Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    18/03/2024, 21:06 UTC

General

  • Target

    d4878bf517b84e49c3377adb1ad8038d.exe

  • Size

    2.9MB

  • MD5

    d4878bf517b84e49c3377adb1ad8038d

  • SHA1

    4c4164f543d64416962598f4ce0e3289dfd4b36e

  • SHA256

    230e5141831452d7f1c26a2640ab4018dd8b3078719d75c7729b0c08b2b29a4f

  • SHA512

    1c50f6f2571c33d86bf052dba01607e98fb34549241c8aea421c1a00790058a274d989b5dda3d528f4ebf7881de6070f8450173525ac0f8df76d7475f5a6878a

  • SSDEEP

    49152:nmh2LMvCzI4FieFUSfJxt7N74NH5HUyNRcUsCVOzetdZJ:nmoLMviI4iCUkt4HBUCczzM3

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
    "C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
      C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2204

Network

  • flag-us
    DNS
    zipansion.com
    d4878bf517b84e49c3377adb1ad8038d.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    104.21.73.114
    zipansion.com
    IN A
    172.67.144.180
  • flag-us
    GET
    http://zipansion.com/2pRLi
    d4878bf517b84e49c3377adb1ad8038d.exe
    Remote address:
    104.21.73.114:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 18 Mar 2024 21:06:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=u6m536fb28g8r6csup2sn1e962; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MyAY1qH0pBwyLMMDhsrPSjtjb8alYbd8QbRahVRDIpMUYTbGSromzB3Xd5ltNjn8dK1L0oYaK6z4HJLtwdklL4NJeFTX09SttK4nwTebvduHgt0AOvPgQdaFjgFfmZMG"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 86682fb96aa5068f-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    yxeepsek.net
    d4878bf517b84e49c3377adb1ad8038d.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
    Response
    yxeepsek.net
    IN A
    172.67.194.101
    yxeepsek.net
    IN A
    104.21.20.204
  • flag-us
    DNS
    yxeepsek.net
    d4878bf517b84e49c3377adb1ad8038d.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
  • flag-us
    GET
    http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985
    d4878bf517b84e49c3377adb1ad8038d.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /-36721OHCK/2pRLi?rndad=1502943035-1710795985 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Response
    HTTP/1.1 302 Found
    Date: Mon, 18 Mar 2024 21:06:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=ap5cjcitaq7cjiqacdl1o7ccn7; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiCf82%2B7sDL8mgHtmQOuRTTNseanP5KeXLahLCVf%2BA8w1G3sEA95kMPHA3sM%2B4DKTQgpR7G%2BAYPYcDNqTHl7LHlNCArsofI7QzQ%2Fcvuk1R3XX98bI5MTeEHZYA5K448%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 86682fc20ffd45a1-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    GET
    http://yxeepsek.net/suspended?a=3&u=20186239
    d4878bf517b84e49c3377adb1ad8038d.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Cookie: FLYSESSID=ap5cjcitaq7cjiqacdl1o7ccn7
    Response
    HTTP/1.1 200 OK
    Date: Mon, 18 Mar 2024 21:06:26 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lilLXEQpYnwJhZe5wosE%2FdCljndQ8PPDVlC5DyGFhUHu84iAPKcxkd8UYCp1o8pd4RtXHJCm%2BlOIXgeUm8eOfPL0tSnzpJ9uFRIZxt6c35R4EtWfe0f7jMO%2FCc6%2FJQM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 86682fc3cb1b45a1-LHR
    alt-svc: h2=":443"; ma=60
  • 104.21.73.114:80
    http://zipansion.com/2pRLi
    http
    d4878bf517b84e49c3377adb1ad8038d.exe
    443 B
    2.1kB
    6
    5

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    301
  • 172.67.194.101:80
    http://yxeepsek.net/suspended?a=3&u=20186239
    http
    d4878bf517b84e49c3377adb1ad8038d.exe
    886 B
    3.3kB
    9
    9

    HTTP Request

    GET http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985

    HTTP Response

    302

    HTTP Request

    GET http://yxeepsek.net/suspended?a=3&u=20186239

    HTTP Response

    200
  • 8.8.8.8:53
    zipansion.com
    dns
    d4878bf517b84e49c3377adb1ad8038d.exe
    59 B
    91 B
    1
    1

    DNS Request

    zipansion.com

    DNS Response

    104.21.73.114
    172.67.144.180

  • 8.8.8.8:53
    yxeepsek.net
    dns
    d4878bf517b84e49c3377adb1ad8038d.exe
    116 B
    90 B
    2
    1

    DNS Request

    yxeepsek.net

    DNS Request

    yxeepsek.net

    DNS Response

    172.67.194.101
    104.21.20.204

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe

    Filesize

    1.8MB

    MD5

    9a836599cece6bfb3fc88a87f9de1dcd

    SHA1

    45a1b3d2b9433c8a3d9f4b684469ca797e4eee1f

    SHA256

    a4d3b464204f207909df15654039147b09b42bbb9d1b17f1a97ca255eb76bc65

    SHA512

    d96e93f75d1423f5de872ac61592487c92c38ea78c80472140dd67fa5c1aa3b3a0bf55f96c3513364c7f3a404c2ef6e7b37942445aab19557c60b42e2bcce779

  • C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe

    Filesize

    2.4MB

    MD5

    ee13ce8486934ae1a9c9e88aab46aa8d

    SHA1

    9d270abd2ec918e1d6b809d4b3d849ff184af4ea

    SHA256

    30d0396f7e04ae7bc24b5273cf3ec5d91ef311a905be2e436788e6c9d1316655

    SHA512

    565e9870b6627841d0553b74669c9de33ae5a38e391b70a0fc4752194114c0d8deaa7cc9f03a68089bbb1568d95e17c7a1ffa5562e2dfa60c2283c419eb09801

  • \Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe

    Filesize

    2.2MB

    MD5

    7a10428eade567a2a006d415a510bc0e

    SHA1

    4b181d5c7a7a429e55cb0a9b7e53246b4855e8c3

    SHA256

    562473815d7fade38401dabed42850a3ae7c71cda905879c3a6b3b900a42b3f9

    SHA512

    78df287caea4844be6f54c314ec3a1fcbcd0cc484058a67a3765b6776aa21c50f75a4c70040d6d2266d34ca1c1e6a48bc8511d1e5360e4dd8c262f8bfeca9246

  • memory/2204-16-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2204-17-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/2204-19-0x0000000001B20000-0x0000000001C53000-memory.dmp

    Filesize

    1.2MB

  • memory/2204-23-0x0000000000400000-0x000000000061D000-memory.dmp

    Filesize

    2.1MB

  • memory/2204-25-0x0000000003410000-0x000000000363A000-memory.dmp

    Filesize

    2.2MB

  • memory/2204-32-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/2820-0-0x0000000000400000-0x00000000008EF000-memory.dmp

    Filesize

    4.9MB

  • memory/2820-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

    Filesize

    1.2MB

  • memory/2820-14-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2820-1-0x0000000000400000-0x000000000062A000-memory.dmp

    Filesize

    2.2MB

  • memory/2820-13-0x0000000003980000-0x0000000003E6F000-memory.dmp

    Filesize

    4.9MB

  • memory/2820-31-0x0000000003980000-0x0000000003E6F000-memory.dmp

    Filesize

    4.9MB
