Analysis
- max time kernel: 93s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/04/2024, 04:24 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699.exe
- Resource: win10v2004-20240412-en
General
- Target: eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699.exe
- Size: 1.7MB
- MD5: d6f6ed02f4d9f3606fe6118eaa63ec59
- SHA1: 6c697d5072db366d3feed1030457c14caba8ad5d
- SHA256: eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699
- SHA512: 7580568a70c4bb886f30c7cb23f8f006bc3f88513b8d23a403db868a59be80578bd7b99d21e9796dee2c11b241ca13c6d3e26404f03a745ff126e90490aac902
- SSDEEP: 24576:jOw8RD48DjnVoqzhNK41If/u8LVPQdQ7jxW32ciHjatr0zAiX90z/F0jsFB3SQk2:wBU41IuQmmjxW32/HjaB0zj0yjoB2
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (1 IoCs)
  description: File opened for modification; ioc: C:\Windows\System32\alg.exe; Process: eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeTakeOwnershipPrivilege; pid: 2304; Process: eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699.exe
Processes
Network
-
- Remote address: 8.8.8.8:53; Request: 8.8.8.8.in-addr.arpa IN PTR; Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- Remote address: 8.8.8.8:53; Request: 75.159.190.20.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: g.bing.com IN A; Response: g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net; g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net; dual-a-0034.a-msedge.net IN A 204.79.197.237; dual-a-0034.a-msedge.net IN A 13.107.21.237
-
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2B9B553C515F655517B0415A50BF64D1; domain=.bing.com; expires=Wed, 14-May-2025 04:24:45 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B7ED4CBA605A487782080CEE6A607F77 Ref B: LON04EDGE1115 Ref C: 2024-04-19T04:24:45Z
date: Fri, 19 Apr 2024 04:24:44 GMT
-
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2B9B553C515F655517B0415A50BF64D1
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=lyDnvbp_wv--mejEyC5mEVilB0jBRfkF0EgxfDowNNA; domain=.bing.com; expires=Wed, 14-May-2025 04:24:45 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AAC9F6898F0F472684E4AE0621404E0A Ref B: LON04EDGE1115 Ref C: 2024-04-19T04:24:45Z
date: Fri, 19 Apr 2024 04:24:44 GMT
-
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2B9B553C515F655517B0415A50BF64D1; MSPTC=lyDnvbp_wv--mejEyC5mEVilB0jBRfkF0EgxfDowNNA
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AA745617CBC94AE68F24182CA50312B1 Ref B: LON04EDGE1115 Ref C: 2024-04-19T04:24:45Z
date: Fri, 19 Apr 2024 04:24:44 GMT
-
- Remote address: 8.8.8.8:53; Request: 9.228.82.20.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: 172.210.232.199.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: 237.197.79.204.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: 156.33.209.4.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: 21.114.53.23.in-addr.arpa IN PTR; Response: 21.114.53.23.in-addr.arpa IN PTR a23-53-114-21.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53; Request: 88.156.103.20.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: 183.59.114.20.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: 198.187.3.20.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: 65.139.73.23.in-addr.arpa IN PTR; Response: 65.139.73.23.in-addr.arpa IN PTR a23-73-139-65.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53; Request: 0.205.248.87.in-addr.arpa IN PTR; Response: 0.205.248.87.in-addr.arpa IN PTR https-87-248-205-0.lgw.llnw.net
- Remote address: 8.8.8.8:53; Request: 43.229.111.52.in-addr.arpa IN PTR; Response: (empty)
-