Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

7604093da0...74.exe

windows7-x64

9

7604093da0...74.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2024, 20:38 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7604093da0828998bd7382321a68ab12f348b93543113e48c1b36d9304a1b574.exe

  • Size

    562KB

  • MD5

    01c56a088665a63d15824c83e5f0aa54

  • SHA1

    7043feaaf306a0dc30f3348fa3f2ac8b7674629b

  • SHA256

    7604093da0828998bd7382321a68ab12f348b93543113e48c1b36d9304a1b574

  • SHA512

    1bff46602e084274c53fb268e64076f65273e130c24a5c9aef608d0870c428559ab984241fc13d53d276bf9a61713eadd55690d62550ac4a9ec72d5230567220

  • SSDEEP

    12288:tEQoS9qhc5DcJ5Cj5Nb2wslDYwLRbmUmwwm5rqXSSl:t2c5gJ5MpTjQbnAmcXSSl

Score
9/10
persistencespywarestealerupx

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 17 IoCs
  • UPX dump on OEP (original entry point) 19 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7604093da0828998bd7382321a68ab12f348b93543113e48c1b36d9304a1b574.exe
    "C:\Users\Admin\AppData\Local\Temp\7604093da0828998bd7382321a68ab12f348b93543113e48c1b36d9304a1b574.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\7604093da0828998bd7382321a68ab12f348b93543113e48c1b36d9304a1b574.exe
      "C:\Users\Admin\AppData\Local\Temp\7604093da0828998bd7382321a68ab12f348b93543113e48c1b36d9304a1b574.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Local\Temp\7604093da0828998bd7382321a68ab12f348b93543113e48c1b36d9304a1b574.exe
        "C:\Users\Admin\AppData\Local\Temp\7604093da0828998bd7382321a68ab12f348b93543113e48c1b36d9304a1b574.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2572

Network

  • flag-us
    DNS
    80.53.128.133.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.53.128.133.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.249.111.67.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.249.111.67.in-addr.arpa
    IN PTR
    Response
    79.249.111.67.in-addr.arpa
    IN PTR
    wisedu
  • flag-us
    DNS
    79.249.111.67.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.249.111.67.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    138.22.211.41.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.22.211.41.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    118.102.160.55.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    118.102.160.55.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.46.210.202.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.46.210.202.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    80.151.163.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.151.163.173.in-addr.arpa
    IN PTR
    Response
    80.151.163.173.in-addr.arpa
    IN PTR
    173-163-151-80-cpennsylvania2hfccomcastbusinessnet
  • flag-us
    DNS
    51.233.191.49.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    51.233.191.49.in-addr.arpa
    IN PTR
    Response
    51.233.191.49.in-addr.arpa
    IN PTR
    n49-191-233-51mrk1qldoptusnetcomau
  • flag-us
    DNS
    21.153.67.143.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.153.67.143.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.70.130.98.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.70.130.98.in-addr.arpa
    IN PTR
    Response
    237.70.130.98.in-addr.arpa
    IN PTR
    ec2-98-130-70-237 ap-south-2compute amazonawscom
  • flag-us
    DNS
    5.3.223.68.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.3.223.68.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    24.251.3.230.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.251.3.230.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    90.220.34.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.220.34.45.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.185.102.246.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.185.102.246.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    112.91.93.79.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    112.91.93.79.in-addr.arpa
    IN PTR
    Response
    112.91.93.79.in-addr.arpa
    IN PTR
    112919379revsfrnet
  • flag-us
    DNS
    112.91.93.79.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    112.91.93.79.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    209.162.96.111.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.162.96.111.in-addr.arpa
    IN PTR
    Response
    209.162.96.111.in-addr.arpa
    IN PTR
    KD111096162209ppp-bbdionnejp
  • flag-us
    DNS
    86.155.37.230.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.155.37.230.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    164.24.168.54.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    164.24.168.54.in-addr.arpa
    IN PTR
    Response
    164.24.168.54.in-addr.arpa
    IN PTR
    ec2-54-168-24-164ap-northeast-1compute amazonawscom
  • flag-us
    DNS
    42.143.9.114.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    42.143.9.114.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    32.116.183.59.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    32.116.183.59.in-addr.arpa
    IN PTR
    Response
    32.116.183.59.in-addr.arpa
    IN PTR
    triband-mum-5918311632mtnlnetin
  • flag-us
    DNS
    32.116.183.59.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    32.116.183.59.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    55.180.158.214.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.180.158.214.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.118.74.60.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.118.74.60.in-addr.arpa
    IN PTR
    Response
    8.118.74.60.in-addr.arpa
    IN PTR
    softbank060074118008bbtecnet
  • flag-us
    DNS
    215.62.28.222.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    215.62.28.222.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    159.161.225.89.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    159.161.225.89.in-addr.arpa
    IN PTR
    Response
    159.161.225.89.in-addr.arpa
    IN PTR
    15916122589revsfrnet
  • flag-us
    DNS
    72.70.16.226.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.70.16.226.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    125.4.234.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    125.4.234.45.in-addr.arpa
    IN PTR
    Response
    125.4.234.45.in-addr.arpa
    IN PTR
    45-234-4-125dynprovedorfibernetcombr
  • flag-us
    DNS
    39.119.38.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    39.119.38.96.in-addr.arpa
    IN PTR
    Response
    39.119.38.96.in-addr.arpa
    IN PTR
    096-038-119-039resspectrumcom
  • flag-us
    DNS
    172.9.80.194.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.9.80.194.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.9.80.194.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.9.80.194.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    121.117.253.216.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    121.117.253.216.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    80.53.128.133.in-addr.arpa
    dns
    72 B
     121 B
     1
    1

