
Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/03/2024, 10:27 UTC

General

  • Target

    c863e36cb0270c9cec1fea46ae6fe0bc.exe

  • Size

    385KB

  • MD5

    c863e36cb0270c9cec1fea46ae6fe0bc

  • SHA1

    7f080700719a8bf56b250875c8153fdec9559d70

  • SHA256

    0efe7336e61c0e3fef4f3ec8987700b87444891809a23d714a7f17bf4496ed3f

  • SHA512

    20ef6e28519f55112c64457f1d119a3ce0d1e7ad4a72532d30c4625f6ef58f7ade26594e7d71de4d2f7dd2a1211f2a8c747fdf27d674829fa21c30340259a4bd

  • SSDEEP

    12288:z3eGjWPefe67m2Fx7YtVDUjYml1Kwrc+FHn9rJB:z39Kefe67Fx74wUmltrZ9tB

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe
    "C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe
      C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:2544

Network

  • flag-us
    DNS
    pastebin.com
    c863e36cb0270c9cec1fea46ae6fe0bc.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.67.143
    pastebin.com
    IN A
    172.67.34.170
    pastebin.com
    IN A
    104.20.68.143
  • flag-us
    GET
    https://pastebin.com/raw/ubFNTPjt
    c863e36cb0270c9cec1fea46ae6fe0bc.exe
    Remote address:
    104.20.67.143:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 14 Mar 2024 10:27:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 1181
    Server: cloudflare
    CF-RAY: 8643929eaf034888-LHR
  • 104.20.67.143:443
    https://pastebin.com/raw/ubFNTPjt
    tls, http
    c863e36cb0270c9cec1fea46ae6fe0bc.exe
    1.3kB
    4.8kB
    12
    11

    HTTP Request

    GET https://pastebin.com/raw/ubFNTPjt

    HTTP Response

    404
  • 8.8.8.8:53
    pastebin.com
    dns
    c863e36cb0270c9cec1fea46ae6fe0bc.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.67.143
    172.67.34.170
    104.20.68.143

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\Local\Temp\Tar1C3F.tmp

    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • \Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe

    Filesize

    385KB

    MD5

    c1571383d14dc39e227f877b3e00b2f3

    SHA1

    57255fbe850a1accab4296bffb74d44d647aa641

    SHA256

    1ea112072b9aa7b9e0d17e0a7425532cadeb9935bfbe4d84e7dfc6de804a863e

    SHA512

    3188068402b2db76b28c07bb38313c5cb22a31af2655fbea7c811374b90461a270574831827caea20979cf96661e926fdb54ba850980d904f3417f5220448ccc

  • memory/2544-29-0x0000000001470000-0x00000000014CF000-memory.dmp

    Filesize

    380KB

  • memory/2544-17-0x0000000000370000-0x00000000003D6000-memory.dmp

    Filesize

    408KB

  • memory/2544-19-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2544-23-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2544-81-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2544-86-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2544-87-0x000000000FD80000-0x000000000FDBC000-memory.dmp

    Filesize

    240KB

  • memory/2972-14-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2972-12-0x0000000001470000-0x00000000014D6000-memory.dmp

    Filesize

    408KB

  • memory/2972-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2972-1-0x0000000000360000-0x00000000003C6000-memory.dmp

    Filesize

    408KB

  • memory/2972-2-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB
