Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    10/03/2024, 01:07 UTC

General

  • Target

    bd42f0b2aee960d31fe15f51a2643a88.exe

  • Size

    5.1MB

  • MD5

    bd42f0b2aee960d31fe15f51a2643a88

  • SHA1

    3729756c54031689d24c41c1497e05846566b252

  • SHA256

    8ce2739993c6e4e6630640b747d4ed819da9708d8ca2d3d232945e1482764304

  • SHA512

    5252a46e1c780016b9b464e5bef727b9f6f9638da79cc4a84686010fc6406bdf85b1de0bc6d62b3bf34308b49be1e0b697098a81a4e477e9a13f7f95f9d33285

  • SSDEEP

    49152:bhVHQT/Yd5WSHN8lxnTVy3yXBLHdez+7rxdbm2pQW9Cay3zgkUNCgdutXXRg6FZz:FVqkNKnzBLHTxeR3znSchG+3

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd42f0b2aee960d31fe15f51a2643a88.exe
    "C:\Users\Admin\AppData\Local\Temp\bd42f0b2aee960d31fe15f51a2643a88.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Users\Admin\AppData\Local\Temp\bd42f0b2aee960d31fe15f51a2643a88.exe
      C:\Users\Admin\AppData\Local\Temp\bd42f0b2aee960d31fe15f51a2643a88.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:2528

Network

  • flag-us
    DNS
    cutit.org
    bd42f0b2aee960d31fe15f51a2643a88.exe
    Remote address:
    8.8.8.8:53
    Request
    cutit.org
    IN A
    Response
    cutit.org
    IN A
    64.91.240.248
  • flag-us
    DNS
    ww7.cutit.org
    bd42f0b2aee960d31fe15f51a2643a88.exe
    Remote address:
    8.8.8.8:53
    Request
    ww7.cutit.org
    IN A
    Response
    ww7.cutit.org
    IN CNAME
    78626.bodis.com
    78626.bodis.com
    IN A
    199.59.243.225
  • flag-us
    GET
    http://ww7.cutit.org/oxgBR?usid=25&utid=5859220521
    bd42f0b2aee960d31fe15f51a2643a88.exe
    Remote address:
    199.59.243.225:80
    Request
    GET /oxgBR?usid=25&utid=5859220521 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: ww7.cutit.org
    Response
    HTTP/1.1 200 OK
    date: Sun, 10 Mar 2024 01:07:16 GMT
    content-type: text/html; charset=utf-8
    content-length: 1126
    x-request-id: 7ac12148-0092-4d4c-b1dc-4bb2af0455ee
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JvUmH57P8FmJrNSG4gOkDqlEhjqvfer3x67HlXV1Y/U76bxFp8D/NEJLP0LsJx/zCFld9iRTsR2X/EY8cvJUFQ==
    set-cookie: parking_session=7ac12148-0092-4d4c-b1dc-4bb2af0455ee; expires=Sun, 10 Mar 2024 01:22:16 GMT; path=/
  • 64.91.240.248:443
    cutit.org
    tls
    bd42f0b2aee960d31fe15f51a2643a88.exe
    1.3kB
    3.4kB
    12
    9
  • 199.59.243.225:80
    http://ww7.cutit.org/oxgBR?usid=25&utid=5859220521
    http
    bd42f0b2aee960d31fe15f51a2643a88.exe
    813 B
    2.6kB
    13
    6

    HTTP Request

    GET http://ww7.cutit.org/oxgBR?usid=25&utid=5859220521

    HTTP Response

    200
  • 8.8.8.8:53
    cutit.org
    dns
    bd42f0b2aee960d31fe15f51a2643a88.exe
    55 B
    71 B
    1
    1

    DNS Request

    cutit.org

    DNS Response

    64.91.240.248

  • 8.8.8.8:53
    ww7.cutit.org
    dns
    bd42f0b2aee960d31fe15f51a2643a88.exe
    59 B
    104 B
    1
    1

    DNS Request

    ww7.cutit.org

    DNS Response

    199.59.243.225

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bd42f0b2aee960d31fe15f51a2643a88.exe

    Filesize

    1.5MB

    MD5

    38ecfc9f5fa511da00ae2738159542c7

    SHA1

    32a7dfba0e8c88fd3f8b261273ff92033af05122

    SHA256

    368a603352291121fcbf414a6baf5c0cb067b1c4889b0828a441ea6ffec2f6f1

    SHA512

    edd677e3e69b0dfff05d40d4e73aef0c7156e9edd100d7b3bfa9299cd50375c9702670641773d16ef6acbec542c4bd5e9886bd753946b630020e33b93ab2245e

  • \Users\Admin\AppData\Local\Temp\bd42f0b2aee960d31fe15f51a2643a88.exe

    Filesize

    1.9MB

    MD5

    e11149a06bf093fe006690131416d7c5

    SHA1

    6d3a707745ea505d10bf52eae903d4a38fda8054

    SHA256

    169b619b7f53165d79fcf8037abe27658a380ece453b07ae06b6fc8a310df767

    SHA512

    1f2da2b12202bb63879454f2e60f3881fb06e7daede5f3261d8f3feefb8d8634d625709b9f67b1e2b51a0d3e5868161acb519f63de57207b691bd83c3e5f9a8f

  • memory/1548-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

  • memory/1548-0-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

  • memory/1548-3-0x0000000001FA0000-0x00000000021FA000-memory.dmp

    Filesize

    2.4MB

  • memory/1548-14-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

  • memory/1548-16-0x0000000004060000-0x00000000049FE000-memory.dmp

    Filesize

    9.6MB

  • memory/1548-43-0x0000000004060000-0x00000000049FE000-memory.dmp

    Filesize

    9.6MB

  • memory/2528-17-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

  • memory/2528-19-0x0000000002260000-0x00000000024BA000-memory.dmp

    Filesize

    2.4MB

  • memory/2528-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB
