Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

sdsetup.exe

windows7-x64

6

sdsetup.exe

windows10-2004-x64

6

新云软件.url

windows7-x64

1

新云软件.url

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2024, 21:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sdsetup.exe

  • Size

    500KB

  • MD5

    1526581b563522975fdfa678add1b749

  • SHA1

    a8dbdc433279d7ed615e24af364a6e1ce08b3158

  • SHA256

    c46653133e431997f754b585d11d18be73fc0774b877a511ac576c2659742bda

  • SHA512

    2170bf620fc4a3ca206168316b31d2ddeef119eecf5bcdbb027e11ad04d8033e9dbdc9b4a89f575fe7b92ed47b09862bb024748ea41474f22cf930041b447db8

  • SSDEEP

    6144:edsn3VUsa5sSoGBpG8CgSFnQ3Begfftpi4YFhPTZ8DAxkmJIRGowR9:7lUs4no87SF16fKthPTZNxA+9

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sdsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\sdsetup.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2524

Network

  • flag-us
    DNS
    su.pctools.com
    sdsetup.exe
    Remote address:
    8.8.8.8:53
    Request
    su.pctools.com
    IN A
    Response
  • flag-us
    DNS
    download.pctools.com
    sdsetup.exe
    Remote address:
    8.8.8.8:53
    Request
    download.pctools.com
    IN A
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=11B78C5E30316DD216D698E931166C7C; domain=.bing.com; expires=Sun, 03-Aug-2025 21:34:50 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EA524DFDA5744D81866CFF8FFA274914 Ref B: LON04EDGE0710 Ref C: 2024-07-09T21:34:50Z
    date: Tue, 09 Jul 2024 21:34:49 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=11B78C5E30316DD216D698E931166C7C
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=hJ8I-tEWv02oOe0IRu_hqvLRs4okUb8Pn6X_uOEBcto; domain=.bing.com; expires=Sun, 03-Aug-2025 21:34:50 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 22751C06A5C944B5B1E2432F0B9214E8 Ref B: LON04EDGE0710 Ref C: 2024-07-09T21:34:50Z
    date: Tue, 09 Jul 2024 21:34:49 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=11B78C5E30316DD216D698E931166C7C; MSPTC=hJ8I-tEWv02oOe0IRu_hqvLRs4okUb8Pn6X_uOEBcto
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5588E500F5C54AB3A93F53CFBDEFE2D9 Ref B: LON04EDGE0710 Ref C: 2024-07-09T21:34:50Z
    date: Tue, 09 Jul 2024 21:34:49 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    233.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.143.123.92.in-addr.arpa
    IN PTR
    Response
    233.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-233deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    84.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    84.65.42.20.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
    tls, http2
    2.0kB
     9.3kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    su.pctools.com
    dns
    sdsetup.exe
    60 B
     60 B
     1
    1

    DNS Request

    su.pctools.com

  • 8.8.8.8:53
    download.pctools.com
    dns
    sdsetup.exe
    66 B
     66 B
     1
    1

    DNS Request

    download.pctools.com

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
     143 B
     1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    233.143.123.92.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    233.143.123.92.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    84.65.42.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    84.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2524-0-0x0000000000400000-0x0000000000592000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2524-1-0x0000000000810000-0x0000000000813000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2524-3-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-4-0x0000000000400000-0x0000000000592000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2524-6-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.