Analysis

  • max time kernel
    142s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/05/2024, 08:37 UTC

General

  • Target

    b3da759710cc624008762706b148e9dd25c58d4544950d69e4ee421e6eb7b623.exe

  • Size

    266KB

  • MD5

    3cafb0f6b49ae45406bcb94889398692

  • SHA1

    79b7dbf7cb0d99dd4f58cb5223d72544d498545b

  • SHA256

    b3da759710cc624008762706b148e9dd25c58d4544950d69e4ee421e6eb7b623

  • SHA512

    8a0cbed89420a424e9046e7cb8e0f5fc293e066e2b1aceabb692158664f739f696a84a8a2975b917677ad1fdb66141a41381b3ab19aa457a1da607183cc24afa

  • SSDEEP

    3072:1NXEGZJWhfNFC4S60+XoLczrVmXKnywJoxZmHA1FLL5r6jQ6yGl1lb9H01ne4PK:TXzKdNY49u8rV1Jm441Gl501net

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3da759710cc624008762706b148e9dd25c58d4544950d69e4ee421e6eb7b623.exe
    "C:\Users\Admin\AppData\Local\Temp\b3da759710cc624008762706b148e9dd25c58d4544950d69e4ee421e6eb7b623.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
      "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
      2⤵
      • Executes dropped EXE
      PID:2672
    • C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
      "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
      2⤵
      • Executes dropped EXE
      PID:2872
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4864

    Network

    • DNS (US)
      www.programworkshop.com
      b3da759710cc624008762706b148e9dd25c58d4544950d69e4ee421e6eb7b623.exe
      Remote address:
      8.8.8.8:53
      Request
      www.programworkshop.com
      IN A
      Response
      www.programworkshop.com
      IN A
      161.47.163.214
    • GET (US)
      http://www.programworkshop.com/sbrowser/ws/getconfiguration.aspx?agentidentifier=wincsecb&programid=264&environment=production&starturl=ahr0chm6ly9ldgvzdhnvbmxpbmuub3jnl2h0bww1lymvvgvzdexvz2lul0xvz2lulya=&shortcut=0&cmd=download&sc=0cd898db665ede681f83200836a09aa8593fc92a/
      b3da759710cc624008762706b148e9dd25c58d4544950d69e4ee421e6eb7b623.exe
      Remote address:
      161.47.163.214:80
      Request
      GET /sbrowser/ws/getconfiguration.aspx?agentidentifier=wincsecb&programid=264&environment=production&starturl=ahr0chm6ly9ldgvzdhnvbmxpbmuub3jnl2h0bww1lymvvgvzdexvz2lul0xvz2lulya=&shortcut=0&cmd=download&sc=0cd898db665ede681f83200836a09aa8593fc92a/ HTTP/1.1
      User-Agent: /DownloadSecureBrowser
      Host: www.programworkshop.com
      Response
      HTTP/1.1 403 Url not valid
      Cache-Control: private
      Content-Type: text/html
      From: ILP02
      p3p: CP="ALL DSP COR CURa ADMo DEVa TAIa CONi OUR DELa STP BUS PHY ONL UNI PUR COM NAV DEM STA"
      Date: Tue, 21 May 2024 08:38:05 GMT
      Content-Length: 1233
    • DNS (US)
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      147.177.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      147.177.190.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      214.163.47.161.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      214.163.47.161.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN A
      Response
      chromewebstore.googleapis.com
      IN A
      142.250.200.42
    • DNS (US)
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN Unknown
      Response
    • DNS (US)
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN A
      Response
      pki.goog
      IN A
      216.239.32.29
    • DNS (US)
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN Unknown
      Response
    • GET (US)
      http://pki.goog/gsr1/gsr1.crt
      Remote address:
      216.239.32.29:80
      Request
      GET /gsr1/gsr1.crt HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 797
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Tue, 21 May 2024 08:07:28 GMT
      Expires: Tue, 21 May 2024 08:57:28 GMT
      Cache-Control: public, max-age=3000
      Age: 1859
      Last-Modified: Wed, 20 May 2020 16:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • GET (US)
      http://pki.goog/repo/certs/gtsr1.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gtsr1.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1371
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Tue, 21 May 2024 08:02:11 GMT
      Expires: Tue, 21 May 2024 08:52:11 GMT
      Cache-Control: public, max-age=3000
      Age: 2176
      Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • GET (US)
      http://pki.goog/repo/certs/gts1c3.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gts1c3.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1304
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Tue, 21 May 2024 08:14:35 GMT
      Expires: Tue, 21 May 2024 09:04:35 GMT
      Cache-Control: public, max-age=3000
      Age: 1432
      Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • DNS (US)
      29.32.239.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.32.239.216.in-addr.arpa
      IN PTR
      Response
      29.32.239.216.in-addr.arpa
      IN PTR
      any-in-201d.1e100.net
    • DNS (US)
      42.200.250.142.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      42.200.250.142.in-addr.arpa
      IN PTR
      Response
      42.200.250.142.in-addr.arpa
      IN PTR
      lhr48s30-in-f10.1e100.net
    • DNS (US)
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      241.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.143.123.92.in-addr.arpa
      IN PTR
      Response
      241.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-241.deploy.static.akamaitechnologies.com
    • DNS (US)
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      3.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      3.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 161.47.163.214:80
      http://www.programworkshop.com/sbrowser/ws/getconfiguration.aspx?agentidentifier=wincsecb&programid=264&environment=production&starturl=ahr0chm6ly9ldgvzdhnvbmxpbmuub3jnl2h0bww1lymvvgvzdexvz2lul0xvz2lulya=&shortcut=0&cmd=download&sc=0cd898db665ede681f83200836a09aa8593fc92a/
      http
      b3da759710cc624008762706b148e9dd25c58d4544950d69e4ee421e6eb7b623.exe
      701 B
      1.7kB
      8
      5

      HTTP Request

      GET http://www.programworkshop.com/sbrowser/ws/getconfiguration.aspx?agentidentifier=wincsecb&programid=264&environment=production&starturl=ahr0chm6ly9ldgvzdhnvbmxpbmuub3jnl2h0bww1lymvvgvzdexvz2lul0xvz2lulya=&shortcut=0&cmd=download&sc=0cd898db665ede681f83200836a09aa8593fc92a/

      HTTP Response

      403
    • 142.250.200.42:443
      chromewebstore.googleapis.com
      tls
      1.0kB
      5.2kB
      8
      8
    • 216.239.32.29:80
      http://pki.goog/repo/certs/gts1c3.der
      http
      1.3kB
      6.1kB
      10
      10

      HTTP Request

      GET http://pki.goog/gsr1/gsr1.crt

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gtsr1.der

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gts1c3.der

      HTTP Response

      200
    • 8.8.8.8:53
      www.programworkshop.com
      dns
      b3da759710cc624008762706b148e9dd25c58d4544950d69e4ee421e6eb7b623.exe
      69 B
      85 B
      1
      1

      DNS Request

      www.programworkshop.com

      DNS Response

      161.47.163.214

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      147.177.190.20.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      147.177.190.20.in-addr.arpa

    • 8.8.8.8:53
      214.163.47.161.in-addr.arpa
      dns
      73 B
      136 B
      1
      1

      DNS Request

      214.163.47.161.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      299 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

      DNS Response

      142.250.200.42

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      132 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      70 B
      1
      1

      DNS Request

      pki.goog

      DNS Response

      216.239.32.29

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      128 B
      1
      1

      DNS Request

      pki.goog

    • 8.8.8.8:53
      29.32.239.216.in-addr.arpa
      dns
      72 B
      107 B
      1
      1

      DNS Request

      29.32.239.216.in-addr.arpa

    • 8.8.8.8:53
      42.200.250.142.in-addr.arpa
      dns
      73 B
      112 B
      1
      1

      DNS Request

      42.200.250.142.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      241.143.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      241.143.123.92.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      3.173.189.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      3.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe

      Filesize

      87KB

      MD5

      368332fca74f48697d842c5f4698ae1d

      SHA1

      0275153a1e62bd0eca0b02168895517ed66aac56

      SHA256

      3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59

      SHA512

      fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5

    • memory/5064-0-0x00000000002B0000-0x0000000000350000-memory.dmp

      Filesize

      640KB

    • memory/5064-10-0x00000000002B0000-0x0000000000350000-memory.dmp

      Filesize

      640KB

    • memory/5064-11-0x00000000002B0000-0x0000000000350000-memory.dmp

      Filesize

      640KB
