Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    291s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30/05/2024, 23:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe

  • Size

    4.5MB

  • MD5

    3f4ac40876eb79c202b6f2c0e74ceab2

  • SHA1

    8a9b592e912523eb1706e834a184a4c05b66aebf

  • SHA256

    87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a

  • SHA512

    ad306778d9e0200e56ea8078073f6ea0dfe2ade9893e753f8d95d96d22473bb74430debc2707b919df6c4280863ec2d332a2e453d94300d852f9b79f77a565e7

  • SSDEEP

    98304:m2lMhJhWnooZDUpYUSDig+2wsH8jrerMcmTFf4:/y7JoZDCYUSWO8jfcKf4

Score
10/10
socks5systemzbotnetdiscovery

Malware Config

Signatures

  • Detect Socks5Systemz Payload 1 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

    botnetsocks5systemz
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe
    "C:\Users\Admin\AppData\Local\Temp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\is-INPG5.tmp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-INPG5.tmp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp" /SL5="$502FE,4458431,54272,C:\Users\Admin\AppData\Local\Temp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe
        "C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe" -i
        3⤵
        • Executes dropped EXE
        PID:3292
      • C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe
        "C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe" -s
        3⤵
        • Executes dropped EXE
        PID:924

Network

  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-hk
    DNS
    aanwnev.ru
    vaervideorecorder.exe
    Remote address:
    141.98.234.31:53
    Request
    aanwnev.ru
    IN A
    Response
    aanwnev.ru
    IN A
    79.110.49.184
  • flag-us
    DNS
    0.0.7.0.0.0.0.0.0.0.1.0.b.a.8.b.0.0.0.0.0.0.0.0.f.1.a.e.2.6.d.8.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.0.7.0.0.0.0.0.0.0.1.0.b.a.8.b.0.0.0.0.0.0.0.0.f.1.a.e.2.6.d.8.ip6.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.0.7.0.0.0.0.0.0.0.1.0.b.a.8.b.0.0.0.0.0.0.0.0.f.1.a.e.2.6.d.8.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.0.7.0.0.0.0.0.0.0.1.0.b.a.8.b.0.0.0.0.0.0.0.0.f.1.a.e.2.6.d.8.ip6.arpa
    IN PTR
  • flag-us
    DNS
    31.234.98.141.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.234.98.141.in-addr.arpa
    IN PTR
    Response
    31.234.98.141.in-addr.arpa
    IN PTR
    cx21ip-ptrtech
  • flag-us
    DNS
    10.179.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.179.89.13.in-addr.arpa
    IN PTR
    Response
  • flag-hk
    DNS
    fifngrb.ru
    vaervideorecorder.exe
    Remote address:
    141.98.234.31:53
    Request
    fifngrb.ru
    IN A
    Response
    fifngrb.ru
    IN A
    45.155.250.229
  • flag-se
    GET
    http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33
    vaervideorecorder.exe
    Remote address:
    45.155.250.229:80
    Request
    GET /search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33 HTTP/1.1
    Host: fifngrb.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 30 May 2024 23:15:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
  • flag-us
    DNS
    229.250.155.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.250.155.45.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    145.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.83.221.88.in-addr.arpa
    IN PTR
    Response
    145.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-145deploystaticakamaitechnologiescom
  • flag-se
    GET
    http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33
    vaervideorecorder.exe
    Remote address:
    45.155.250.229:80
    Request
    GET /search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33 HTTP/1.1
    Host: fifngrb.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 30 May 2024 23:16:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
  • flag-se
    GET
    http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33
    vaervideorecorder.exe
    Remote address:
    45.155.250.229:80
    Request
    GET /search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33 HTTP/1.1
    Host: fifngrb.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 30 May 2024 23:17:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
  • 79.110.49.184:80
    aanwnev.ru
    vaervideorecorder.exe
    104 B
     2
  • 79.110.49.184:80
    aanwnev.ru
    vaervideorecorder.exe
    104 B
     2
  • 79.110.49.184:80
    aanwnev.ru
    vaervideorecorder.exe
    104 B
     2
  • 45.155.250.229:80
    http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33
    http
    vaervideorecorder.exe
    593 B
     392 B
     6
    4

    HTTP Request

    GET http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33

    HTTP Response

    200
  • 45.155.250.229:80
    http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33
    http
    vaervideorecorder.exe
    593 B
     392 B
     6
    4

    HTTP Request

    GET http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33

    HTTP Response

    200
  • 45.155.250.229:80
    http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33
    http
    vaervideorecorder.exe
    501 B
     352 B
     4
    3

    HTTP Request

    GET http://fifngrb.ru/search/?q=67e28dd8645fa72f495daa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff810c1ef9d9b33

    HTTP Response

    200
  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 141.98.234.31:53
    aanwnev.ru
    dns
    vaervideorecorder.exe
    56 B
     82 B
     1
    1

    DNS Request

    aanwnev.ru

    DNS Response

    79.110.49.184

  • 8.8.8.8:53
    0.0.7.0.0.0.0.0.0.0.1.0.b.a.8.b.0.0.0.0.0.0.0.0.f.1.a.e.2.6.d.8.ip6.arpa
    dns
    236 B
     182 B
     2
    1

    DNS Request

    0.0.7.0.0.0.0.0.0.0.1.0.b.a.8.b.0.0.0.0.0.0.0.0.f.1.a.e.2.6.d.8.ip6.arpa

    DNS Request

    0.0.7.0.0.0.0.0.0.0.1.0.b.a.8.b.0.0.0.0.0.0.0.0.f.1.a.e.2.6.d.8.ip6.arpa

  • 8.8.8.8:53
    31.234.98.141.in-addr.arpa
    dns
    72 B
     102 B
     1
    1

    DNS Request

    31.234.98.141.in-addr.arpa

  • 8.8.8.8:53
    10.179.89.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    10.179.89.13.in-addr.arpa

  • 141.98.234.31:53
    fifngrb.ru
    dns
    vaervideorecorder.exe
    56 B
     82 B
     1
    1

    DNS Request

    fifngrb.ru

    DNS Response

    45.155.250.229

  • 8.8.8.8:53
    229.250.155.45.in-addr.arpa
    dns
    73 B
     136 B
     1
    1

    DNS Request

    229.250.155.45.in-addr.arpa

  • 8.8.8.8:53
    145.83.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    145.83.221.88.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-INPG5.tmp\87a2b6d8e9f3e20bc5a2fd66e551a7add5604ebe69fe7e9d354901c4d82b311a.tmp
    Filesize

    680KB

    MD5

    47d9bbe70b5142eecee1594b8283ebd6

    SHA1

    a23ad785865f2f40d20ff7ccd317e46f7325a104

    SHA256

    bbfcaecc64b36dcb118ba9136246dfd943f3b70812c6a949f9b507a46282dbc3

    SHA512

    b38d94d48eb44beb404d9a7577a37968bcd181c2855f88e9909d12bdc9891a18f7a6229c588ec508e36ee46b62ebe255f00ba8b8368569acebee29b48ecfc8d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Vaer Video Recorder\vaervideorecorder.exe
    Filesize

    2.6MB

    MD5

    61fba91a41d52c314f742ea51162afef

    SHA1

    ae6c3086f5e6a142e8cd8db1b2a3ce159099d872

    SHA256

    be28a09fc83afbe7da0b7af8910e76ff09b6e570a71a65b05e31ede2b2da860f

    SHA512

    2e31392a2249fbad79be1cac235af329f4869acc02209befe93f7d5037ee7655ca33fc26439f30700ed48c2ccdb0b9187d54f8f796f123075aaec3eba000199f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-SR1QO.tmp\_isetup\_iscrypt.dll
    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

    Download Submit

  • memory/924-107-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-110-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-129-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-126-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-123-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-119-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-66-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-116-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-113-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-70-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-73-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-76-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-79-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-82-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-92-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-101-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-85-0x0000000000910000-0x00000000009B2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/924-95-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-98-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-87-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/924-104-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1268-1-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1268-68-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1268-2-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3292-64-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/3292-60-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/3292-59-0x0000000000400000-0x00000000006A8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4596-13-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/4596-69-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.