Analysis

  • max time kernel
    133s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 22:00 UTC

General

  • Target

    4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe

  • Size

    134KB

  • MD5

    003aa94b5d59d463ad71112c54a8d06c

  • SHA1

    03cbd26d4465c120ffb882947524aa49f5898dbb

  • SHA256

    4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2

  • SHA512

    30ae8f06f9f177b789b9db75c3469927daafe17c3c75974f24e4faaf1bbbf60c3b9257bd08e99720bd106143d7fb40dadcc6bd377a9ff041d4db583aeb45048d

  • SSDEEP

    1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Qa:riAyLN9aa+9U2rW1ip6pr2At7NZuQa

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 5 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe (PID 5112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe"
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    • C:\ProgramData\Update\WwanSvc.exe (PID 1996, child of PID 5112)
      Command line: "C:\ProgramData\Update\WwanSvc.exe" /run
      • Executes dropped EXE
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1976)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2996 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

DNS requests (all sent to 8.8.8.8:53, resolver country US; all are reverse lookups, type PTR)

  Query                          | Response
  -------------------------------+-------------------------------------------------
  209.205.72.20.in-addr.arpa     | (none)
  101.58.20.217.in-addr.arpa     | (none)
  95.221.229.192.in-addr.arpa    | (none)
  75.159.190.20.in-addr.arpa     | (none)
  183.59.114.20.in-addr.arpa     | (none)
  56.126.166.20.in-addr.arpa     | (none)
  25.14.97.104.in-addr.arpa      | PTR a104-97-14-25deploystaticakamaitechnologiescom
  133.211.185.52.in-addr.arpa    | (none)
  241.150.49.20.in-addr.arpa     | (none)
  13.227.111.52.in-addr.arpa     | (none)
  172.210.232.199.in-addr.arpa   | (none)
  159.113.53.23.in-addr.arpa     | PTR a23-53-113-159deploystaticakamaitechnologiescom
  41.173.79.40.in-addr.arpa      | (none)

Connections (bytes and packets are listed as sent / received where both directions were recorded)

  Destination          | Process     | Protocol | Query                         | Bytes          | Packets
  ---------------------+-------------+----------+-------------------------------+----------------+--------
  138.91.171.81:80     |             |          |                               | 260 B          | 5
  158.69.115.115:443   | WwanSvc.exe |          |                               | 260 B          | 5
  13.107.253.64:443    |             |          |                               | 46 B / 40 B    | 1 / 1
  8.8.8.8:53           |             | dns      | 209.205.72.20.in-addr.arpa    | 72 B / 158 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 101.58.20.217.in-addr.arpa    | 72 B / 132 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 95.221.229.192.in-addr.arpa   | 73 B / 144 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 75.159.190.20.in-addr.arpa    | 72 B / 158 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 183.59.114.20.in-addr.arpa    | 72 B / 158 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 56.126.166.20.in-addr.arpa    | 72 B / 158 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 25.14.97.104.in-addr.arpa     | 71 B / 135 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 133.211.185.52.in-addr.arpa   | 73 B / 147 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 241.150.49.20.in-addr.arpa    | 72 B / 158 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 13.227.111.52.in-addr.arpa    | 72 B / 158 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 172.210.232.199.in-addr.arpa  | 74 B / 128 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 159.113.53.23.in-addr.arpa    | 72 B / 137 B   | 1 / 1
  8.8.8.8:53           |             | dns      | 41.173.79.40.in-addr.arpa     | 71 B / 145 B   | 1 / 1
MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\Update\WwanSvc.exe

      Filesize

      134KB

      MD5

      2193a335abe96f7afbcea2c6d47f31da

      SHA1

      b944886f095f6c4c1bca8e559221742789321081

      SHA256

      f20c0382d5dc8dcf13a20cc0d28b9e757c59085f401d961bafecd7e2af00dda7

      SHA512

      a65e5a00b033a786915e65903b5587dd0c482e83b1989d3edc7ba6bf73678b37ddf085bbd9fbd2cd57d5bdec81ab1c43c8dc9d7c71594a5a3037e0e62319ddce

    • memory/1996-4-0x0000000000200000-0x0000000000228000-memory.dmp

      Filesize

      160KB

    • memory/1996-7-0x0000000000200000-0x0000000000228000-memory.dmp

      Filesize

      160KB

    • memory/5112-0-0x0000000000200000-0x0000000000228000-memory.dmp

      Filesize

      160KB

    • memory/5112-6-0x0000000000200000-0x0000000000228000-memory.dmp

      Filesize

      160KB