    DNS Request

    80.53.128.133.in-addr.arpa

  • 8.8.8.8:53
    79.249.111.67.in-addr.arpa
    dns
    144 B
     93 B
     2
    1

    DNS Request

    79.249.111.67.in-addr.arpa

    DNS Request

    79.249.111.67.in-addr.arpa

  • 8.8.8.8:53
    138.22.211.41.in-addr.arpa
    dns
    72 B
     133 B
     1
    1

    DNS Request

    138.22.211.41.in-addr.arpa

  • 8.8.8.8:53
    118.102.160.55.in-addr.arpa
    dns
    73 B
     148 B
     1
    1

    DNS Request

    118.102.160.55.in-addr.arpa

  • 8.8.8.8:53
    154.46.210.202.in-addr.arpa
    dns
    73 B
     122 B
     1
    1

    DNS Request

    154.46.210.202.in-addr.arpa

  • 8.8.8.8:53
    80.151.163.173.in-addr.arpa
    dns
    73 B
     140 B
     1
    1

    DNS Request

    80.151.163.173.in-addr.arpa

  • 8.8.8.8:53
    51.233.191.49.in-addr.arpa
    dns
    72 B
     125 B
     1
    1

    DNS Request

    51.233.191.49.in-addr.arpa

  • 8.8.8.8:53
    21.153.67.143.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    21.153.67.143.in-addr.arpa

  • 8.8.8.8:53
    237.70.130.98.in-addr.arpa
    dns
    72 B
     136 B
     1
    1

    DNS Request

    237.70.130.98.in-addr.arpa

  • 8.8.8.8:53
    5.3.223.68.in-addr.arpa
    dns
    69 B
     69 B
     1
    1

    DNS Request

    5.3.223.68.in-addr.arpa

  • 8.8.8.8:53
    24.251.3.230.in-addr.arpa
    dns
    71 B
     128 B
     1
    1

    DNS Request

    24.251.3.230.in-addr.arpa

  • 8.8.8.8:53
    90.220.34.45.in-addr.arpa
    dns
    71 B
     71 B
     1
    1

    DNS Request

    90.220.34.45.in-addr.arpa

  • 8.8.8.8:53
    171.185.102.246.in-addr.arpa
    dns
    74 B
     142 B
     1
    1

