Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/03/2024, 16:39 UTC

General

  • Target

    b92afc8171c8cdc19c7820918c158aa5.exe

  • Size

    110KB

  • MD5

    b92afc8171c8cdc19c7820918c158aa5

  • SHA1

    368503d281c302c21781c848ddfb5b2c70b27f81

  • SHA256

    221e164123aa6502404587f485e867c8aff134cbea456e29ed49c6f58fbab396

  • SHA512

    7f954e21ba73896c7d904e8a65f922144feea739820624f8abe1f11e529d47f956c49fccd6cef6f528c63da594c2e2e5c0106f01a98cf8ce3fa0e064010ab303

  • SSDEEP

    3072:I9xKpyyf826+u06kM4C0wQNeoBPqvtokhAlgqMdoHbqamV1/GjFIy:PByd0w2ewqiMAOqOoH2jY

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b92afc8171c8cdc19c7820918c158aa5.exe
    "C:\Users\Admin\AppData\Local\Temp\b92afc8171c8cdc19c7820918c158aa5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ynz..bat" > nul 2> nul
      2⤵
      • Deletes itself
      PID:2944

Network

  •
    DNS
    vnexpress.net
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    vnexpress.net
    IN A
    Response
    vnexpress.net
    IN A
    111.65.250.2
  •
    DNS
    netlog.com
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    netlog.com
    IN A
    Response
    netlog.com
    IN A
    3.93.249.127
    netlog.com
    IN A
    3.213.72.21
    netlog.com
    IN A
    34.230.144.100
  •
    DNS
    netlog.com
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    netlog.com
    IN A
  •
    DNS
    netlog.com
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    netlog.com
    IN A
  •
    DNS
    netlog.com
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    netlog.com
    IN A
  •
    DNS
    homeway.com.cn
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    homeway.com.cn
    IN A
    Response
    homeway.com.cn
    IN A
    82.157.151.50
  •
    DNS
    instantloadflash.in
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    instantloadflash.in
    IN A
    Response
  •
    DNS
    adobejam.in
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    adobejam.in
    IN A
    Response
  •
    DNS
    adobejam.in
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    adobejam.in
    IN A
  •
    DNS
    clashjamwallop.in
    b92afc8171c8cdc19c7820918c158aa5.exe
    Remote address:
    8.8.8.8:53
    Request
    clashjamwallop.in
    IN A
    Response
  • 8.8.8.8:53
    vnexpress.net
    dns
    b92afc8171c8cdc19c7820918c158aa5.exe
    59 B
    75 B
    1
    1

    DNS Request

    vnexpress.net

    DNS Response

    111.65.250.2

  • 8.8.8.8:53
    netlog.com
    dns
    b92afc8171c8cdc19c7820918c158aa5.exe
    224 B
    104 B
    4
    1

    DNS Request

    netlog.com

    DNS Request

    netlog.com

    DNS Request

    netlog.com

    DNS Request

    netlog.com

    DNS Response

    3.93.249.127
    3.213.72.21
    34.230.144.100

  • 8.8.8.8:53
    homeway.com.cn
    dns
    b92afc8171c8cdc19c7820918c158aa5.exe
    60 B
    76 B
    1
    1

    DNS Request

    homeway.com.cn

    DNS Response

    82.157.151.50

  • 8.8.8.8:53
    instantloadflash.in
    dns
    b92afc8171c8cdc19c7820918c158aa5.exe
    65 B
    118 B
    1
    1

    DNS Request

    instantloadflash.in

  • 8.8.8.8:53
    adobejam.in
    dns
    b92afc8171c8cdc19c7820918c158aa5.exe
    114 B
    110 B
    2
    1

    DNS Request

    adobejam.in

    DNS Request

    adobejam.in

  • 8.8.8.8:53
    clashjamwallop.in
    dns
    b92afc8171c8cdc19c7820918c158aa5.exe
    63 B
    116 B
    1
    1

    DNS Request

    clashjamwallop.in

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Ynz..bat

    Filesize

    210B

    MD5

    82320a4e408bcafdecc4631b434ce85d

    SHA1

    da8862ded6e2dceea49c3eb36904cb785d61339d

    SHA256

    cbef9c81d9f1ce6a873f68c232c264e3e2158addf05f79acd6256c79c6fdcb0c

    SHA512

    43f2b94d01c8a34648bc9a0476bfa3650103f741c06330a04f5428590fcc0d672be5240171f15f50dcaab8f0333af26224fb9674c41cc69fc9e16c5bbe07068e

  • memory/2892-2-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2892-1-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2892-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2892-3-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2892-5-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB
