Analysis

  • max time kernel: 121s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231222-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/02/2024, 02:31 UTC

General

  • Target: 71249c7234586da21d10b349be6b4044.exe
  • Size: 327KB
  • MD5: 71249c7234586da21d10b349be6b4044
  • SHA1: 3fe0ce136436c8afa5a6fcdecbaf03d79ebb5701
  • SHA256: e38d3f5f725b87b072aa1a7cd772bafde24afed3a47b05be735a554a406da734
  • SHA512: fd47e8bf7ea234a2ef84865afa1b8609ce12d5fa60e4395e3bd43967d10ddd49b2f1971004936660506a840ace20308536ed52d4733429a5ea8f15fe0b8577f2
  • SSDEEP: 6144:p2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:p2TFafJiHCWBWPMjVWrXK0

Score: 7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71249c7234586da21d10b349be6b4044.exe
    "C:\Users\Admin\AppData\Local\Temp\71249c7234586da21d10b349be6b4044.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2112

Network

  • DNS query: 232.168.11.51.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: 232.168.11.51.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: none recorded
  • DNS query: nwoccs.zapto.org, IN A
    Process: dwmsys.exe
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: 180.178.17.96.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: 180.178.17.96.in-addr.arpa IN PTR a96-17-178-180.deploy.static.akamaitechnologies.com
  • DNS query: 95.221.229.192.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: 149.220.183.52.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: 133.211.185.52.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: nwoccs.zapto.org, IN A
    Process: dwmsys.exe
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: 26.165.165.52.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: 171.39.242.20.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: 217.135.221.88.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
  • DNS query: nwoccs.zapto.org, IN A
    Process: dwmsys.exe
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: 29.243.111.52.in-addr.arpa, IN PTR
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: nwoccs.zapto.org, IN A
    Process: dwmsys.exe
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
  • DNS query: nwoccs.zapto.org, IN A
    Process: dwmsys.exe
    Remote address: 8.8.8.8:53
    Response: empty (no answer records)
Connections (columns: remote address, domain, protocol, process, bytes sent, bytes received, packets sent, packets received; "-" means no process was attributed):

  Remote address  Domain                       Proto  Process     Sent   Recv   Pkts out  Pkts in
  8.8.8.8:53      232.168.11.51.in-addr.arpa   dns    -           144 B  158 B  2         1
  8.8.8.8:53      nwoccs.zapto.org             dns    dwmsys.exe  62 B   122 B  1         1
  8.8.8.8:53      180.178.17.96.in-addr.arpa   dns    -           72 B   137 B  1         1
  8.8.8.8:53      95.221.229.192.in-addr.arpa  dns    -           73 B   144 B  1         1
  8.8.8.8:53      149.220.183.52.in-addr.arpa  dns    -           73 B   147 B  1         1
  8.8.8.8:53      133.211.185.52.in-addr.arpa  dns    -           73 B   147 B  1         1
  8.8.8.8:53      nwoccs.zapto.org             dns    dwmsys.exe  62 B   122 B  1         1
  8.8.8.8:53      26.165.165.52.in-addr.arpa   dns    -           72 B   146 B  1         1
  8.8.8.8:53      171.39.242.20.in-addr.arpa   dns    -           72 B   158 B  1         1
  8.8.8.8:53      217.135.221.88.in-addr.arpa  dns    -           73 B   139 B  1         1
  8.8.8.8:53      nwoccs.zapto.org             dns    dwmsys.exe  62 B   122 B  1         1
  8.8.8.8:53      29.243.111.52.in-addr.arpa   dns    -           72 B   158 B  1         1
  8.8.8.8:53      nwoccs.zapto.org             dns    dwmsys.exe  62 B   122 B  1         1
  8.8.8.8:53      nwoccs.zapto.org             dns    dwmsys.exe  62 B   122 B  1         1

The first row carries two DNS requests for 232.168.11.51.in-addr.arpa; every other row carries a single DNS request for the domain shown.

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
    Filesize: 327KB
    MD5: 9ff6989d5fb15c0b5d9517a328b871e8
    SHA1: 304b05f5f75e4f2a7c67741becfa1199c315b7be
    SHA256: 697167aa46b4b5cb0e73e7aacbe22d78df1b0417869adac1611094e61b3483d1
    SHA512: e07e42531fc82b1caaba5cd21a8f7653db284059cd9ff8c4523616d774abea681838225a73fb2040e6abe201b9db820fdfe67b70ef28ec60f63d5933a8e1edaf
