Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2024, 04:24 UTC

General

  • Target

    eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699.exe

  • Size

    1.7MB

  • MD5

    d6f6ed02f4d9f3606fe6118eaa63ec59

  • SHA1

    6c697d5072db366d3feed1030457c14caba8ad5d

  • SHA256

    eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699

  • SHA512

    7580568a70c4bb886f30c7cb23f8f006bc3f88513b8d23a403db868a59be80578bd7b99d21e9796dee2c11b241ca13c6d3e26404f03a745ff126e90490aac902

  • SSDEEP

    24576:jOw8RD48DjnVoqzhNK41If/u8LVPQdQ7jxW32ciHjatr0zAiX90z/F0jsFB3SQk2:wBU41IuQmmjxW32/HjaB0zj0yjoB2

Score
6/10

Malware Config

Signatures

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699.exe
    "C:\Users\Admin\AppData\Local\Temp\eb07d08b797e3dce9c36909dd1a59f93ca95817f668aeec681f553bee1ee6699.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2304

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2B9B553C515F655517B0415A50BF64D1; domain=.bing.com; expires=Wed, 14-May-2025 04:24:45 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B7ED4CBA605A487782080CEE6A607F77 Ref B: LON04EDGE1115 Ref C: 2024-04-19T04:24:45Z
    date: Fri, 19 Apr 2024 04:24:44 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B9B553C515F655517B0415A50BF64D1
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=lyDnvbp_wv--mejEyC5mEVilB0jBRfkF0EgxfDowNNA; domain=.bing.com; expires=Wed, 14-May-2025 04:24:45 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AAC9F6898F0F472684E4AE0621404E0A Ref B: LON04EDGE1115 Ref C: 2024-04-19T04:24:45Z
    date: Fri, 19 Apr 2024 04:24:44 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B9B553C515F655517B0415A50BF64D1; MSPTC=lyDnvbp_wv--mejEyC5mEVilB0jBRfkF0EgxfDowNNA
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AA745617CBC94AE68F24182CA50312B1 Ref B: LON04EDGE1115 Ref C: 2024-04-19T04:24:45Z
    date: Fri, 19 Apr 2024 04:24:44 GMT
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    156.33.209.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    156.33.209.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.114.53.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.114.53.23.in-addr.arpa
    IN PTR
    Response
    21.114.53.23.in-addr.arpa
    IN PTR
    a23-53-114-21deploystaticakamaitechnologiescom
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
    Response
    65.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-65deploystaticakamaitechnologiescom
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    tls, http2
    2.0kB
    9.2kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=be939ff8f16e424c80071f0831ae68cf&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    156.33.209.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    156.33.209.4.in-addr.arpa

  • 8.8.8.8:53
    21.114.53.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    21.114.53.23.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    65.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    65.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2304-0-0x0000000000400000-0x00000000005C7000-memory.dmp

    Filesize

    1.8MB

  • memory/2304-1-0x0000000000B70000-0x0000000000BD7000-memory.dmp

    Filesize

    412KB

  • memory/2304-6-0x0000000000B70000-0x0000000000BD7000-memory.dmp

    Filesize

    412KB

  • memory/2304-10-0x0000000000400000-0x00000000005C7000-memory.dmp

    Filesize

    1.8MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.