Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/04/2024, 10:26

General

  • Target

    52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8.exe

  • Size

    19KB

  • MD5

    7f6219613eda811eada544ac6caa6c16

  • SHA1

    a04973420c8cb78746caa68bd7d85128d40690f4

  • SHA256

    52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8

  • SHA512

    a693a694baeff6a2ae9180a5086e906deabea57b79ea90ffb44f2bd94d05c9a7ec740a0322cfd2f3aa75f17ee1b511904fd9d71f9241442ec82ca49c673407cf

  • SSDEEP

    192:5V7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2cmA9mhmWF8qa1Dojjgi:bqaCF31cix+Dc4zjpmxFF46gi

Malware Config

Extracted

Family

cobaltstrike

C2

http://107.175.158.78:80/qQb9

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://107.175.158.78:80/MicrosoftUpdate/ShellEx/KB242742/default.aspx

Attributes
  • access_type

    512

  • host

    107.175.158.78,/MicrosoftUpdate/ShellEx/KB242742/default.aspx

  • http_header1

    AAAACgAAAD1Vc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoQ29tcGF0aWJsZTsgTVNJRSA2LjA7V2luZG93cyBOVCA1LjEpAAAACgAAABtBY2NlcHQ6ICovKiwgLi4uLCAuLi4uLi4sIC4AAAAHAAAAAAAAAAsAAAAFAAAAA3RtcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAoAAAA9VXNlci1BZ2VudDogTW96aWxsYS80LjAgKENvbXBhdGlibGU7IE1TSUUgNi4wO1dpbmRvd3MgTlQgNS4xKQAAAAcAAAAAAAAAAQAAAAwvZGVmYXVsdC5hc3AAAAAMAAAABwAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    500

  • port_number

    80

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj46Hh/xPdl6SVS/rb1DluSClic5D/zPS/2+I9/ABTMm+y4b9H5oDOOKI+i7iDCqkKDabQ0eZr6zAZUiwbXRPpNf/aIjYgAI90AY1cJNOXNkkeBioJSrIxzzfGZorz+nXN9ENaWL8uR4eh6mbrJPKhl3VHT8y68KBkC5f5y9FTfQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /MicrosoftUpdate/GetUpdate/KB

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)

  • watermark

    987654321

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8.exe
    "C:\Users\Admin\AppData\Local\Temp\52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8.exe"
    1⤵
      PID:3304
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:828

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3304-0-0x0000000000020000-0x0000000000021000-memory.dmp

        Filesize

        4KB

      • memory/3304-1-0x0000000003590000-0x0000000003990000-memory.dmp

        Filesize

        4.0MB

      • memory/3304-2-0x00000000006C0000-0x0000000000712000-memory.dmp

        Filesize

        328KB

      • memory/3304-3-0x0000000000720000-0x0000000000722000-memory.dmp

        Filesize

        8KB

      • memory/3304-4-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

      • memory/3304-6-0x00000000006C0000-0x0000000000712000-memory.dmp

        Filesize

        328KB