Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/04/2024, 22:46 UTC

General

  • Target

    6a03af0f09818c405bea61cc21b6581f.exe

  • Size

    106KB

  • MD5

    6a03af0f09818c405bea61cc21b6581f

  • SHA1

    ef577f8861f1f126f5afd7a02ad1e033f93b6e66

  • SHA256

    c6f9bf01583b17a4dbbee494ebdd901aa3b12723ebef43d5e39fbbb7936b2e23

  • SHA512

    c7947facd23c6779a4f5fc824b64c8429a6a30756396d65c9d0246b4fc68ffdd86501f9d0f50d56f396b6c75ad3d07f92008b982560d0f3bd8a0373e1563cf0f

  • SSDEEP

    3072:oGqIGRpTa9p1om9PW/pqqsFUCN3R9MI+I0ZfG:oGHGRpO9p1om9+xs3NBBSG

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
    "C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
      "C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
        "C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\gay voyeur hole black hairunshaved .rar.exe

    Filesize

    997KB

    MD5

    e8847c40b97d4f1d32efc0d5a450614e

    SHA1

    3285027cf9fd5cd71c9f2672701a929efde98a0c

    SHA256

    5354224f0e21348d2b330775fda271c14833c243371142e5b5b462039e185784

    SHA512

    0860d28d32958c3decee4d778d30c0a26ab6776bea8f53c4d0d6911e5c0fccba9fef6f67c5f1c0a100484e22705e1c8323879d6652031efd91429755de027761
