Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2024, 10:12 UTC
Behavioral task: behavioral1
Sample: a19c810cba7ec2b9e8baec67d51c966f.exe
Resource: win7-20240221-en
-
Behavioral task: behavioral2
Sample: a19c810cba7ec2b9e8baec67d51c966f.exe
Resource: win10v2004-20240221-en
General
Target: a19c810cba7ec2b9e8baec67d51c966f.exe
Size: 1.5MB
MD5: a19c810cba7ec2b9e8baec67d51c966f
SHA1: b56908e8767f724cfcf38da7c1ed34629b14e0aa
SHA256: d034d9e96963ae874b6a50629e9f5b28046bb2d52648f2f0e8cb35d1a279f86b
SHA512: 78a68d0b342c25b427471a7ef52a99a674d28d95fa5bcada8a3a0b3f4c73cbd511ffff4ee46f81914df48e7d76ccb8795473a1ff30aad6864fa4e92766f978e1
SSDEEP: 24576:EQncqg30A7vJC8RRGy30dmRp47wp0MxJMIQCQ5tPB0d2vehxCiyW:EsctnJC4RGy30d4p0kKCQtPB0damq
Malware Config
Signatures
-
Deletes itself (1 IoCs)
  pid   Process
  2936  a19c810cba7ec2b9e8baec67d51c966f.exe
-
Executes dropped EXE (1 IoCs)
  pid   Process
  2936  a19c810cba7ec2b9e8baec67d51c966f.exe
-
Loads dropped DLL (1 IoCs)
  pid   Process
  1864  a19c810cba7ec2b9e8baec67d51c966f.exe
-
yara_rule matches (rule: upx)
  resource                                                                      yara_rule
  behavioral1/memory/1864-0-0x0000000000400000-0x00000000008EF000-memory.dmp    upx
  behavioral1/files/0x000b00000001223a-10.dat                                   upx
  behavioral1/memory/1864-14-0x0000000003640000-0x0000000003B2F000-memory.dmp   upx
  behavioral1/files/0x000b00000001223a-15.dat                                   upx
-
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1864  a19c810cba7ec2b9e8baec67d51c966f.exe
-
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1864  a19c810cba7ec2b9e8baec67d51c966f.exe
  2936  a19c810cba7ec2b9e8baec67d51c966f.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 1864 wrote to memory of 2936   1864  a19c810cba7ec2b9e8baec67d51c966f.exe  28
  PID 1864 wrote to memory of 2936   1864  a19c810cba7ec2b9e8baec67d51c966f.exe  28
  PID 1864 wrote to memory of 2936   1864  a19c810cba7ec2b9e8baec67d51c966f.exe  28
  PID 1864 wrote to memory of 2936   1864  a19c810cba7ec2b9e8baec67d51c966f.exe  28
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe"
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID: 1864
-
Depth 2 (child of PID 1864): C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe
Command line: C:\Users\Admin\AppData\Local\Temp\a19c810cba7ec2b9e8baec67d51c966f.exe
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID: 2936
-
Network
-
Remote address: 8.8.8.8:53
Request: zipansion.com IN A
Response: zipansion.com IN A 172.67.144.180
          zipansion.com IN A 104.21.73.114
-
Remote address: 172.67.144.180:80
Request:
GET /2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: zipansion.com
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=4rgma0vslbpn9f05totr0172ko; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-36721YJAU/2pRLi?rndad=1502943035-1708769574
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KPULJXMRxtMyIFKg%2B51TlPrqkn1izgXz4EtW4rWUIUt%2Fe9kfLGhmWHEzKnGNP%2BYj%2FGTEphy5LfitJVFuHqU8Y%2FlM3FRtevRzVLUiUp55sPYZ2qfXhRWuBtSUawvR3m2c"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 85a6eecd0a1f6518-LHR
alt-svc: h2=":443"; ma=60
-
Remote address: 8.8.8.8:53
Request: yxeepsek.net IN A
Response: yxeepsek.net IN A 172.67.194.101
          yxeepsek.net IN A 104.21.20.204
-
GET http://yxeepsek.net/-36721YJAU/2pRLi?rndad=1502943035-1708769574 (process: a19c810cba7ec2b9e8baec67d51c966f.exe)
Remote address: 172.67.194.101:80
Request:
GET /-36721YJAU/2pRLi?rndad=1502943035-1708769574 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Response:
HTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=9ue5rtb9o69uhf1bnhg263pent; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XhS4CR5e8ATPoENKcYWeTdFhcU2GJ8hQorkaUbJgscwmHgizLTn1RHAkX3qBqCIIPy5irv%2FVkJoKKY3A9xNpdyLnQrLl1mebRubuIOkLTRyaIn%2FUvsTAdhUvdQdOqLo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 85a6eecf49b94142-LHR
alt-svc: h2=":443"; ma=60
-
Remote address: 172.67.194.101:80
Request:
GET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=9ue5rtb9o69uhf1bnhg263pent
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=y1Jq5EKpokuyaOtLdsHrVAbi50WYWBkJA5eJk161gTHZKBr5%2FX6zdJm5uG68ZP0oXprwlmmXoer%2BkV5eTsHAC6U88Sx%2FRmKWmdUon7dH8okDz6VSoCb%2FXME8IkJSZ2k%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 85a6eed0dbcc4142-LHR
alt-svc: h2=":443"; ma=60
-
437 B  1.1kB  6  4
  HTTP Request:  GET http://zipansion.com/2pRLi
  HTTP Response: 301
-
172.67.194.101:80  http://yxeepsek.net/suspended?a=3&u=20186239  http  a19c810cba7ec2b9e8baec67d51c966f.exe  886 B  3.2kB  9  9
  HTTP Request:  GET http://yxeepsek.net/-36721YJAU/2pRLi?rndad=1502943035-1708769574
  HTTP Response: 302
  HTTP Request:  GET http://yxeepsek.net/suspended?a=3&u=20186239
  HTTP Response: 200
MITRE ATT&CK Matrix
Downloads
-
Filesize: 1.5MB
MD5: f7a17cc595d89b4e0b9779db4b88d388
SHA1: 3e8dbaa31e0d906c8dd8e6289e47f6571329d4d6
SHA256: 259e121420e36922b0e333134f149ca767785a72648babd8e9845bda8087beb0
SHA512: de2ef5d7172b9c66028826b772fd289841e5eb873050e4ba319133723dfeaf630f818445650d4b31aeb2905c1025bd60260610b6e2a9e2a3d7fa3eef2fbea992
-
Filesize: 64KB
MD5: a80b03f03d830d47c656e1f2660ad2d5
SHA1: ed3ede4d7a8fba671e3770b64acde3137cd6b7bc
SHA256: 901e6939eee8a08f724d5f412657ae8c13804f4266ec4100998dcc1876651cbb
SHA512: 1fe985f52a1ee1d9161f7da23f9a40171496e3e77eaad9594ec9c6ff17b9c5c94a10d36fc900cd3606d67fd5e4757fc61cd9dd2eb5c40adfee097c8848da194d