Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/07/2024, 20:09 UTC

General

  • Target

    dadeng.org-v0.6/ThinkPHP/Lib/Think/Db/Db.class.ps1

  • Size

    38KB

  • MD5

    a70087b1b7d07b526c7b3e3f7475de5f

  • SHA1

    ad4bb876094da65e2b394cb54941a544f14b12ca

  • SHA256

    eac0235a34bbab771d981d993492a690b87b5d95ebf88bee31759b45b2719445

  • SHA512

    1fc2252a30a6f6fe65e6aa28f9b44ac7431b074b4e2f21f35866f5c8892ca9b1ffc409ea36e1f873ef4f1c61da010f092bd215eea19bf9216e1f0a5026c039f9

  • SSDEEP

    768:uSnz7F1+VzE3Eh8jlDr2oBY/ZUl2CRg8yxGJfYw9:uMzJCeDr2oBUZC2CRfyxGJfd9

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dadeng.org-v0.6\ThinkPHP\Lib\Think\Db\Db.class.ps1
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2844

Network

  • DNS (US)
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS (US)
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • DNS (US)
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=143E6268CDD26C82313E76DFCC326DF9; domain=.bing.com; expires=Sun, 03-Aug-2025 03:20:01 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 24A46F1D1B8B4D5F9B0287AF3F3A9FC9 Ref B: LON04EDGE1120 Ref C: 2024-07-09T03:20:01Z
    date: Tue, 09 Jul 2024 03:20:00 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=143E6268CDD26C82313E76DFCC326DF9
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=LZd7dd68YMaqZr8xCxK4SdpUTCTElGjvMSMPJPituhA; domain=.bing.com; expires=Sun, 03-Aug-2025 03:20:01 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 88C4D7DE83D34B949F7BC8E5B46CE712 Ref B: LON04EDGE1120 Ref C: 2024-07-09T03:20:01Z
    date: Tue, 09 Jul 2024 03:20:00 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=143E6268CDD26C82313E76DFCC326DF9; MSPTC=LZd7dd68YMaqZr8xCxK4SdpUTCTElGjvMSMPJPituhA
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7D32F86612B64664AB63667B68E264DA Ref B: LON04EDGE1120 Ref C: 2024-07-09T03:20:01Z
    date: Tue, 09 Jul 2024 03:20:00 GMT
  • DNS (US)
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    100.58.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.58.20.217.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=25ee56a298eb4d3d9f129e718a2685e9&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    100.58.20.217.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    100.58.20.217.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xpc1ix4i.djk.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2844-0-0x00007FF800373000-0x00007FF800375000-memory.dmp

    Filesize

    8KB

  • memory/2844-2-0x00007FF800370000-0x00007FF800E31000-memory.dmp

    Filesize

    10.8MB

  • memory/2844-7-0x0000026241770000-0x0000026241792000-memory.dmp

    Filesize

    136KB

  • memory/2844-14-0x00007FF800370000-0x00007FF800E31000-memory.dmp

    Filesize

    10.8MB

  • memory/2844-15-0x00007FF800370000-0x00007FF800E31000-memory.dmp

    Filesize

    10.8MB