Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/02/2024, 10:12 UTC

General

  • Target

    a19c810cba7ec2b9e8baec67d51c966f.exe

  • Size

    1.5MB

  • MD5

    a19c810cba7ec2b9e8baec67d51c966f

  • SHA1

    b56908e8767f724cfcf38da7c1ed34629b14e0aa

  • SHA256

    d034d9e96963ae874b6a50629e9f5b28046bb2d52648f2f0e8cb35d1a279f86b

  • SHA512

    78a68d0b342c25b427471a7ef52a99a674d28d95fa5bcada8a3a0b3f4c73cbd511ffff4ee46f81914df48e7d76ccb8795473a1ff30aad6864fa4e92766f978e1

  • SSDEEP

    24576:EQncqg30A7vJC8RRGy30dmRp47wp0MxJMIQCQ5tPB0d2vehxCiyW:EsctnJC4RGy30d4p0kKCQtPB0damq

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
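
The UPX signature above keys on the section names and the "UPX!" marker the stock packer leaves behind; a "modified UPX" build commonly renames the sections and strips the marker, so the checks that survive are the structural ones: a first section that is empty on disk but large in memory (the unpacker fills it at run time) and a second section whose raw bytes are near-random. The following is an added example, not tria.ge's signature code; the PE images it scans are constructed in the block (the 0x4EF000 virtual size mirrors the 4.9MB region in this report's memory dumps, the section layout is assumed):

```python
"""Static UPX indicators for a PE file: section names, the "UPX!" marker, the
empty-on-disk UPX0 pattern and a high-entropy packed section.
Added example; not tria.ge's detection logic."""
import hashlib
import math
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, trailer=b""):
    """Constructed minimal PE32 image: DOS stub, PE signature, COFF header,
    optional header, section headers, then each section's raw bytes.
    `sections` is a list of (name, virtual_size, raw_bytes)."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    hdrs, body, raw_ptr, vaddr = b"", b"", hdr_end, 0x1000
    for name, vsize, raw in sections:
        hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\x00"), vsize, vaddr, len(raw),
                            raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000020)
        body += raw
        raw_ptr += len(raw)
        vaddr += (max(vsize, 1) + 0xFFF) & ~0xFFF
    return dos + b"PE\x00\x00" + coff + opt + hdrs + body + trailer


def pe_sections(data):
    """Parse the section table; raises ValueError on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    first = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, first + 40 * i)
        name, vsize, rawsize, rawptr = f[0].rstrip(b"\x00").decode("latin-1"), f[1], f[3], f[4]
        out.append({"name": name, "vsize": vsize, "rawsize": rawsize,
                    "raw": data[rawptr:rawptr + rawsize] if rawsize else b""})
    return out


def entropy(buf):
    """Shannon entropy in bits per byte; packed/encrypted data sits near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data):
    """Return the list of UPX indicators found; an empty list means none."""
    hits = []
    for s in pe_sections(data):
        if s["name"].startswith("UPX"):
            hits.append("section name %s" % s["name"])
        if s["rawsize"] == 0 and s["vsize"] >= 0x10000:
            hits.append("section %s is empty on disk but %#x bytes in memory" % (s["name"], s["vsize"]))
        if s["rawsize"] >= 256 and entropy(s["raw"]) > 7.0:
            hits.append("section %s has entropy %.2f" % (s["name"], entropy(s["raw"])))
    if b"UPX!" in data:
        hits.append("UPX! marker")
    return hits


def pseudo_random(n, seed=b"upx-demo"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, cur = b"", seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return out[:n]


# Constructed samples: stock UPX layout, a renamed-sections variant, and an unpacked file
PACKED = build_pe([(b"UPX0", 0x4EF000, b""), (b"UPX1", 0x22A000, pseudo_random(2048)),
                   (b".rsrc", 0x1000, b"\x00" * 512)], trailer=b"UPX!")
RENAMED = build_pe([(b".text", 0x4EF000, b""), (b".data", 0x22A000, pseudo_random(2048))])
PLAIN = build_pe([(b".text", 0x1000, b"\x90" * 512), (b".data", 0x100, b"A" * 256)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, upx_indicators(image))
```

The renamed variant still produces two hits (empty-on-disk first section, high-entropy second section), which is the behaviour a practitioner wants from a "modified UPX" rule; the name and marker checks alone would miss it.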

Processes

  • C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe
    "C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe
      C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2936
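
The tree above is the classic self-hollowing shape: the parent (PID 1864) launches a second copy of its own image (PID 2936), writes into it and unmaps its main image, and the child then deletes the original file. The following is an added example of scoring that pattern over endpoint telemetry; it is not the sandbox's signature logic, the events are constructed to mirror this process tree, and the API and field names (NtCreateUserProcess with CREATE_SUSPENDED, target_pid, size, path) are assumptions about what an EDR or Sysmon-style feed would provide:

```python
"""Process-hollowing heuristic over constructed process and API-call records.
Added example; event shape is assumed, not the sandbox's own format."""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe"

# Constructed process-creation records: pid -> (ppid, image path)
PROCS = {
    1864: (900, SAMPLE),
    2936: (1864, SAMPLE),
    3100: (900, r"C:\Windows\System32\notepad.exe"),   # benign control
}

# Constructed API-call records: (caller pid, api, arguments)
CALLS = [
    (1864, "NtCreateUserProcess", {"child_pid": 2936, "flags": "CREATE_SUSPENDED"}),
    (1864, "NtUnmapViewOfSection", {"target_pid": 2936}),
    (1864, "WriteProcessMemory", {"target_pid": 2936, "size": 0x22A000}),
    (1864, "WriteProcessMemory", {"target_pid": 2936, "size": 0x1000}),
    (1864, "NtResumeThread", {"target_pid": 2936}),
    (2936, "DeleteFileW", {"path": SAMPLE}),
    (3100, "WriteProcessMemory", {"target_pid": 3100, "size": 16}),  # self-write, ignored
]

UNMAP_APIS = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}


def hollowing_candidates(procs, calls, min_score=3):
    """Score every (parent, child) pair on the hollowing pattern and return the
    pairs at or above min_score, highest score first."""
    by_pair = defaultdict(list)
    for caller, api, args in calls:
        target = args.get("target_pid", args.get("child_pid"))
        if target is not None and target != caller and target in procs:
            by_pair[(caller, target)].append((api, args))
    deleted = {(pid, args["path"]) for pid, api, args in calls if api == "DeleteFileW"}
    results = []
    for (parent, child), apis in by_pair.items():
        reasons = []
        names = [a for a, _ in apis]
        if procs[child][0] == parent and procs[child][1] == procs[parent][1]:
            reasons.append("child runs the same image as its parent")
        if any("CREATE_SUSPENDED" in str(a.get("flags", "")) for _, a in apis):
            reasons.append("child was created suspended")
        if UNMAP_APIS & set(names):
            reasons.append("parent unmapped a section in the child")
        wpm = sum(a.get("size", 0) for n, a in apis if n == "WriteProcessMemory")
        if wpm:
            reasons.append("parent wrote %#x bytes into the child" % wpm)
        if (child, procs[child][1]) in deleted:
            reasons.append("child deleted its own image file")
        if len(reasons) >= min_score:
            results.append({"parent": parent, "child": child,
                            "score": len(reasons), "reasons": reasons})
    return sorted(results, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in hollowing_candidates(PROCS, CALLS):
        print("%d -> %d (score %d)" % (r["parent"], r["child"], r["score"]))
        for reason in r["reasons"]:
            print("   ", reason)
```

Each reason maps to one of the report's labels (Executes dropped EXE / same image, Suspicious use of UnmapMainImage, Suspicious use of WriteProcessMemory, Deletes itself); requiring several of them together is what keeps a legitimate debugger or installer, which may satisfy one, from tripping the rule.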

Network

  • flag-us
    DNS
    zipansion.com
    a19c810cba7ec2b9e8baec67d51c966f.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    172.67.144.180
    zipansion.com
    IN A
    104.21.73.114
  • flag-us
    GET
    http://zipansion.com/2pRLi
    a19c810cba7ec2b9e8baec67d51c966f.exe
    Remote address:
    172.67.144.180:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 24 Feb 2024 10:12:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=4rgma0vslbpn9f05totr0172ko; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-36721YJAU/2pRLi?rndad=1502943035-1708769574
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KPULJXMRxtMyIFKg%2B51TlPrqkn1izgXz4EtW4rWUIUt%2Fe9kfLGhmWHEzKnGNP%2BYj%2FGTEphy5LfitJVFuHqU8Y%2FlM3FRtevRzVLUiUp55sPYZ2qfXhRWuBtSUawvR3m2c"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 85a6eecd0a1f6518-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    yxeepsek.net
    a19c810cba7ec2b9e8baec67d51c966f.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
    Response
    yxeepsek.net
    IN A
    172.67.194.101
    yxeepsek.net
    IN A
    104.21.20.204
  • flag-us
    GET
    http://yxeepsek.net/-36721YJAU/2pRLi?rndad=1502943035-1708769574
    a19c810cba7ec2b9e8baec67d51c966f.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /-36721YJAU/2pRLi?rndad=1502943035-1708769574 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Response
    HTTP/1.1 302 Found
    Date: Sat, 24 Feb 2024 10:12:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=9ue5rtb9o69uhf1bnhg263pent; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XhS4CR5e8ATPoENKcYWeTdFhcU2GJ8hQorkaUbJgscwmHgizLTn1RHAkX3qBqCIIPy5irv%2FVkJoKKY3A9xNpdyLnQrLl1mebRubuIOkLTRyaIn%2FUvsTAdhUvdQdOqLo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 85a6eecf49b94142-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    GET
    http://yxeepsek.net/suspended?a=3&u=20186239
    a19c810cba7ec2b9e8baec67d51c966f.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Cookie: FLYSESSID=9ue5rtb9o69uhf1bnhg263pent
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Feb 2024 10:12:54 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=y1Jq5EKpokuyaOtLdsHrVAbi50WYWBkJA5eJk161gTHZKBr5%2FX6zdJm5uG68ZP0oXprwlmmXoer%2BkV5eTsHAC6U88Sx%2FRmKWmdUon7dH8okDz6VSoCb%2FXME8IkJSZ2k%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 85a6eed0dbcc4142-LHR
    alt-svc: h2=":443"; ma=60
  • 172.67.144.180:80
    http://zipansion.com/2pRLi
    http
    a19c810cba7ec2b9e8baec67d51c966f.exe
    437 B
    1.1kB
    6
    4

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    301
  • 172.67.194.101:80
    http://yxeepsek.net/suspended?a=3&u=20186239
    http
    a19c810cba7ec2b9e8baec67d51c966f.exe
    886 B
    3.2kB
    9
    9

    HTTP Request

    GET http://yxeepsek.net/-36721YJAU/2pRLi?rndad=1502943035-1708769574

    HTTP Response

    302

    HTTP Request

    GET http://yxeepsek.net/suspended?a=3&u=20186239

    HTTP Response

    200
  • 8.8.8.8:53
    zipansion.com
    dns
    a19c810cba7ec2b9e8baec67d51c966f.exe
    59 B
    91 B
    1
    1

    DNS Request

    zipansion.com

    DNS Response

    172.67.144.180
    104.21.73.114

  • 8.8.8.8:53
    yxeepsek.net
    dns
    a19c810cba7ec2b9e8baec67d51c966f.exe
    58 B
    90 B
    1
    1

    DNS Request

    yxeepsek.net

    DNS Response

    172.67.194.101
    104.21.20.204

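The chain above is a URL-shortener download stage that failed: zipansion.com answers 301 to an adfly-backed host, which answers 302 with a relative Location to /suspended, and the sample receives a suspension page (200, text/html, last-modified 2020) instead of a payload. Note also that the second field of the rndad= parameter (1708769574) is the Unix time of the response Date header, 2024-02-24 10:12:54 UTC. The following is an added example of walking such a chain from captured responses; it is not tria.ge's code, and the responses are constructed from the status lines, Location and Set-Cookie headers shown in this report with every other header dropped:

```python
"""Resolve a captured HTTP redirect chain and the per-host cookies each hop set.
Added example; the responses are constructed from this report's headers."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed responses keyed by request URL (trimmed to the headers that matter here)
RESPONSES = {
    "http://zipansion.com/2pRLi":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "set-cookie: FLYSESSID=4rgma0vslbpn9f05totr0172ko; path=/; HttpOnly; SameSite=Lax\r\n"
        "location: http://yxeepsek.net/-36721YJAU/2pRLi?rndad=1502943035-1708769574\r\n\r\n",
    "http://yxeepsek.net/-36721YJAU/2pRLi?rndad=1502943035-1708769574":
        "HTTP/1.1 302 Found\r\n"
        "set-cookie: FLYSESSID=9ue5rtb9o69uhf1bnhg263pent; path=/; HttpOnly; SameSite=Lax\r\n"
        "location: /suspended?a=3&u=20186239\r\n\r\n",
    "http://yxeepsek.net/suspended?a=3&u=20186239":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>suspended</html>",
}

REDIRECTS = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = [(k.strip().lower(), v.strip())
               for k, _, v in (ln.partition(":") for ln in lines[1:])]
    return status, headers, body


def follow_chain(start, responses, max_hops=10):
    """Walk Location headers from `start`, resolving relative ones against the
    current URL. Returns ([(url, status)], {host: {cookie: value}}); raises if the
    chain exceeds max_hops, which is how a redirect loop surfaces."""
    url, hops, jar = start, [], {}
    for _ in range(max_hops + 1):
        status, headers, _ = parse_response(responses[url])
        host = urlsplit(url).hostname
        for k, v in headers:
            if k == "set-cookie":   # cookies are scoped per host, as a client would
                name, _, val = v.split(";", 1)[0].partition("=")
                jar.setdefault(host, {})[name.strip()] = val.strip()
        hops.append((url, status))
        location = next((v for k, v in headers if k == "location"), None)
        if status not in REDIRECTS or location is None:
            return hops, jar
        url = urljoin(url, location)
    raise RuntimeError("more than %d redirects from %s" % (max_hops, start))


def rndad_time(url):
    """Second field of the rndad= parameter as a UTC datetime; in this capture it
    equals the response Date header, so the shortener stamps the request time."""
    rndad = parse_qs(urlsplit(url).query)["rndad"][0]
    return datetime.fromtimestamp(int(rndad.split("-")[1]), tz=timezone.utc)


if __name__ == "__main__":
    hops, jar = follow_chain("http://zipansion.com/2pRLi", RESPONSES)
    for url, status in hops:
        print(status, url)
    print(jar)
    print(rndad_time(hops[1][0]).isoformat())
```

The per-host cookie jar reproduces what the capture shows: the third request carries only the FLYSESSID that yxeepsek.net set, not the one from zipansion.com. For triage, the useful outcome is that the final hop is a shortener suspension page rather than a second stage, so the dropped file in the Downloads section below cannot have come from this chain.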
MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe

    Filesize

    1.5MB

    MD5

    f7a17cc595d89b4e0b9779db4b88d388

    SHA1

    3e8dbaa31e0d906c8dd8e6289e47f6571329d4d6

    SHA256

    259e121420e36922b0e333134f149ca767785a72648babd8e9845bda8087beb0

    SHA512

    de2ef5d7172b9c66028826b772fd289841e5eb873050e4ba319133723dfeaf630f818445650d4b31aeb2905c1025bd60260610b6e2a9e2a3d7fa3eef2fbea992

  • \Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe

    Filesize

    64KB

    MD5

    a80b03f03d830d47c656e1f2660ad2d5

    SHA1

    ed3ede4d7a8fba671e3770b64acde3137cd6b7bc

    SHA256

    901e6939eee8a08f724d5f412657ae8c13804f4266ec4100998dcc1876651cbb

    SHA512

    1fe985f52a1ee1d9161f7da23f9a40171496e3e77eaad9594ec9c6ff17b9c5c94a10d36fc900cd3606d67fd5e4757fc61cd9dd2eb5c40adfee097c8848da194d

  • memory/1864-2-0x00000000002B0000-0x00000000003E3000-memory.dmp

    Filesize

    1.2MB

  • memory/1864-0-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/1864-14-0x0000000003640000-0x0000000003B2F000-memory.dmp

    Filesize

    4.9MB

  • memory/1864-18-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/1864-1-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2936-17-0x0000000001B20000-0x0000000001C53000-memory.dmp

    Filesize

    1.2MB

  • memory/2936-21-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/2936-16-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2936-24-0x0000000000400000-0x000000000061D000-memory.dmp

    Filesize

    2.1MB

  • memory/2936-25-0x0000000003410000-0x000000000363A000-memory.dmp

    Filesize

    2.2MB

  • memory/2936-32-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB