
Analysis

  • max time kernel
    162s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/04/2024, 02:27 UTC

General

  • Target

    c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe

  • Size

    1.6MB

  • MD5

    e23f8bb38485ae01345747d7ef4cfa06

  • SHA1

    84e276ef8b3a302a43a10584f001816e1ab861a4

  • SHA256

    c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8

  • SHA512

    bd8c40cee70ac1aef7ffd996f3dd164e92bf10228dcdcb3b5a9fc429390d3824b70b257007725c6201807a24db3fc48f9439f914efb0869c1a00c2f3c162331a

  • SSDEEP

    24576:86Gj/chy9u8zPHGeSGjadTQdDqqskYwTb7a7qM+irMQKmPu0OhDNLd/:5mQaXzPHGeVgTqDvYwTb6qjQXPAD7

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
    "C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
      "C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
        "C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3180
    • C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
      "C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2920

Network

  • DNS 217.106.137.52.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 217.106.137.52.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 240.221.184.93.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 240.221.184.93.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 133.32.126.40.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 133.32.126.40.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 95.221.229.192.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 28.118.140.52.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 28.118.140.52.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 183.59.114.20.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 183.59.114.20.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 18.31.95.13.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 18.31.95.13.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 24.139.73.23.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 24.139.73.23.in-addr.arpa IN PTR
    Response: 24.139.73.23.in-addr.arpa IN PTR a23-73-139-24.deploy.static.akamaitechnologies.com
  • DNS 241.150.49.20.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 241.150.49.20.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 48.229.111.52.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 48.229.111.52.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 67.112.168.52.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 67.112.168.52.in-addr.arpa IN PTR
    Response: no answer records
Connections (remote address, queried name, protocol, bytes sent, bytes received, requests, responses):

  • 8.8.8.8:53  217.106.137.52.in-addr.arpa  dns  73 B sent  147 B received  1 request  1 response
  • 8.8.8.8:53  240.221.184.93.in-addr.arpa  dns  73 B sent  144 B received  1 request  1 response
  • 8.8.8.8:53  133.32.126.40.in-addr.arpa   dns  72 B sent  158 B received  1 request  1 response
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B sent  144 B received  1 request  1 response
  • 8.8.8.8:53  28.118.140.52.in-addr.arpa   dns  72 B sent  158 B received  1 request  1 response
  • 8.8.8.8:53  183.59.114.20.in-addr.arpa   dns  72 B sent  158 B received  1 request  1 response
  • 8.8.8.8:53  18.31.95.13.in-addr.arpa     dns  70 B sent  144 B received  1 request  1 response
  • 8.8.8.8:53  24.139.73.23.in-addr.arpa    dns  71 B sent  135 B received  1 request  1 response
  • 8.8.8.8:53  241.150.49.20.in-addr.arpa   dns  72 B sent  158 B received  1 request  1 response
  • 8.8.8.8:53  48.229.111.52.in-addr.arpa   dns  72 B sent  158 B received  1 request  1 response
  • 8.8.8.8:53  67.112.168.52.in-addr.arpa   dns  72 B sent  146 B received  1 request  1 response


MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\norwegian action uncut feet fishy .zip.exe

    Filesize

    1.7MB

    MD5

    10e8b1eca3400064732eb0bcdcb1cbba

    SHA1

    2740f2abe2c9d154459d0469d274c02792186eb6

    SHA256

    a107a0d776e7010485b3e69c403ea18073efafadf95f2d0b5d2810f0e1c53005

    SHA512

    be02182b90e4230d01be58139c8305dfef0dcbb960693a2cf1c8f08480efb68df089ade29cc61ac475d6b2d5f9fb10118c06c36911fadc36df57950a5b941b52
