Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19/08/2024, 13:34 UTC

General

  • Target

    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe

  • Size

    6.4MB

  • MD5

    8947f3e99f8e87418cfa12b68df1d517

  • SHA1

    24eb725c90c62edad45439321392aa8a13aef65f

  • SHA256

    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e

  • SHA512

    8c8c907f8444eaaf6aa6242d3228115f8456ff825af84ecb5a215a233f1df2dfab11ce8c879f8e528038a0e317f37783d94dc23db9254015fc829602fddad082

  • SSDEEP

    98304:29TuOQrltBAFyj6z5vlcDJ5oYOkm/SsptqSpzzOKNt:29aTrlTEyOplc9DOtvtX9nNt

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

Processes

  • C:\Users\Admin\AppData\Local\Temp\624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    "C:\Users\Admin\AppData\Local\Temp\624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    PID:1740

Network

  • flag-us
    DNS
    neincl19pn.top
    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    Remote address:
    8.8.8.8:53
    Request
    neincl19pn.top
    IN A
    Response
    neincl19pn.top
    IN A
    172.67.168.197
    neincl19pn.top
    IN A
    104.21.54.175
  • flag-us
    POST
    http://neincl19pn.top/v1/upload.php
    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    Remote address:
    172.67.168.197:80
    Request
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary85523871
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 413
    Host: neincl19pn.top
    Response
    HTTP/1.1 200 OK
    Date: Mon, 19 Aug 2024 13:34:56 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
    ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uR7s6JY9DsE3uqi2ErPV%2B4t7dnmPB0kLHBPVXkzvOyZyMsvxI6RI%2FkrgCfhaQChQv%2F8N72XoHFlxEM%2FdU6XvBGz8LQp51E1jvKsm5j%2F8CCmHXPemOS2SFd6kg1T7YL33vw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b5a861fee06459b-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    POST
    http://neincl19pn.top/v1/upload.php
    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    Remote address:
    172.67.168.197:80
    Request
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary72859479
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 58855
    Host: neincl19pn.top
  • flag-us
    POST
    http://neincl19pn.top/v1/upload.php
    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    Remote address:
    172.67.168.197:80
    Request
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary72859479
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 58855
    Host: neincl19pn.top
    Response
    HTTP/1.1 200 OK
    Date: Mon, 19 Aug 2024 13:35:20 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
    ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UTZjTdNOb%2Fcm5uLB8hp0bXRP5AzHrMrvGxSMr9LbXfIqYHdRIxk0K1XKOlYoaXYHJGl0Opy0NqlyB1hDbaNteb1UXuaa3tF4vqu0LPiQmhCEs7mI7ODnFz8beYhGVeSWYA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b5a86a9b9ac48c4-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    POST
    http://neincl19pn.top/v1/upload.php
    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    Remote address:
    172.67.168.197:80
    Request
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary14160866
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 30517
    Host: neincl19pn.top
    Response
    HTTP/1.1 200 OK
    Date: Mon, 19 Aug 2024 13:35:30 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
    ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G%2FKg70RAcgxDwiSJ7WulCBrVGELWR1uG7tsrGHh9SlAHUnHusn7f6OnUyDLJ3bYewJcQ%2FR3wxz8%2FG%2B4RTJB0rV6tU3hdYBD2SC%2F%2Bp5V4%2F9s6h%2FByPUp7iJjgUk8xYFC56A%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b5a86f4ecce48c4-LHR
    alt-svc: h3=":443"; ma=86400
  • 172.67.168.197:80
    http://neincl19pn.top/v1/upload.php
    http
    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    34.4kB
    1.2kB
    32
    13

    HTTP Request

    POST http://neincl19pn.top/v1/upload.php

    HTTP Response

    200

    HTTP Request

    POST http://neincl19pn.top/v1/upload.php
  • 172.67.168.197:80
    http://neincl19pn.top/v1/upload.php
    http
    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    148.2kB
    5.0kB
    116
    58

    HTTP Request

    POST http://neincl19pn.top/v1/upload.php

    HTTP Response

    200

    HTTP Request

    POST http://neincl19pn.top/v1/upload.php

    HTTP Response

    200
  • 8.8.8.8:53
    neincl19pn.top
    dns
    624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
    60 B
    92 B
    1
    1

    DNS Request

    neincl19pn.top

    DNS Response

    172.67.168.197
    104.21.54.175

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1740-0-0x0000000000400000-0x000000000106B000-memory.dmp

    Filesize

    12.4MB

  • memory/1740-1-0x0000000000400000-0x000000000106B000-memory.dmp

    Filesize

    12.4MB

  • memory/1740-3-0x0000000000400000-0x000000000106B000-memory.dmp

    Filesize

    12.4MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.