Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    106s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/08/2024, 07:47 UTC

General

  • Target

    67d28588acd32fa9cfdc06fbce35b070N.exe

  • Size

    77KB

  • MD5

    67d28588acd32fa9cfdc06fbce35b070

  • SHA1

    4f0ffba70a0bd1eda260f7798c864621d8a7f3bf

  • SHA256

    632248ef0a282df697529b4e7c05fa40784ee9b26de3ca182e6f193306014256

  • SHA512

    6912aadbe01b49b754e88061b9d7fd84426254596d7e58fe09a753723b0068e63fc50096da3dfb5557f2b02f20594adc9225c1f15ccd45e201ad2540435d2954

  • SSDEEP

    1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1sin:X6a+SOtEvwDpjBZYvQd29

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67d28588acd32fa9cfdc06fbce35b070N.exe
    "C:\Users\Admin\AppData\Local\Temp\67d28588acd32fa9cfdc06fbce35b070N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:916

Network

  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-1.hugedomains.com
    traff-1.hugedomains.com
    IN CNAME
    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
    IN A
    54.209.32.212
    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
    IN A
    52.71.57.184
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=28A03E6344776FEF008B2AB145CC6E97; domain=.bing.com; expires=Sat, 30-Aug-2025 07:47:05 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C328A6F572DF4C27ADF743F672682EC1 Ref B: LON04EDGE0913 Ref C: 2024-08-05T07:47:05Z
    date: Mon, 05 Aug 2024 07:47:04 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=28A03E6344776FEF008B2AB145CC6E97
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=gBZhynLN_u4MvitniDJe1aIPmY0EU6b9vw7vjGdfcI8; domain=.bing.com; expires=Sat, 30-Aug-2025 07:47:05 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: ABF30BC9C98E4D438F380AF42C1DB73E Ref B: LON04EDGE0913 Ref C: 2024-08-05T07:47:05Z
    date: Mon, 05 Aug 2024 07:47:04 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=28A03E6344776FEF008B2AB145CC6E97; MSPTC=gBZhynLN_u4MvitniDJe1aIPmY0EU6b9vw7vjGdfcI8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0B9ED01CCF16439F98A3E91A4644544A Ref B: LON04EDGE0913 Ref C: 2024-08-05T07:47:05Z
    date: Mon, 05 Aug 2024 07:47:04 GMT
  • flag-us
    DNS
    138.201.86.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.201.86.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    24.140.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.140.123.92.in-addr.arpa
    IN PTR
    Response
    24.140.123.92.in-addr.arpa
    IN PTR
    a92-123-140-24deploystaticakamaitechnologiescom
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    260 B
    5
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=453696b8860e46f490d13e347ab5120b&localId=w:7D3940AF-3C75-1CBE-D2B7-F59822175060&deviceId=6966569430314798&anid=

    HTTP Response

    204
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    260 B
    5
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    260 B
    5
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    260 B
    5
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    260 B
    5
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    208 B
    4
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
    192 B
    1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    54.209.32.212
    52.71.57.184

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    138.201.86.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.201.86.20.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    24.140.123.92.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    24.140.123.92.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    78KB

    MD5

    e8f7327eb27a6e73a577f1253ff56198

    SHA1

    fc8df9a227c230cebdcdb54a5d2e69a7d90e74bb

    SHA256

    37a3f99d0f8d1808f84daa4dc79a69490feb3906eb3398cf62aa326257923abf

    SHA512

    f522731d33a7b048cd17f8d4bc650b981d26fb58559747eb814e33d9f447c07e22b87e9a70fc92b2ccd9245c93b97254c3cebf95daa0369041290b38fd25b0e8

  • memory/916-17-0x0000000002110000-0x0000000002116000-memory.dmp

    Filesize

    24KB

  • memory/916-23-0x00000000020E0000-0x00000000020E6000-memory.dmp

    Filesize

    24KB

  • memory/5012-0-0x0000000000670000-0x0000000000676000-memory.dmp

    Filesize

    24KB

  • memory/5012-1-0x0000000000670000-0x0000000000676000-memory.dmp

    Filesize

    24KB

  • memory/5012-2-0x0000000000690000-0x0000000000696000-memory.dmp

    Filesize

    24KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.