Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/04/2024, 03:11 UTC

General

  • Target

    e1f6c964b6e5c90cfcaf745873e7a432fc1c01dc3769ce6850f9480663a03a23.exe

  • Size

    608KB

  • MD5

    de9281d4bd1d8ee5413a4cc6c5086565

  • SHA1

    5764ee20f5f9260c0e98bcf55d7cb269d983beb7

  • SHA256

    e1f6c964b6e5c90cfcaf745873e7a432fc1c01dc3769ce6850f9480663a03a23

  • SHA512

    332d72bd1e32a0af631f54023d652569f59ed916c95bba9b05b0d303d519b28e7c9a65767a1cc094798c669fd9d9f71011fee957f5399107e2ef71d4febcf649

  • SSDEEP

    12288:4jauDReWKGRPUcPmgqhrSr2tUaZS+qrNpXDdKjlpYMyc:4DDGcPmdhrSr2tUQqrNpXEhpYc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1f6c964b6e5c90cfcaf745873e7a432fc1c01dc3769ce6850f9480663a03a23.exe
    "C:\Users\Admin\AppData\Local\Temp\e1f6c964b6e5c90cfcaf745873e7a432fc1c01dc3769ce6850f9480663a03a23.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\ProgramData\ygjct.exe
      "C:\ProgramData\ygjct.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:3228

Network

  • US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • US
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86oYOQYMSs3urfJ8MtdLrbDVUCUwXDgZN5qWc77JjqDalPq_zuTt1NLYOBcYCabGbvdESRW_j73yfR0q8oo4TAdn8FQqc2t3L-9VBw1HFkh_Iq6r5Icqz-kWXN86w4SY6mXrWsKv4UOHJJaqlgwpxKTofjcqq8hlXEJuhyaNVAJUPAC-o%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D47a3d175cec612e6d0b2b75e7d0a076f&TIME=20240426T140249Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86oYOQYMSs3urfJ8MtdLrbDVUCUwXDgZN5qWc77JjqDalPq_zuTt1NLYOBcYCabGbvdESRW_j73yfR0q8oo4TAdn8FQqc2t3L-9VBw1HFkh_Iq6r5Icqz-kWXN86w4SY6mXrWsKv4UOHJJaqlgwpxKTofjcqq8hlXEJuhyaNVAJUPAC-o%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D47a3d175cec612e6d0b2b75e7d0a076f&TIME=20240426T140249Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=03FD0428BC2468D73FA21058BDC4699B; domain=.bing.com; expires=Sat, 24-May-2025 03:11:25 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BF4ABD5199994B0DBE62EC0B648311BD Ref B: LON04EDGE1013 Ref C: 2024-04-29T03:11:25Z
    date: Mon, 29 Apr 2024 03:11:24 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86oYOQYMSs3urfJ8MtdLrbDVUCUwXDgZN5qWc77JjqDalPq_zuTt1NLYOBcYCabGbvdESRW_j73yfR0q8oo4TAdn8FQqc2t3L-9VBw1HFkh_Iq6r5Icqz-kWXN86w4SY6mXrWsKv4UOHJJaqlgwpxKTofjcqq8hlXEJuhyaNVAJUPAC-o%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D47a3d175cec612e6d0b2b75e7d0a076f&TIME=20240426T140249Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86oYOQYMSs3urfJ8MtdLrbDVUCUwXDgZN5qWc77JjqDalPq_zuTt1NLYOBcYCabGbvdESRW_j73yfR0q8oo4TAdn8FQqc2t3L-9VBw1HFkh_Iq6r5Icqz-kWXN86w4SY6mXrWsKv4UOHJJaqlgwpxKTofjcqq8hlXEJuhyaNVAJUPAC-o%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D47a3d175cec612e6d0b2b75e7d0a076f&TIME=20240426T140249Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=03FD0428BC2468D73FA21058BDC4699B; _EDGE_S=SID=21F70212B7F76F1F2FB01662B6BF6E94
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=qAnJTvQFyg1IiMb56zFAKENYRrW2yWQmIKrnp-nzRfk; domain=.bing.com; expires=Sat, 24-May-2025 03:11:25 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 06666100A22346B69565E9DBD5F77244 Ref B: LON04EDGE1013 Ref C: 2024-04-29T03:11:25Z
    date: Mon, 29 Apr 2024 03:11:24 GMT
  • US
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • NL
    GET
    https://www.bing.com/aes/c.gif?RG=80cd5be833eb42b88fd0e1866beeef96&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T140249Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
    Remote address:
    23.62.61.97:443
    Request
    GET /aes/c.gif?RG=80cd5be833eb42b88fd0e1866beeef96&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T140249Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=03FD0428BC2468D73FA21058BDC4699B
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0E34E4464E424C5CBC26FA50B929CAF5 Ref B: BRU30EDGE0913 Ref C: 2024-04-29T03:11:25Z
    content-length: 0
    date: Mon, 29 Apr 2024 03:11:25 GMT
    set-cookie: _EDGE_S=SID=21F70212B7F76F1F2FB01662B6BF6E94; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=03FD0428BC2468D73FA21058BDC4699B; path=/; httponly; expires=Sat, 24-May-2025 03:11:25 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.5d3d3e17.1714360285.1d0c6b7d
  • US
    DNS
    97.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.61.62.23.in-addr.arpa
    IN PTR
    Response
    97.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-97.deploy.static.akamaitechnologies.com
  • US
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    133.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.190.18.2.in-addr.arpa
    IN PTR
    Response
    133.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-133.deploy.static.akamaitechnologies.com
  • US
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    14.179.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.179.89.13.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86oYOQYMSs3urfJ8MtdLrbDVUCUwXDgZN5qWc77JjqDalPq_zuTt1NLYOBcYCabGbvdESRW_j73yfR0q8oo4TAdn8FQqc2t3L-9VBw1HFkh_Iq6r5Icqz-kWXN86w4SY6mXrWsKv4UOHJJaqlgwpxKTofjcqq8hlXEJuhyaNVAJUPAC-o%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D47a3d175cec612e6d0b2b75e7d0a076f&TIME=20240426T140249Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    tls, http2
    2.5kB
    9.0kB
    19
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86oYOQYMSs3urfJ8MtdLrbDVUCUwXDgZN5qWc77JjqDalPq_zuTt1NLYOBcYCabGbvdESRW_j73yfR0q8oo4TAdn8FQqc2t3L-9VBw1HFkh_Iq6r5Icqz-kWXN86w4SY6mXrWsKv4UOHJJaqlgwpxKTofjcqq8hlXEJuhyaNVAJUPAC-o%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D47a3d175cec612e6d0b2b75e7d0a076f&TIME=20240426T140249Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86oYOQYMSs3urfJ8MtdLrbDVUCUwXDgZN5qWc77JjqDalPq_zuTt1NLYOBcYCabGbvdESRW_j73yfR0q8oo4TAdn8FQqc2t3L-9VBw1HFkh_Iq6r5Icqz-kWXN86w4SY6mXrWsKv4UOHJJaqlgwpxKTofjcqq8hlXEJuhyaNVAJUPAC-o%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D47a3d175cec612e6d0b2b75e7d0a076f&TIME=20240426T140249Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

    HTTP Response

    204
  • 23.62.61.97:443
    https://www.bing.com/aes/c.gif?RG=80cd5be833eb42b88fd0e1866beeef96&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T140249Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
    tls, http2
    1.5kB
    5.4kB
    17
    12

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=80cd5be833eb42b88fd0e1866beeef96&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T140249Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

    HTTP Response

    200
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    97.61.62.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    97.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    133.190.18.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    133.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    14.179.89.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    14.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Documents and Settings .exe

    Filesize

    608KB

    MD5

    003c82cf089a2559ce5aeb3c05102e2d

    SHA1

    efd4a282c70e9f138597fc3dee6ceca50a559881

    SHA256

    b46f8c368fcd685019709383cea0ad80ea6ac8c323963685486d9202e0649fc9

    SHA512

    0906aa058bcc01ea7f0d4c7b87f55148ab460315e34bb953b63d08f533beab2cd4bb4958f53c35b7f832197c68c9cc1cb62d129e89048d3d9f832e51f047e70c

  • C:\ProgramData\Saaaalamm\Mira.h

    Filesize

    136KB

    MD5

    cb4c442a26bb46671c638c794bf535af

    SHA1

    8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

    SHA256

    f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

    SHA512

    074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

  • C:\ProgramData\ygjct.exe

    Filesize

    471KB

    MD5

    97dedeaa8b45172e90eb10217f6da6b7

    SHA1

    068ee2959066c1bcba4d73a30adc9e5b97063149

    SHA256

    2d1ccc1c125bbc55e882d153234bb89a0ce700f74b1e674fa60d496f3101fadf

    SHA512

    bb51119a1f750051afdedd1bfada39ea66fa64f51ef272388f5547d09a0c084ba3e02b15aefa9b55211b18803f6b1c4b76090060f8ee986ca084b80b7cb9f70b

  • memory/3228-130-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/3892-0-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/3892-1-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/3892-9-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB