Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18/03/2024, 21:06 UTC
Behavioral task: behavioral1
Sample: d4878bf517b84e49c3377adb1ad8038d.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: d4878bf517b84e49c3377adb1ad8038d.exe
Resource: win10v2004-20240226-en
General
- Target: d4878bf517b84e49c3377adb1ad8038d.exe
- Size: 2.9MB
- MD5: d4878bf517b84e49c3377adb1ad8038d
- SHA1: 4c4164f543d64416962598f4ce0e3289dfd4b36e
- SHA256: 230e5141831452d7f1c26a2640ab4018dd8b3078719d75c7729b0c08b2b29a4f
- SHA512: 1c50f6f2571c33d86bf052dba01607e98fb34549241c8aea421c1a00790058a274d989b5dda3d528f4ebf7881de6070f8450173525ac0f8df76d7475f5a6878a
- SSDEEP: 49152:nmh2LMvCzI4FieFUSfJxt7N74NH5HUyNRcUsCVOzetdZJ:nmoLMviI4iCUkt4HBUCczzM3
Signatures
- Deletes itself (1 IoC)
  pid 2204, process d4878bf517b84e49c3377adb1ad8038d.exe
- Executes dropped EXE (1 IoC)
  pid 2204, process d4878bf517b84e49c3377adb1ad8038d.exe
- Loads dropped DLL (1 IoC)
  pid 2820, process d4878bf517b84e49c3377adb1ad8038d.exe
- resource / yara_rule
  behavioral1/memory/2820-0-0x0000000000400000-0x00000000008EF000-memory.dmp: upx
  behavioral1/files/0x000a000000013a21-12.dat: upx
  behavioral1/files/0x000a000000013a21-10.dat: upx
  behavioral1/files/0x000a000000013a21-15.dat: upx
  behavioral1/memory/2204-17-0x0000000000400000-0x00000000008EF000-memory.dmp: upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2820, process d4878bf517b84e49c3377adb1ad8038d.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2820, process d4878bf517b84e49c3377adb1ad8038d.exe
  pid 2204, process d4878bf517b84e49c3377adb1ad8038d.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2820 wrote to memory of 2204 | 2820 | d4878bf517b84e49c3377adb1ad8038d.exe | 28
  PID 2820 wrote to memory of 2204 | 2820 | d4878bf517b84e49c3377adb1ad8038d.exe | 28
  PID 2820 wrote to memory of 2204 | 2820 | d4878bf517b84e49c3377adb1ad8038d.exe | 28
  PID 2820 wrote to memory of 2204 | 2820 | d4878bf517b84e49c3377adb1ad8038d.exe | 28
Processes
-
Process 1
Image: C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe"
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID: 2820
-
  Process 2 (child of process 1)
  Image: C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID: 2204
-
Network
-
Remote address: 8.8.8.8:53
Request: zipansion.com IN A
Response: zipansion.com IN A 104.21.73.114
          zipansion.com IN A 172.67.144.180
-
Remote address: 104.21.73.114:80
Request: GET /2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: zipansion.com
Cache-Control: no-cache
Response: HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=u6m536fb28g8r6csup2sn1e962; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MyAY1qH0pBwyLMMDhsrPSjtjb8alYbd8QbRahVRDIpMUYTbGSromzB3Xd5ltNjn8dK1L0oYaK6z4HJLtwdklL4NJeFTX09SttK4nwTebvduHgt0AOvPgQdaFjgFfmZMG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86682fb96aa5068f-LHR
alt-svc: h2=":443"; ma=60
-
Remote address: 8.8.8.8:53
Request: yxeepsek.net IN A
Response: yxeepsek.net IN A 172.67.194.101
          yxeepsek.net IN A 104.21.20.204
-
Remote address: 8.8.8.8:53
Request: yxeepsek.net IN A
-
GET http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985 (process d4878bf517b84e49c3377adb1ad8038d.exe)
Remote address: 172.67.194.101:80
Request: GET /-36721OHCK/2pRLi?rndad=1502943035-1710795985 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Response: HTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=ap5cjcitaq7cjiqacdl1o7ccn7; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiCf82%2B7sDL8mgHtmQOuRTTNseanP5KeXLahLCVf%2BA8w1G3sEA95kMPHA3sM%2B4DKTQgpR7G%2BAYPYcDNqTHl7LHlNCArsofI7QzQ%2Fcvuk1R3XX98bI5MTeEHZYA5K448%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86682fc20ffd45a1-LHR
alt-svc: h2=":443"; ma=60
-
Remote address: 172.67.194.101:80
Request: GET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=ap5cjcitaq7cjiqacdl1o7ccn7
Response: HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lilLXEQpYnwJhZe5wosE%2FdCljndQ8PPDVlC5DyGFhUHu84iAPKcxkd8UYCp1o8pd4RtXHJCm%2BlOIXgeUm8eOfPL0tSnzpJ9uFRIZxt6c35R4EtWfe0f7jMO%2FCc6%2FJQM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86682fc3cb1b45a1-LHR
alt-svc: h2=":443"; ma=60
-
443 B 2.1kB 6 5
HTTP Request: GET http://zipansion.com/2pRLi
HTTP Response: 301
-
172.67.194.101:80 | http://yxeepsek.net/suspended?a=3&u=20186239 | http | d4878bf517b84e49c3377adb1ad8038d.exe | 886 B 3.3kB 9 9
HTTP Request: GET http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985
HTTP Response: 302
HTTP Request: GET http://yxeepsek.net/suspended?a=3&u=20186239
HTTP Response: 200
-
59 B 91 B 1 1
DNS Request: zipansion.com
DNS Response: 104.21.73.114, 172.67.144.180
-
116 B 90 B 2 1
DNS Request: yxeepsek.net
DNS Request: yxeepsek.net
DNS Response: 172.67.194.101, 104.21.20.204
Downloads
-
Filesize: 1.8MB
MD5: 9a836599cece6bfb3fc88a87f9de1dcd
SHA1: 45a1b3d2b9433c8a3d9f4b684469ca797e4eee1f
SHA256: a4d3b464204f207909df15654039147b09b42bbb9d1b17f1a97ca255eb76bc65
SHA512: d96e93f75d1423f5de872ac61592487c92c38ea78c80472140dd67fa5c1aa3b3a0bf55f96c3513364c7f3a404c2ef6e7b37942445aab19557c60b42e2bcce779
-
Filesize: 2.4MB
MD5: ee13ce8486934ae1a9c9e88aab46aa8d
SHA1: 9d270abd2ec918e1d6b809d4b3d849ff184af4ea
SHA256: 30d0396f7e04ae7bc24b5273cf3ec5d91ef311a905be2e436788e6c9d1316655
SHA512: 565e9870b6627841d0553b74669c9de33ae5a38e391b70a0fc4752194114c0d8deaa7cc9f03a68089bbb1568d95e17c7a1ffa5562e2dfa60c2283c419eb09801
-
Filesize: 2.2MB
MD5: 7a10428eade567a2a006d415a510bc0e
SHA1: 4b181d5c7a7a429e55cb0a9b7e53246b4855e8c3
SHA256: 562473815d7fade38401dabed42850a3ae7c71cda905879c3a6b3b900a42b3f9
SHA512: 78df287caea4844be6f54c314ec3a1fcbcd0cc484058a67a3765b6776aa21c50f75a4c70040d6d2266d34ca1c1e6a48bc8511d1e5360e4dd8c262f8bfeca9246