Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/03/2024, 16:45 UTC

General

  • Target

    d4033aaf1527a4ce14e754e14bddd9a2.exe

  • Size

    1000KB

  • MD5

    d4033aaf1527a4ce14e754e14bddd9a2

  • SHA1

    00a4a66cdd3d32827c2c70122f1792018d95e48e

  • SHA256

    162176dd27cff995ab743814ad56dc74fce12b98f7b5d8cbfd4949544d847c00

  • SHA512

    7c23b70f1105fad2deb596a4aedac0159e2cfd58279fc7d317f2687b0154fe709b28530223b4daef32cd1ae116f1c3dba64b65d8c0945d088d1aab60f8808107

  • SSDEEP

    12288:n2xBN/wChxI5LL/fvvtuYMSXkbaAcF3k6mECaBwQ2tb5JLrnylUPqt0gHDS7eyod:2xH/wexI5LLHyQkM1B+5vMiqt0gj2ed

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe
    "C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe
      C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe" /TN Google_Trk_Updater /F
        3⤵
        • Creates scheduled task(s)
        PID:668

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.0UGRW121Ko.com
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    Remote address:
    8.8.8.8:53
    Request
    www.0UGRW121Ko.com
    IN A
    Response
  • flag-us
    DNS
    w.google.com
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    Remote address:
    8.8.8.8:53
    Request
    w.google.com
    IN A
    Response
    w.google.com
    IN CNAME
    www3.l.google.com
    www3.l.google.com
    IN A
    142.250.179.206
  • flag-us
    DNS
    w.google.com
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    Remote address:
    8.8.8.8:53
    Request
    w.google.com
    IN A
  • flag-us
    DNS
    w.google.com
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    Remote address:
    8.8.8.8:53
    Request
    w.google.com
    IN A
  • flag-us
    DNS
    202.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    202.178.17.96.in-addr.arpa
    IN PTR
    Response
    202.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-202.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    http://w.google.com/
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    Remote address:
    142.250.179.206:80
    Request
    GET / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: w.google.com
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    Referrer-Policy: no-referrer
    Content-Length: 1561
    Date: Mon, 18 Mar 2024 16:45:49 GMT
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    206.179.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.179.250.142.in-addr.arpa
    IN PTR
    Response
    206.179.250.142.in-addr.arpa
    IN PTR
    ams15s42-in-f14.1e100.net
  • flag-us
    DNS
    206.179.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.179.250.142.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    pastebin.com
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    172.67.34.170
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    104.20.67.143
  • flag-us
    GET
    http://pastebin.com/raw/ubFNTPjt
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    Remote address:
    172.67.34.170:80
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 18 Mar 2024 16:45:56 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Mon, 18 Mar 2024 17:45:56 GMT
    Location: https://pastebin.com/raw/ubFNTPjt
    Server: cloudflare
    CF-RAY: 8666b229df837792-LHR
  • flag-us
    DNS
    170.34.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    170.34.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    170.34.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    170.34.67.172.in-addr.arpa
    IN PTR
  • flag-us
    GET
    https://pastebin.com/raw/ubFNTPjt
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    Remote address:
    172.67.34.170:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 18 Mar 2024 16:45:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: EXPIRED
    Server: cloudflare
    CF-RAY: 8666b22f3f94dc57-LHR
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    196.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.178.17.96.in-addr.arpa
    IN PTR
    Response
    196.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-196.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.178.17.96.in-addr.arpa
    IN PTR
    Response
    200.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-200.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    10.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.173.189.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    10.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.173.189.20.in-addr.arpa
    IN PTR
  • 142.250.179.206:80
    http://w.google.com/
    http
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    1.1kB
    1.9kB
    8
    5

    HTTP Request

    GET http://w.google.com/

    HTTP Response

    404
  • 172.67.34.170:80
    http://pastebin.com/raw/ubFNTPjt
    http
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    914 B
    476 B
    9
    4

    HTTP Request

    GET http://pastebin.com/raw/ubFNTPjt

    HTTP Response

    301
  • 172.67.34.170:443
    https://pastebin.com/raw/ubFNTPjt
    tls, http
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    1.3kB
    4.9kB
    12
    10

    HTTP Request

    GET https://pastebin.com/raw/ubFNTPjt

    HTTP Response

    404
  • 138.91.171.81:80
    46 B
    1
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    www.0UGRW121Ko.com
    dns
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    64 B
    137 B
    1
    1

    DNS Request

    www.0UGRW121Ko.com

  • 8.8.8.8:53
    w.google.com
    dns
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    174 B
    95 B
    3
    1

    DNS Request

    w.google.com

    DNS Request

    w.google.com

    DNS Request

    w.google.com

    DNS Response

    142.250.179.206

  • 8.8.8.8:53
    202.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    202.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
    144 B
    2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    206.179.250.142.in-addr.arpa
    dns
    148 B
    113 B
    2
    1

    DNS Request

    206.179.250.142.in-addr.arpa

    DNS Request

    206.179.250.142.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    d4033aaf1527a4ce14e754e14bddd9a2.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    172.67.34.170
    104.20.68.143
    104.20.67.143

  • 8.8.8.8:53
    170.34.67.172.in-addr.arpa
    dns
    144 B
    134 B
    2
    1

    DNS Request

    170.34.67.172.in-addr.arpa

    DNS Request

    170.34.67.172.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    216 B
    158 B
    3
    1

    DNS Request

    171.39.242.20.in-addr.arpa

    DNS Request

    171.39.242.20.in-addr.arpa

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    196.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    196.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    200.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    200.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    10.173.189.20.in-addr.arpa
    dns
    216 B
    158 B
    3
    1

    DNS Request

    10.173.189.20.in-addr.arpa

    DNS Request

    10.173.189.20.in-addr.arpa

    DNS Request

    10.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d4033aaf1527a4ce14e754e14bddd9a2.exe

    Filesize

    1000KB

    MD5

    3ea76daa753d5748f59f8d5eece0961a

    SHA1

    4f275433f17ea9525864f283c6c1a4728233e21c

    SHA256

    52a7408949a9cd80b6dab705f9e4ab82527c9631834c56dda814bbd3be17d19a

    SHA512

    6163e8551e13512c9f2fa8a7c7ab8ea72514c7cc1a860a10bca665506ccf94c63a39c653dd14f7dc5dba8118f4c3913c4e43a570266590764bd58af9eea0c5e4

  • memory/1648-14-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

  • memory/1648-17-0x00000000016E0000-0x0000000001763000-memory.dmp

    Filesize

    524KB

  • memory/1648-20-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/1648-22-0x0000000005000000-0x000000000507E000-memory.dmp

    Filesize

    504KB

  • memory/1648-27-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2900-0-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

  • memory/2900-1-0x0000000001510000-0x0000000001593000-memory.dmp

    Filesize

    524KB

  • memory/2900-2-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2900-11-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB
