Analysis

  • max time kernel
    128s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/05/2024, 09:42 UTC

General

  • Target

    426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe

  • Size

    652KB

  • MD5

    a8b9734365073ce340b1123741d71abd

  • SHA1

    ba40a124883de4244aa8c1c389e94ddb9fddead6

  • SHA256

    426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18

  • SHA512

    0f34f2c85ea88f4a6b440889df26087036a8802d8ea04ba3a5a1ec3db4745007806778aa24a1b45bb2db1902b841fd35099081b55daa9576d2b79e5636eaa76a

  • SSDEEP

    12288:8Mrcy9031jOhVjzy5AfppTmgmbdSqEfEFoGeKaHsUPkiD:AysWVfySppTmgcjqftrPkiD

Malware Config

Signatures

  • Detect Mystic stealer payload (3 IoCs)
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe
    "C:\Users\Admin\AppData\Local\Temp\426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fo4qa29.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fo4qa29.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HG66Ze2.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HG66Ze2.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qj8314.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qj8314.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:4532
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QC27mb.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QC27mb.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3400
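The Signatures and Processes sections above describe behaviour, not rules. The tree itself tells the story: the IXP000.TMP/IXP001.TMP directories are where IExpress self-extracting packages unpack, so the sample is a nested IExpress wrapper; each inner stage (1HG66Ze2.exe, 2qj8314.exe) starts a bare, argument-less AppLaunch.exe and is flagged for SetThreadContext and WriteProcessMemory, which is the process-hollowing pattern against a signed .NET host; the hollowed AppLaunch.exe (PID 4500) is the process that touches Defender's real-time protection settings, and 3QC27mb.exe performs the SCSI sandbox check. The script below is an added example, not Triage's signature engine: it encodes those behaviours as rules over constructed Sysmon-style events that mirror this report's PIDs and paths. The registry paths (Run key, Windows Defender Real-Time Protection policy, HARDWARE\DEVICEMAP\Scsi) are the well-known locations for each behaviour and are assumed here; the report names the behaviour, not the exact key the sample touched. The names `detect`, `has_argument`, `SAMPLE_EVENTS` and the Run-key value name are this example's own.

```python
"""Behavioural rules for the signatures in this report, applied to
constructed Sysmon-style events that mirror its process tree.
Added example, not Triage's signature engine. Registry paths are the
well-known locations for each behaviour (an assumption; the report names
the behaviour, not the exact key the sample touched)."""
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\", re.I)
SCSI_KEY = re.compile(r"\\HARDWARE\\DEVICEMAP\\Scsi\\", re.I)
# IExpress self-extractors unpack into %TEMP%\IXP000.TMP, IXP001.TMP, ...
IEXPRESS_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)
APPLAUNCH = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\AppLaunch\.exe$", re.I)


def has_argument(cmdline):
    """True when the command line carries anything beyond the (quoted) image path."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return bool(m and m.group(1).strip())


def detect(events):
    """Map each PID to the sorted list of behaviour names it triggers.

    events: ordered list of dicts with a "type" of
      FileCreate    (pid, path)        ProcessCreate (pid, ppid, image, cmdline)
      RegistrySet   (pid, key)         RegistryQuery (pid, key)
    """
    hits = defaultdict(set)
    dropped = set()   # files written by a process already in the tree
    image_of = {}     # pid -> image path, for parent lookups
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "FileCreate":
            dropped.add(ev["path"].lower())
        elif kind == "ProcessCreate":
            image = ev["image"]
            image_of[pid] = image
            if image.lower() in dropped:
                hits[pid].add("Executes dropped EXE")
            parent = image_of.get(ev["ppid"], "")
            # A dropped binary starting AppLaunch.exe with no assembly to run
            # is the shape of hollowing a signed .NET host; the hit goes on
            # the parent, which is the process doing SetThreadContext/WPM.
            if (APPLAUNCH.search(image) and not has_argument(ev["cmdline"])
                    and IEXPRESS_DIR.search(parent)):
                hits[ev["ppid"]].add("Spawns argument-less AppLaunch.exe (hollowing candidate)")
        elif kind == "RegistrySet":
            if RUN_KEY.search(ev["key"]):
                hits[pid].add("Adds Run key to start application")
            if DEFENDER_RTP.search(ev["key"]):
                hits[pid].add("Modifies Windows Defender Real-time Protection settings")
        elif kind == "RegistryQuery" and SCSI_KEY.search(ev["key"]):
            hits[pid].add("Checks SCSI registry key(s)")
    return {pid: sorted(names) for pid, names in hits.items()}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
MAIN = TEMP + r"\426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe"
STAGE1 = TEMP + r"\IXP000.TMP\Fo4qa29.exe"
STAGE2 = TEMP + r"\IXP001.TMP\1HG66Ze2.exe"
SCSI_CHECKER = TEMP + r"\IXP000.TMP\3QC27mb.exe"
APPLAUNCH_EXE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# Constructed events following the PIDs and paths in this report's tree;
# the Run-key value name and the exact registry values are made up.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 112, "ppid": 1, "image": MAIN, "cmdline": '"%s"' % MAIN},
    {"type": "FileCreate", "pid": 112, "path": STAGE1},
    {"type": "FileCreate", "pid": 112, "path": SCSI_CHECKER},
    {"type": "RegistrySet", "pid": 112,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Fo4qa29"},
    {"type": "ProcessCreate", "pid": 348, "ppid": 112, "image": STAGE1, "cmdline": STAGE1},
    {"type": "FileCreate", "pid": 348, "path": STAGE2},
    {"type": "ProcessCreate", "pid": 2072, "ppid": 348, "image": STAGE2, "cmdline": STAGE2},
    {"type": "ProcessCreate", "pid": 4500, "ppid": 2072, "image": APPLAUNCH_EXE,
     "cmdline": '"%s"' % APPLAUNCH_EXE},
    {"type": "RegistrySet", "pid": 4500,
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "ProcessCreate", "pid": 3400, "ppid": 112, "image": SCSI_CHECKER, "cmdline": SCSI_CHECKER},
    {"type": "RegistryQuery", "pid": 3400,
     "key": r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier"},
]

if __name__ == "__main__":
    for pid, names in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
```

The hollowing rule is anchored on the parent rather than on AppLaunch.exe itself because the API-level evidence (SetThreadContext, WriteProcessMemory) is attributed to the parent in the tree above; on a real host, pair it with the Sysmon event 8/10 data the sandbox summarises as those two signatures.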

    Network

    • DNS [US] 104.219.191.52.in-addr.arpa -> 8.8.8.8:53
      Request: 104.219.191.52.in-addr.arpa IN PTR
      Response: no PTR record
    • DNS [US] 144.107.17.2.in-addr.arpa -> 8.8.8.8:53
      Request: 144.107.17.2.in-addr.arpa IN PTR
      Response: 144.107.17.2.in-addr.arpa IN PTR a2-17-107-144.deploy.static.akamaitechnologies.com
    • DNS [US] 14.160.190.20.in-addr.arpa -> 8.8.8.8:53
      Request: 14.160.190.20.in-addr.arpa IN PTR
      Response: no PTR record
    • HTTPS [NL] GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 -> 23.62.61.171:443
      Request
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Thu, 23 May 2024 09:42:47 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.a73d3e17.1716457367.2d61ad87
    • DNS [US] 55.36.223.20.in-addr.arpa -> 8.8.8.8:53
      Request: 55.36.223.20.in-addr.arpa IN PTR
      Response: no PTR record
    • DNS [US] 171.61.62.23.in-addr.arpa -> 8.8.8.8:53
      Request: 171.61.62.23.in-addr.arpa IN PTR
      Response: 171.61.62.23.in-addr.arpa IN PTR a23-62-61-171.deploy.static.akamaitechnologies.com
    • DNS [US] 86.23.85.13.in-addr.arpa -> 8.8.8.8:53
      Request: 86.23.85.13.in-addr.arpa IN PTR
      Response: no PTR record
    • DNS [US] 198.187.3.20.in-addr.arpa -> 8.8.8.8:53
      Request: 198.187.3.20.in-addr.arpa IN PTR
      Response: no PTR record
    • DNS [US] 17.14.97.104.in-addr.arpa -> 8.8.8.8:53
      Request: 17.14.97.104.in-addr.arpa IN PTR
      Response: 17.14.97.104.in-addr.arpa IN PTR a104-97-14-17.deploy.static.akamaitechnologies.com
    • DNS [US] 228.249.119.40.in-addr.arpa -> 8.8.8.8:53
      Request: 228.249.119.40.in-addr.arpa IN PTR
      Response: no PTR record
    • DNS [US] 172.210.232.199.in-addr.arpa -> 8.8.8.8:53
      Request: 172.210.232.199.in-addr.arpa IN PTR
      Response: no PTR record
    • DNS [US] 43.58.199.20.in-addr.arpa -> 8.8.8.8:53
      Request: 43.58.199.20.in-addr.arpa IN PTR
      Response: no PTR record
    • DNS [US] 14.227.111.52.in-addr.arpa -> 8.8.8.8:53
      Request: 14.227.111.52.in-addr.arpa IN PTR
      Response: no PTR record
    Connections (remote address, name, protocol, bytes sent / received, packets sent / received)

    • 23.62.61.171:443  https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90  tls, http2  1.4kB / 6.3kB  16 / 11  (HTTP GET, response 200)
    • 8.8.8.8:53  104.219.191.52.in-addr.arpa  dns  73 B / 147 B  1 / 1
    • 8.8.8.8:53  144.107.17.2.in-addr.arpa  dns  71 B / 135 B  1 / 1
    • 8.8.8.8:53  14.160.190.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
    • 8.8.8.8:53  55.36.223.20.in-addr.arpa  dns  71 B / 157 B  1 / 1
    • 8.8.8.8:53  171.61.62.23.in-addr.arpa  dns  71 B / 135 B  1 / 1
    • 8.8.8.8:53  86.23.85.13.in-addr.arpa  dns  70 B / 144 B  1 / 1
    • 8.8.8.8:53  198.187.3.20.in-addr.arpa  dns  71 B / 157 B  1 / 1
    • 8.8.8.8:53  17.14.97.104.in-addr.arpa  dns  71 B / 135 B  1 / 1
    • 8.8.8.8:53  228.249.119.40.in-addr.arpa  dns  73 B / 159 B  1 / 1
    • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B / 128 B  1 / 1
    • 8.8.8.8:53  43.58.199.20.in-addr.arpa  dns  71 B / 157 B  1 / 1
    • 8.8.8.8:53  14.227.111.52.in-addr.arpa  dns  72 B / 158 B  1 / 1

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QC27mb.exe

      Filesize

      31KB

      MD5

      61b6b786efacea6912a815b7692dac72

      SHA1

      5a864261a958ba9355d0fa20741e149f70a7918d

      SHA256

      99f45274606fe0acdf6c4bddbe53bdb8a3fd4a329bea222426e0a1547a8ff61d

      SHA512

      164e3de7001b6a7c8cfe1694cc7d3fbf43e69a9d6bf31c30b411acf22bfb98e00dd8491eba9a754172069fc2edd0be59ea39ce489ebe6553f11ef07bcb6c5f3e

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fo4qa29.exe

      Filesize

      528KB

      MD5

      f96632ad5ee676201c55b0218382157e

      SHA1

      2f57c77ea32769b52924056899028fbfb5aa4a12

      SHA256

      753e3b49d354b22afb771940598e5a459d157140c496fff1874e978755ff0325

      SHA512

      0dc9730fb1210a5cbfcd435f6a6a50d5920f6d8c9ef128919b5d53192ff5ae86a054c208bb248c2cb72caa64dd5ea853cc7429bf3dbaa06259f97f0699187a11

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HG66Ze2.exe

      Filesize

      869KB

      MD5

      90a7fb448ebb8f342918c8650dd05df5

      SHA1

      d0bcec2d5576a34be3f4c0fd5f0bcdfdb94a29d5

      SHA256

      3701b6e633b701ec911cb1ba0cc786e848a4a35d062355edfa5799a3548ce78d

      SHA512

      c5e7a143fe61af01681a4b1cd5930f72dff03b88727252f655224c07619fc397be57a5662d65a2a4c46f6edd9561e84433823201b7d0478b184b4ccf8ed799c5

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qj8314.exe

      Filesize

      1.0MB

      MD5

      7325f35f9a59903a210a5c41c2c74e67

      SHA1

      25ed8bda08cb3b91633641f6bab9e1e73b3460b9

      SHA256

      98891268879a8e945effc53f4d65e4d9b623d2088b2fc2b34676ebffe039d7bf

      SHA512

      c73dc673eaba673f542689e21b9811c36f13ec84cf7a4690d89b79a6a7102c4e281e6b2b45153f83ae9b23a8b0177d6d0868fc37d21ac14a2402aa3eed29acfb

    • memory/3400-24-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3400-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4500-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/4532-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4532-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4532-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB
