wdx.go890.com
    IN A
    Response
  • DNS (US)
    www.go890.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.go890.com
    IN A
    Response
  • 119.97.143.63:80
    cnwx.58ad.cn
    svchost.exe
    152 B
    3
  • 123.139.99.35:80
    www.58sky.com
    svchost.exe
    152 B
    3
  • 123.139.99.35:80
    www.58sky.com
    svchost.exe
    152 B
    3
  • 123.139.99.35:80
    www.58sky.com
    svchost.exe
    152 B
    3
  • 8.8.8.8:53
    wx.go890.com
    dns
    svchost.exe
    58 B
    132 B
    1
    1

    DNS Request

    wx.go890.com

  • 8.8.8.8:53
    cnwx.58ad.cn
    dns
    svchost.exe
    58 B
    74 B
    1
    1

    DNS Request

    cnwx.58ad.cn

    DNS Response

    119.97.143.63

  • 8.8.8.8:53
    www.58sky.com
    dns
    svchost.exe
    118 B
    708 B
    2
    2

    DNS Request

    www.58sky.com

    DNS Request

    www.58sky.com

    DNS Response

  • 8.8.8.8:53
    www.58sky.com
    dns
    svchost.exe
    59 B
    354 B
    1
    1

    DNS Request

    www.58sky.com

    DNS Response

    42.177.83.82
    113.194.51.51
    42.177.83.214
    60.220.213.207
    42.177.83.78
    61.243.13.103
    42.177.83.63
    113.194.50.188
    42.177.83.224
    42.177.83.225
    116.148.161.141
    123.139.99.35
    113.201.158.139

  • 8.8.8.8:53
    wdx.go890.com
    dns
    svchost.exe
    59 B
    133 B
    1
    1

    DNS Request

    wdx.go890.com

  • 8.8.8.8:53
    www.go890.com
    dns
    svchost.exe
    59 B
    133 B
    1
    1

    DNS Request

    www.go890.com

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\qJXfJY\svchost.exe

    Filesize

    696KB

    MD5

    b3b948c1b14775b4e182c11924c1a9ba

    SHA1

    4ea1bca40fa6afc8d6de751d72d5e7c1c81d145e

    SHA256

    f36254f1269ac1c1e228fe0df7039975924795523e15426b3a0a173b3ecf173b

    SHA512

    89eeddd81f9e3979b4d95981885d39c8329b7a616197709b694f198bac30097c284223c4a6aea9b85d12995a6cb2c4bfd0bc33466ae7ec75f7c61a8853d24753

  • memory/1712-0-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1712-7-0x00000000004A0000-0x0000000000500000-memory.dmp

    Filesize

    384KB

  • memory/1712-10-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1712-14-0x00000000004A0000-0x0000000000500000-memory.dmp

    Filesize

    384KB

  • memory/2896-15-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2896-520-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB
