Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/05/2024, 06:32 UTC

General

  • Target

    5fb6dbac85c623a77961b5f68a7e08ebd8882fe1e005a1aec831ecc126c531e9.exe

  • Size

    77KB

  • MD5

    36166cbc220ff39eef3b119788a3b10e

  • SHA1

    697cfb3994ea7f7b37ffc3c8707ef91c5513c9d9

  • SHA256

    5fb6dbac85c623a77961b5f68a7e08ebd8882fe1e005a1aec831ecc126c531e9

  • SHA512

    bc5684f58212b0389b10c2a4e920eb38435044712ddcea103b5cd4c9691951c3820dd38f8210b995b4dca4e4c3f97a74aca1e8b93a60dd7e750172aec01613c5

  • SSDEEP

    768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWO27:RshfSWHHNvoLqNwDDGw02eQmh0HjWOZ8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fb6dbac85c623a77961b5f68a7e08ebd8882fe1e005a1aec831ecc126c531e9.exe (depth 1, PID 3748)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5fb6dbac85c623a77961b5f68a7e08ebd8882fe1e005a1aec831ecc126c531e9.exe"
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system\rundll32.exe (depth 2, PID 2708)
      Command line: C:\Windows\system\rundll32.exe
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx

Network

  • DNS (rundll32.exe) via 8.8.8.8:53; request: www.zigui.org IN A; response: www.zigui.org IN A 103.251.237.123
  • DNS via 8.8.8.8:53; request: 217.106.137.52.in-addr.arpa IN PTR; response: (empty)
  • DNS via 8.8.8.8:53; request: 240.221.184.93.in-addr.arpa IN PTR; response: (empty)
  • DNS via 8.8.8.8:53; request: 95.221.229.192.in-addr.arpa IN PTR; response: (empty)
  • DNS via 8.8.8.8:53; request: 73.159.190.20.in-addr.arpa IN PTR; response: (empty)
  • DNS via 8.8.8.8:53; request: 104.219.191.52.in-addr.arpa IN PTR; response: (empty)
  • DNS via 8.8.8.8:53; request: 103.169.127.40.in-addr.arpa IN PTR; response: (empty)
  • DNS via 8.8.8.8:53; request: 206.23.85.13.in-addr.arpa IN PTR; response: (empty)
  • DNS via 8.8.8.8:53; request: 31.243.111.52.in-addr.arpa IN PTR; response: (empty)
  • 103.251.237.123:80 | www.zigui.org | rundll32.exe | 260 B | 5
  • 8.8.8.8:53 | www.zigui.org | dns | rundll32.exe | 59 B | 75 B | 1 | 1; DNS request: www.zigui.org; DNS response: 103.251.237.123
  • 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | dns | 73 B | 147 B | 1 | 1; DNS request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | dns | 73 B | 144 B | 1 | 1; DNS request: 240.221.184.93.in-addr.arpa
  • 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns | 73 B | 144 B | 1 | 1; DNS request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1; DNS request: 73.159.190.20.in-addr.arpa
  • 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | dns | 73 B | 147 B | 1 | 1; DNS request: 104.219.191.52.in-addr.arpa
  • 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | dns | 73 B | 147 B | 1 | 1; DNS request: 103.169.127.40.in-addr.arpa
  • 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | dns | 71 B | 145 B | 1 | 1; DNS request: 206.23.85.13.in-addr.arpa
  • 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | dns | 72 B | 158 B | 1 | 1; DNS request: 31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe

    Filesize

    75KB

    MD5

    1c0d6999f75527bc717d8081f5dbf44d

    SHA1

    ee6880aa7d2fa6b96921216ccd12c12bc04a62a0

    SHA256

    eb0126eb91131bad90d11e28ce2bcf5634013ab3950539032a4ac7dcee3f12bc

    SHA512

    0f4935dc1687524ffabb45d5d73f0a0b5a98f126e724e657a752d0c73f8a786fe3011fc60936a86af7812b849973a21dcc687864c57b51ebd1e0ea0b6689bd3a

  • C:\Windows\System\rundll32.exe

    Filesize

    83KB

    MD5

    963f2b06817e1af58f7b1fdbd58c9e75

    SHA1

    8e4f76cea602b376a24792542f6ed2b27f4d9cf8

    SHA256

    40b7099d59cc6a75e3a6417aa376f997d8a477cd44e2cabc58ee7113affda4dc

    SHA512

    309b794cb57fac574815c67c4f81d1dbf7388baeae649643400e522772f3fd349499a13bf0a6036c77e7bf4bf004c6ba50f7dfb6ee47a8421b5fd4d75ea5602a

  • memory/3748-0-0x0000000000400000-0x0000000000415A00-memory.dmp

    Filesize

    86KB

  • memory/3748-13-0x0000000000400000-0x0000000000415A00-memory.dmp

    Filesize

    86KB
