
Analysis

  • max time kernel
    147s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2024, 22:15 UTC

General

  • Target

    a2d90e3a9711aff6f1cf60cbbad7c658.exe

  • Size

    133KB

  • MD5

    a2d90e3a9711aff6f1cf60cbbad7c658

  • SHA1

    17b626ad8846308a1b4a963d5ed3a745b0ec552d

  • SHA256

    e02eb55c076b71f409b5fb26a38139ccb6b6c1cee887d53b978c41be7d87ab97

  • SHA512

    c291d3e80df48ce5b9ab7cd983686e337372feea93e7ca7bc8f2a73045840a52ee0dd820d221b326d3da7f75acfbea118c5df19fb052fbc521b819689bdf64f8

  • SSDEEP

    3072:ilrLuWCp3BD6H+fx0QKDaLsEDMXlpBiQvR95bQdz1ENIluHlPYydSzOQ:ilXuNnD9UaLna/HdQdz+NIlQPYyd5Q

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe
    "C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe
      C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:2324

Network

  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    cutit.org
    a2d90e3a9711aff6f1cf60cbbad7c658.exe
    Remote address:
    8.8.8.8:53
    Request
    cutit.org
    IN A
    Response
    cutit.org
    IN A
    64.91.240.248
  • flag-us
    GET
    https://cutit.org/oxgBR
    a2d90e3a9711aff6f1cf60cbbad7c658.exe
    Remote address:
    64.91.240.248:443
    Request
    GET /oxgBR HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: cutit.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 24 Feb 2024 22:15:32 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
    X-Powered-By: PHP/5.4.16
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Location: http://ww7.cutit.org/oxgBR?usid=25&utid=5570150198
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0648201C5BD46E26176134335A346F8A; domain=.bing.com; expires=Thu, 20-Mar-2025 22:15:31 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4B65960BACC44B57925447FE013A0315 Ref B: LON04EDGE1217 Ref C: 2024-02-24T22:15:31Z
    date: Sat, 24 Feb 2024 22:15:31 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0648201C5BD46E26176134335A346F8A
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=iByx3XidrzF_XAIWNf3xH95heUZ7Q1oGsnanWSOt3UQ; domain=.bing.com; expires=Thu, 20-Mar-2025 22:15:31 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E314EBD602C34CCBB880FE6E68578E09 Ref B: LON04EDGE1217 Ref C: 2024-02-24T22:15:31Z
    date: Sat, 24 Feb 2024 22:15:31 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0648201C5BD46E26176134335A346F8A; MSPTC=iByx3XidrzF_XAIWNf3xH95heUZ7Q1oGsnanWSOt3UQ
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 072C0348C0DA49EDB6D4E4A626D6F3EE Ref B: LON04EDGE1217 Ref C: 2024-02-24T22:15:31Z
    date: Sat, 24 Feb 2024 22:15:31 GMT
  • flag-us
    DNS
    ww7.cutit.org
    a2d90e3a9711aff6f1cf60cbbad7c658.exe
    Remote address:
    8.8.8.8:53
    Request
    ww7.cutit.org
    IN A
    Response
    ww7.cutit.org
    IN CNAME
    78626.bodis.com
    78626.bodis.com
    IN A
    199.59.243.225
  • flag-us
    GET
    http://ww7.cutit.org/oxgBR?usid=25&utid=5570150198
    a2d90e3a9711aff6f1cf60cbbad7c658.exe
    Remote address:
    199.59.243.225:80
    Request
    GET /oxgBR?usid=25&utid=5570150198 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Host: ww7.cutit.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    date: Sat, 24 Feb 2024 22:15:31 GMT
    content-type: text/html; charset=utf-8
    content-length: 1126
    x-request-id: 0fc80eb6-dcd3-4c10-aacb-293a24f281ff
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_u9mKI7oeo5CgVqBYlgRBXkAMTe00Zn+PjMv/davEeO38dfBPOP8b8nijJ48g8apy0ExytVfofKgMgrJ8zeUmxA==
    set-cookie: parking_session=0fc80eb6-dcd3-4c10-aacb-293a24f281ff; expires=Sat, 24 Feb 2024 22:30:32 GMT; path=/
  • flag-us
    DNS
    248.240.91.64.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    248.240.91.64.in-addr.arpa
    IN PTR
    Response
    248.240.91.64.in-addr.arpa
    IN PTR
    crocodile.parklogic.com
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    32.169.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    32.169.19.2.in-addr.arpa
    IN PTR
    Response
    32.169.19.2.in-addr.arpa
    IN PTR
    a2-19-169-32.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    201.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    201.179.17.96.in-addr.arpa
    IN PTR
    Response
    201.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-201.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    225.243.59.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.243.59.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    180.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.178.17.96.in-addr.arpa
    IN PTR
    Response
    180.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-180.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 64.91.240.248:443
    https://cutit.org/oxgBR
    tls, http
    a2d90e3a9711aff6f1cf60cbbad7c658.exe
    1.2kB
    3.9kB
    15
    10

    HTTP Request

    GET https://cutit.org/oxgBR

    HTTP Response

    302
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid=
    tls, http2
    2.0kB
    9.2kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=69c427cb3ee84c68b2f6cffcc71c932f&localId=w:9E2FC320-501F-D115-6095-800960314B25&deviceId=6755460777920422&anid=

    HTTP Response

    204
  • 199.59.243.225:80
    http://ww7.cutit.org/oxgBR?usid=25&utid=5570150198
    http
    a2d90e3a9711aff6f1cf60cbbad7c658.exe
    859 B
    2.6kB
    14
    6

    HTTP Request

    GET http://ww7.cutit.org/oxgBR?usid=25&utid=5570150198

    HTTP Response

    200
  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    cutit.org
    dns
    a2d90e3a9711aff6f1cf60cbbad7c658.exe
    55 B
    71 B
    1
    1

    DNS Request

    cutit.org

    DNS Response

    64.91.240.248

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    ww7.cutit.org
    dns
    a2d90e3a9711aff6f1cf60cbbad7c658.exe
    59 B
    104 B
    1
    1

    DNS Request

    ww7.cutit.org

    DNS Response

    199.59.243.225

  • 8.8.8.8:53
    248.240.91.64.in-addr.arpa
    dns
    72 B
    109 B
    1
    1

    DNS Request

    248.240.91.64.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    32.169.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    32.169.19.2.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    201.179.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    201.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    225.243.59.199.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    225.243.59.199.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    11.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a2d90e3a9711aff6f1cf60cbbad7c658.exe

    Filesize

    133KB

    MD5

    484db510cd86aedc577ae6a7c0e3e8db

    SHA1

    1b0a5db1dcc9a97cca9a8b296d6e01bdeebda7ee

    SHA256

    5ba08832f8a7566bb14bbc671314b2c2bea70c3d2e1e034d7f90db38cc776d67

    SHA512

    03a24a6e010284a402ed63b812608b6aea972f54accceae923779aacbcdbe2ad77f79bfe0faa1a267807f4cab112b705e549a76226d1873afb52dbec19dff316

  • memory/2324-14-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2324-16-0x00000000000D0000-0x00000000000F1000-memory.dmp

    Filesize

    132KB

  • memory/2324-33-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/3528-0-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/3528-1-0x00000000001C0000-0x00000000001E1000-memory.dmp

    Filesize

    132KB

  • memory/3528-2-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3528-15-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB