Analysis
  max time kernel: 106s
  max time network: 114s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05/08/2024, 07:47 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 67d28588acd32fa9cfdc06fbce35b070N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 67d28588acd32fa9cfdc06fbce35b070N.exe
  Resource: win10v2004-20240802-en
General
  Target: 67d28588acd32fa9cfdc06fbce35b070N.exe
  Size: 77KB
  MD5: 67d28588acd32fa9cfdc06fbce35b070
  SHA1: 4f0ffba70a0bd1eda260f7798c864621d8a7f3bf
  SHA256: 632248ef0a282df697529b4e7c05fa40784ee9b26de3ca182e6f193306014256
  SHA512: 6912aadbe01b49b754e88061b9d7fd84426254596d7e58fe09a753723b0068e63fc50096da3dfb5557f2b02f20594adc9225c1f15ccd45e201ad2540435d2954
  SSDEEP: 1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1sin:X6a+SOtEvwDpjBZYvQd29
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation
    Process: 67d28588acd32fa9cfdc06fbce35b070N.exe
- Executes dropped EXE (1 IoC)
    pid: 916
    Process: asih.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 67d28588acd32fa9cfdc06fbce35b070N.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: asih.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid   Process                                 procid_target
    PID 5012 wrote to memory of 916    5012  67d28588acd32fa9cfdc06fbce35b070N.exe   85
    PID 5012 wrote to memory of 916    5012  67d28588acd32fa9cfdc06fbce35b070N.exe   85
    PID 5012 wrote to memory of 916    5012  67d28588acd32fa9cfdc06fbce35b070N.exe   85
Processes
- C:\Users\Admin\AppData\Local\Temp\67d28588acd32fa9cfdc06fbce35b070N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67d28588acd32fa9cfdc06fbce35b070N.exe"
  PID: 5012
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\asih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    PID: 916
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
- DNS, remote address 8.8.8.8:53
  Request: emrlogistics.com IN A
  Response:
    emrlogistics.com IN CNAME traff-1.hugedomains.com
    traff-1.hugedomains.com IN CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com IN A 54.209.32.212
    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com IN A 52.71.57.184
- DNS, remote address 8.8.8.8:53
  Request: g.bing.com IN A
  Response:
    g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net IN A 204.79.197.237
    dual-a-0034.a-msedge.net IN A 13.107.21.237
- DNS, remote address 8.8.8.8:53
  Request: 140.32.126.40.in-addr.arpa IN PTR
  Response: (empty)
- HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
  Remote address: 204.79.197.237:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=28A03E6344776FEF008B2AB145CC6E97; domain=.bing.com; expires=Sat, 30-Aug-2025 07:47:05 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C328A6F572DF4C27ADF743F672682EC1 Ref B: LON04EDGE0913 Ref C: 2024-08-05T07:47:05Z
    date: Mon, 05 Aug 2024 07:47:04 GMT
- HTTP GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
  Remote address: 204.79.197.237:443
  Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=28A03E6344776FEF008B2AB145CC6E97
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=gBZhynLN_u4MvitniDJe1aIPmY0EU6b9vw7vjGdfcI8; domain=.bing.com; expires=Sat, 30-Aug-2025 07:47:05 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: ABF30BC9C98E4D438F380AF42C1DB73E Ref B: LON04EDGE0913 Ref C: 2024-08-05T07:47:05Z
    date: Mon, 05 Aug 2024 07:47:04 GMT
- HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
  Remote address: 204.79.197.237:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=28A03E6344776FEF008B2AB145CC6E97; MSPTC=gBZhynLN_u4MvitniDJe1aIPmY0EU6b9vw7vjGdfcI8
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0B9ED01CCF16439F98A3E91A4644544A Ref B: LON04EDGE0913 Ref C: 2024-08-05T07:47:05Z
    date: Mon, 05 Aug 2024 07:47:04 GMT
- DNS, remote address 8.8.8.8:53
  Request: 138.201.86.20.in-addr.arpa IN PTR
  Response: (empty)
- DNS, remote address 8.8.8.8:53
  Request: 237.197.79.204.in-addr.arpa IN PTR
  Response: (empty)
- DNS, remote address 8.8.8.8:53
  Request: 86.23.85.13.in-addr.arpa IN PTR
  Response: (empty)
- DNS, remote address 8.8.8.8:53
  Request: 198.187.3.20.in-addr.arpa IN PTR
  Response: (empty)
- DNS, remote address 8.8.8.8:53
  Request: 24.140.123.92.in-addr.arpa IN PTR
  Response: 24.140.123.92.in-addr.arpa IN PTR a92-123-140-24.deploy.static.akamaitechnologies.com
- DNS, remote address 8.8.8.8:53
  Request: 81.144.22.2.in-addr.arpa IN PTR
  Response: 81.144.22.2.in-addr.arpa IN PTR a2-22-144-81.deploy.static.akamaitechnologies.com
- DNS, remote address 8.8.8.8:53
  Request: 11.227.111.52.in-addr.arpa IN PTR
  Response: (empty)
-
Traffic summary (bytes sent / received, packets sent / received)
- (no endpoint shown)  260 B / -  5 / -
- 204.79.197.237:443  https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=  tls, http2  2.0kB / 9.3kB  22 / 19
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
  HTTP Response: 204
- (no endpoint shown)  260 B / -  5 / -
- (no endpoint shown)  260 B / -  5 / -
- (no endpoint shown)  260 B / -  5 / -
- (no endpoint shown)  260 B / -  5 / -
- (no endpoint shown)  208 B / -  4 / -
- 62 B / 192 B  1 / 1
  DNS Request: emrlogistics.com
  DNS Response: 54.209.32.212, 52.71.57.184
- 56 B / 151 B  1 / 1
  DNS Request: g.bing.com
  DNS Response: 204.79.197.237, 13.107.21.237
- 72 B / 158 B  1 / 1
  DNS Request: 140.32.126.40.in-addr.arpa
- 72 B / 158 B  1 / 1
  DNS Request: 138.201.86.20.in-addr.arpa
- 73 B / 143 B  1 / 1
  DNS Request: 237.197.79.204.in-addr.arpa
- 70 B / 144 B  1 / 1
  DNS Request: 86.23.85.13.in-addr.arpa
- 71 B / 157 B  1 / 1
  DNS Request: 198.187.3.20.in-addr.arpa
- 72 B / 137 B  1 / 1
  DNS Request: 24.140.123.92.in-addr.arpa
- 70 B / 133 B  1 / 1
  DNS Request: 81.144.22.2.in-addr.arpa
- 72 B / 158 B  1 / 1
  DNS Request: 11.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: e8f7327eb27a6e73a577f1253ff56198
  SHA1: fc8df9a227c230cebdcdb54a5d2e69a7d90e74bb
  SHA256: 37a3f99d0f8d1808f84daa4dc79a69490feb3906eb3398cf62aa326257923abf
  SHA512: f522731d33a7b048cd17f8d4bc650b981d26fb58559747eb814e33d9f447c07e22b87e9a70fc92b2ccd9245c93b97254c3cebf95daa0369041290b38fd25b0e8