Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/04/2024, 19:06 UTC

General

  • Target

    0891bd6168e2a165670372f0512b5b0d.exe

  • Size

    2.0MB

  • MD5

    0891bd6168e2a165670372f0512b5b0d

  • SHA1

    2a8e1747eb174756bd3d1cca65b412683d10ab93

  • SHA256

    4debd3d2d01631edb9e960d029d1539ca97c75e7c36f390d2a3d4ca819ed0a99

  • SHA512

    3732eb8397006b59359461924564188fe458e373ed5ebde0935deedfe60a6522d8d2550a6c31b13c788c725ca014f4b0c4b50892120c07485a7b6a782adb2b80

  • SSDEEP

    49152:bvqAH6w6wEytwEzWtEuvV4rIq6DqAqeJFnvYj1ND8RJd7ddxQvRzL:bvbVqtEuvV4EF5qeJpgj1N4RTRdxQpzL

Malware Config

Signatures

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • UPX packed file (7 IoCs)

    Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (10 IoCs)
  • Drops file in Program Files directory (15 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
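A check of the kind behind the "UPX packed file" signature, as an added example (not code from tria.ge or from this report): it parses the PE section table by hand with the standard library, flags the stock UPX0/UPX1 section names, and also keys on two structural traits that survive a renamed ("modified UPX") build: an empty first section with a large VirtualSize, and a section with near 8 bits per byte of entropy holding the compressed body. The three images it examines are constructed inside the block (headers and a section table only, not runnable code); their section layout, sizes and payloads are assumptions for the demo, not data taken from the sample.

```python
import math
import random
import struct

# Section names stock UPX leaves behind. A "modified UPX" build can rename them, so the
# structural checks further down are the ones that survive that trick.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, much lower for code."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE section table; returns (name, VirtualSize, SizeOfRawData, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    out = []
    for i in range(nsect):
        name, vsize, _va, rsize, rptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        out.append((name.rstrip(b"\0"), vsize, rsize, pe[rptr:rptr + rsize]))
    return out


def upx_indicators(pe: bytes) -> dict:
    """Heuristics of the kind a 'UPX packed file' rule keys on."""
    sections = parse_sections(pe)
    names = [s[0] for s in sections]
    # UPX0 is an empty, large landing zone the stub decompresses into:
    # SizeOfRawData == 0 on disk but a big VirtualSize in memory.
    first_hollow = bool(sections) and sections[0][2] == 0 and sections[0][1] >= 0x1000
    high_entropy = [n.decode(errors="replace") for n, _, rsize, raw in sections
                    if rsize and shannon_entropy(raw) > 7.0]
    by_name = [n.decode() for n in names if n in UPX_SECTION_NAMES]
    return {
        "upx_section_names": by_name,
        "hollow_first_section": first_hollow,
        "high_entropy_sections": high_entropy,
        "likely_upx": bool(by_name) or (first_hollow and bool(high_entropy)),
    }


def build_sample_pe(layout) -> bytes:
    """Constructed demo image (headers and section table only, not runnable code).
    layout: [(name, VirtualSize, raw_bytes)]."""
    n = len(layout)
    hdr_len = 0x40 + 4 + 20 + 0xE0 + 40 * n
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                      # file-align raw data to 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x102)  # i386, PE32 optional header
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    table, body = b"", b""
    for name, vsize, raw in layout:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0, len(raw),
                             raw_ptr + len(body) if raw else 0, 0, 0, 0, 0, 0)
        body += raw
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


_rng = random.Random(0x5EED)
_COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(0x4000))   # stands in for packed data
_CODE = b"\x55\x8b\xec\x83\xec\x10\xc3" * 300                       # repetitive x86 prologue bytes

# Constructed images (assumed layouts): stock UPX names, renamed "modified UPX", and unpacked.
PACKED = build_sample_pe([(b"UPX0", 0x1D000, b""), (b"UPX1", 0x8000, _COMPRESSED),
                          (b".rsrc", 0x1000, b"\0" * 0x200)])
RENAMED = build_sample_pe([(b".text", 0x1D000, b""), (b".data", 0x8000, _COMPRESSED),
                           (b".rsrc", 0x1000, b"\0" * 0x200)])
CLEAN = build_sample_pe([(b".text", 0x3000, _CODE), (b".data", 0x1000, b"\0" * 0x400),
                         (b".rsrc", 0x1000, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, upx_indicators(img))
```

Run it against a real file with `upx_indicators(open(path, "rb").read())`; a hit on the section names alone is enough to reach for `upx -d`, while a hit on the structural checks with ordinary names is the cue that the packer has been modified and the sample will need to be dumped from memory instead.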

Processes

  • C:\Users\Admin\AppData\Local\Temp\0891bd6168e2a165670372f0512b5b0d.exe (PID 2224, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\0891bd6168e2a165670372f0512b5b0d.exe"
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\0891bd6168e2a165670372f0512b5b0d.exe (PID 3000, depth 2, child of 2224)
      "C:\Users\Admin\AppData\Local\Temp\0891bd6168e2a165670372f0512b5b0d.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\0891bd6168e2a165670372f0512b5b0d.exe (PID 2800, depth 3, child of 3000)
        "C:\Users\Admin\AppData\Local\Temp\0891bd6168e2a165670372f0512b5b0d.exe"
        • Suspicious behavior: EnumeratesProcesses

The sample starts two further copies of itself with the same bare command line, and both the top-level process and its child call WriteProcessMemory. Together with the 116KB memory regions dumped from all three PIDs (see Downloads), that is the shape of a packer stub writing an unpacked image into a fresh instance of its own executable. All persistence and file-drop behaviour is attributed to the outermost process, PID 2224.
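Detection logic for the tree above, as an added example that is not part of the report: given process-create and WriteProcessMemory events, it finds chains in which a process repeatedly launches its own image and checks whether each parent wrote into that child's memory. The event list is constructed; the PIDs and image path are the report's, while the launching shell (explorer.exe, PID 1400) and the write targets are assumptions, since the report records the WriteProcessMemory calls but not their targets.

```python
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0891bd6168e2a165670372f0512b5b0d.exe"

# Constructed event stream shaped like the report's tree. PIDs and image path come from
# the report; the launching shell (explorer.exe, PID 1400, parent 1000) and the targets
# of the WriteProcessMemory calls are assumptions made for this demo.
EVENTS = [
    {"ev": "create", "pid": 1400, "ppid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"ev": "create", "pid": 2224, "ppid": 1400, "image": SAMPLE},
    {"ev": "create", "pid": 3000, "ppid": 2224, "image": SAMPLE},
    {"ev": "write_process_memory", "pid": 2224, "target": 3000},
    {"ev": "create", "pid": 2800, "ppid": 3000, "image": SAMPLE},
    {"ev": "write_process_memory", "pid": 3000, "target": 2800},
]


def _tables(events):
    """pid -> image path and pid -> parent pid, from the create events."""
    image = {e["pid"]: e["image"] for e in events if e["ev"] == "create"}
    parent = {e["pid"]: e["ppid"] for e in events if e["ev"] == "create"}
    return image, parent


def self_spawn_chains(events, min_len=2):
    """Chains [root, child, grandchild, ...] in which every link is a process starting
    another instance of its own image. A root is a process launched by a different image."""
    image, parent = _tables(events)
    children = defaultdict(list)
    for pid, ppid in parent.items():
        if image.get(ppid) == image[pid]:
            children[ppid].append(pid)
    roots = [p for p in children if image.get(parent.get(p)) != image[p]]
    chains = []

    def walk(path):
        kids = children.get(path[-1], [])
        if not kids and len(path) >= min_len:
            chains.append(path)
        for kid in kids:
            walk(path + [kid])

    for root in sorted(roots):
        walk([root])
    return chains


def writes_into_own_child(events):
    """(writer, target) pairs where a process wrote into a child running the same image:
    the shape of a stub unpacking into, or hollowing, a fresh copy of itself."""
    image, parent = _tables(events)
    return [(e["pid"], e["target"]) for e in events
            if e["ev"] == "write_process_memory"
            and parent.get(e["target"]) == e["pid"]
            and image.get(e["target"]) == image.get(e["pid"])]


def verdict(events, min_chain=2):
    """Suspicious only when a self-spawn chain also carries a cross-process write;
    a shell re-launching itself (cmd.exe -> cmd.exe) produces a chain but no write."""
    chains = self_spawn_chains(events, min_chain)
    writes = writes_into_own_child(events)
    flagged = [c for c in chains if any(w[0] in c and w[1] in c for w in writes)]
    return {"chains": chains, "self_copy_writes": writes, "suspicious": bool(flagged)}


if __name__ == "__main__":
    print(verdict(EVENTS))
```

Requiring both signals keeps the rule quiet on interpreters and shells that legitimately respawn themselves, while still firing on the two-deep self-copy with parent-to-child writes recorded here.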

Network

Every network event recorded is a reverse (PTR) lookup sent over UDP to 8.8.8.8:53; each was a single query/response pair (1 packet out, 1 in), and the page lists no other traffic. The country flag shown beside each entry on the original page is that of the resolver (US), not of the address being resolved. "Sent" and "Recv" are the on-the-wire sizes as reported; "Address resolved" is the in-addr.arpa name read back into dotted form.

  Query name (IN PTR)              Address resolved   Sent   Recv    PTR answer (none = no record returned)
  240.80.186.8.in-addr.arpa        8.186.80.240       71 B   142 B   (none)
  138.170.251.203.in-addr.arpa     203.251.170.138    74 B   132 B   (none)
  118.45.227.88.in-addr.arpa       88.227.45.118      72 B   120 B   88.227.45.118.dynamic.ttnet.com.tr
  227.7.104.88.in-addr.arpa        88.104.7.227       71 B   131 B   (none)
  110.168.126.60.in-addr.arpa      60.126.168.110     73 B   117 B   softbank060126168110.bbtec.net
  238.230.41.29.in-addr.arpa       29.41.230.238      72 B   140 B   (none)
  252.134.12.87.in-addr.arpa       87.12.134.252      72 B   130 B   host-87-12-134-252.business.telecomitalia.it
  91.78.3.72.in-addr.arpa          72.3.78.91         69 B   143 B   (none)
  238.30.23.89.in-addr.arpa        89.23.30.238       71 B   113 B   net089023030238.pskovline.ru
  72.6.206.57.in-addr.arpa         57.206.6.72        70 B   130 B   (none)
  182.145.102.29.in-addr.arpa      29.102.145.182     73 B   141 B   (none)
  167.246.178.144.in-addr.arpa     144.178.246.167    74 B   124 B   144-178-246-167.static.ef-service.nl
  145.133.70.204.in-addr.arpa      204.70.133.145     73 B   148 B   (none)
  39.180.58.54.in-addr.arpa        54.58.180.39       71 B   125 B   (none)
  240.150.188.80.in-addr.arpa      80.188.150.240     73 B   130 B   (none)
  197.46.31.22.in-addr.arpa        22.31.46.197       71 B   139 B   (none)
  82.152.157.185.in-addr.arpa      185.157.152.82     73 B   116 B   185.157.152.82.radiokable.net
  249.141.54.11.in-addr.arpa       11.54.141.249      72 B   140 B   (none)
  105.126.115.244.in-addr.arpa     244.115.126.105    74 B   142 B   (none)
  138.67.33.144.in-addr.arpa       144.33.67.138      72 B   157 B   (none)
  83.109.50.160.in-addr.arpa       160.50.109.83      72 B   72 B    (none)
  250.115.206.130.in-addr.arpa     130.206.115.250    74 B   135 B   (none)

The 22 addresses are unrelated public hosts, and the six that did resolve sit on residential or business access networks in Turkey, Japan, Italy, Russia, the Netherlands and Germany. A desktop executable has no ordinary reason to reverse-resolve arbitrary Internet addresses, so a workstation process issuing a burst of PTR queries like this is an indicator in its own right, independent of whatever the lookups are for.
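A detection a practitioner would run over DNS telemetry to catch the pattern above, as an added example that is not part of the report: it decodes in-addr.arpa names back to the address being resolved, discards private ranges, and flags any process that reverse-resolves a burst of distinct public addresses inside a short window. The log is constructed; the PTR names and answers for PID 2224 are taken from the table above, while the timestamps, the second process (PID 1337) and its queries are assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed DNS log (not sandbox output). PID 2224's PTR names and answers mirror the
# report; timestamps, PID 1337 and its queries are assumptions for the demo.
DNS_LOG = """\
2024-04-09T19:06:12 pid=2224 qtype=PTR qname=240.80.186.8.in-addr.arpa answer=-
2024-04-09T19:06:12 pid=2224 qtype=PTR qname=138.170.251.203.in-addr.arpa answer=-
2024-04-09T19:06:13 pid=2224 qtype=PTR qname=118.45.227.88.in-addr.arpa answer=88.227.45.118.dynamic.ttnet.com.tr
2024-04-09T19:06:13 pid=2224 qtype=PTR qname=227.7.104.88.in-addr.arpa answer=-
2024-04-09T19:06:14 pid=2224 qtype=PTR qname=110.168.126.60.in-addr.arpa answer=softbank060126168110.bbtec.net
2024-04-09T19:06:15 pid=2224 qtype=PTR qname=238.230.41.29.in-addr.arpa answer=-
2024-04-09T19:06:15 pid=2224 qtype=PTR qname=252.134.12.87.in-addr.arpa answer=host-87-12-134-252.business.telecomitalia.it
2024-04-09T19:06:16 pid=2224 qtype=PTR qname=91.78.3.72.in-addr.arpa answer=-
2024-04-09T19:06:20 pid=1337 qtype=PTR qname=5.0.0.10.in-addr.arpa answer=fileserver.corp.example
2024-04-09T19:06:21 pid=1337 qtype=A qname=www.example.com answer=203.0.113.10
"""


def ptr_name_to_ip(qname: str):
    """'240.80.186.8.in-addr.arpa' -> '8.186.80.240'; None for anything that is not a
    full IPv4 reverse name (forward names, ip6.arpa, partial zones)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def parse_line(line: str) -> dict:
    """'<iso-timestamp> key=value ...' -> dict with parsed ts and integer pid."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["pid"] = int(rec["pid"])
    return rec


def ptr_bursts(log: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Per PID: the most distinct *public* IPv4 addresses reverse-resolved inside any
    window_s-second window, how many /8 blocks they span, and whether threshold is met."""
    per_pid = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        events = per_pid.setdefault(rec["pid"], [])   # every querying PID gets a row
        if rec["qtype"] != "PTR":
            continue
        ip = ptr_name_to_ip(rec["qname"])
        if ip is None or not ipaddress.ip_address(ip).is_global:
            continue                                   # skip RFC 1918 etc.: AD/file servers do these
        events.append((rec["ts"], ip))
    result = {}
    for pid, events in per_pid.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            seen = {ip for t, ip in events[i:] if (t - t0).total_seconds() <= window_s}
            peak = max(peak, len(seen))
        result[pid] = {
            "peak_distinct_public_ptr": peak,
            "distinct_slash8": len({ip.split(".")[0] for _, ip in events}),
            "flag": peak >= threshold,
        }
    return result


if __name__ == "__main__":
    for pid, row in ptr_bursts(DNS_LOG).items():
        print(pid, row)
```

The /8 spread is the second thing to look at once a process trips the threshold: a mail or web server reverse-resolving its own clients also produces bursts, but those are usually clustered, whereas the 2224 queries scatter across unrelated blocks.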
MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\gay several models (Sylvia).zip.exe

    Filesize: 2.1MB
    MD5: d14b068336d62819e27e9f3a457a7aa2
    SHA1: c9ebf269ceee17deb651599c477b28411bf37bb9
    SHA256: 11dad0734354955f0565dde4e74b115f1649f42c653795ca28a7b21ed69ffd49
    SHA512: c0cff7f7b2af6de3f8a3b34b1723d24c2480a70eaeb5bc36ff130b48f8380de232e36c820f2937894bbda99f983e48350e412c874d7219852c36c7f7fec638bc

    Note the double extension (.zip.exe) and the lure-style name, dropped into a Program Files subfolder. At 2.1MB the file does not hash-match the 2.0MB submitted sample, so pivot on its own SHA256 rather than assuming it is a byte-identical self-copy.

  • memory/2224-0-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
  • memory/2224-8-0x00000000049F0000-0x0000000004A0D000-memory.dmp (116KB)
  • memory/2224-95-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
  • memory/2800-46-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
  • memory/2800-100-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
  • memory/3000-9-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
  • memory/3000-44-0x0000000004910000-0x000000000492D000-memory.dmp (116KB)
  • memory/3000-99-0x0000000004910000-0x000000000492D000-memory.dmp (116KB)

All eight dumps cover a 0x1D000-byte (116KB) region: the image mapping at 0x400000 in each of the three PIDs, plus a second region of the same size at a non-image address in PID 2224 (0x49F0000) and PID 3000 (0x4910000). Because the on-disk sample is UPX-packed, the 0x400000 dumps taken late in each process (sequence 95, 99 and 100) are the ones to compare against the file: once the stub has run, the mapped image holds the decompressed code.