    DNS Request

    171.185.102.246.in-addr.arpa

  • 8.8.8.8:53
    112.91.93.79.in-addr.arpa
    dns
    142 B
     109 B
     2
    1

    DNS Request

    112.91.93.79.in-addr.arpa

    DNS Request

    112.91.93.79.in-addr.arpa

  • 8.8.8.8:53
    209.162.96.111.in-addr.arpa
    dns
    73 B
     119 B
     1
    1

    DNS Request

    209.162.96.111.in-addr.arpa

  • 8.8.8.8:53
    86.155.37.230.in-addr.arpa
    dns
    72 B
     129 B
     1
    1

    DNS Request

    86.155.37.230.in-addr.arpa

  • 8.8.8.8:53
    164.24.168.54.in-addr.arpa
    dns
    72 B
     140 B
     1
    1

    DNS Request

    164.24.168.54.in-addr.arpa

  • 8.8.8.8:53
    42.143.9.114.in-addr.arpa
    dns
    71 B
     71 B
     1
    1

    DNS Request

    42.143.9.114.in-addr.arpa

  • 8.8.8.8:53
    32.116.183.59.in-addr.arpa
    dns
    144 B
     123 B
     2
    1

    DNS Request

    32.116.183.59.in-addr.arpa

    DNS Request

    32.116.183.59.in-addr.arpa

  • 8.8.8.8:53
    55.180.158.214.in-addr.arpa
    dns
    73 B
     168 B
     1
    1

    DNS Request

    55.180.158.214.in-addr.arpa

  • 8.8.8.8:53
    8.118.74.60.in-addr.arpa
    dns
    70 B
     114 B
     1
    1

    DNS Request

    8.118.74.60.in-addr.arpa

  • 8.8.8.8:53
    215.62.28.222.in-addr.arpa
    dns
    72 B
     133 B
     1
    1

    DNS Request

    215.62.28.222.in-addr.arpa

  • 8.8.8.8:53
    159.161.225.89.in-addr.arpa
    dns
    73 B
     113 B
     1
    1

    DNS Request

    159.161.225.89.in-addr.arpa

  • 8.8.8.8:53
    72.70.16.226.in-addr.arpa
    dns
    71 B
     128 B
     1
    1

    DNS Request

    72.70.16.226.in-addr.arpa

  • 8.8.8.8:53
    125.4.234.45.in-addr.arpa
    dns
    71 B
     125 B
     1
    1

    DNS Request

    125.4.234.45.in-addr.arpa

  • 8.8.8.8:53
    39.119.38.96.in-addr.arpa
    dns
    71 B
     117 B
     1
    1

    DNS Request

    39.119.38.96.in-addr.arpa

  • 8.8.8.8:53
    172.9.80.194.in-addr.arpa
    dns
    142 B
     128 B
     2
    1

    DNS Request

    172.9.80.194.in-addr.arpa

    DNS Request

    172.9.80.194.in-addr.arpa

  • 8.8.8.8:53
    121.117.253.216.in-addr.arpa
    dns
    74 B
     142 B
     1
    1

    DNS Request

    121.117.253.216.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\german hardcore fucking big shower .mpeg.exe
    Filesize

    1.3MB

    MD5

    72921ff6517d669c341b05ff0813f97b

    SHA1

    fc333b1912658838c1d6cfe73ac86856235c5ef1

    SHA256

    abc4ccde654940189911c35dac5db30c54b9fd88397db5d28bddf86561201b04

    SHA512

    497f2a750c44fb6c90d610678b5fd97a34934bbe519c9a902f425b399ad59044a31ac19225d0c74ff402cedbb44dc3aa351decc94ae7a02c5c27dd7e5c2bcc14

    Download Submit

  • memory/1204-127-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-133-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-145-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-142-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-139-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-93-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-136-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-106-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-109-0x0000000004AF0000-0x0000000004B0D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-110-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-66-0x0000000004AF0000-0x0000000004B0D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-116-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-113-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-124-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-0-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-130-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1204-121-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2568-90-0x0000000004E10000-0x0000000004E2D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2568-67-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2572-105-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2572-91-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.