Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

22/08/2024, 22:17 UTC

240822-17cpsashrq 3

22/08/2024, 22:14 UTC

240822-15pxbs1alf 3

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/08/2024, 22:17 UTC

General

  • Target

    porn.exe

  • Size

    1.4MB

  • MD5

    23ae8a019fcc2c7121039a875337ec12

  • SHA1

    5e7931ab65d93e51bd456f1af40e4565f6d9ef8d

  • SHA256

    0347cebe09dcadf49e0472633e9be579f0e1fbbb995bb8ecb226588bff3e1d2c

  • SHA512

    5d6f96d98e47fc37e0cacab29770b9b11c3495d9d95072c042c52abaafe6fe5defbacb8e419af9d39fd758fa3e12c852f88e20484a88fe7d47cc889d26454699

  • SSDEEP

    24576:E6qsgabtl9T8Nx6AQ8DSoRPm/Rwn4o60OegX7Aozptl72NkoV:is9bnuNzv+DenO0Ervzd2Nkw

Score
1/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\porn.exe
    "C:\Users\Admin\AppData\Local\Temp\porn.exe"
    PID:2628
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\porn.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      PID:2400
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\porn.exe" MD5
        PID:2460
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        PID:2296
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        PID:2484

Network

  • DNS (US) keyauth.win, from porn.exe
    Remote address: 8.8.8.8:53
    Request:
      keyauth.win IN A
    Response:
      keyauth.win IN A 104.26.0.5
      keyauth.win IN A 172.67.72.57
      keyauth.win IN A 104.26.1.5
  • POST (US) https://keyauth.win/api/1.2/, from porn.exe
    Remote address: 104.26.0.5:443
    Request:
      POST /api/1.2/ HTTP/1.1
      Host: keyauth.win
      Accept: */*
      Content-Length: 132
      Content-Type: application/x-www-form-urlencoded
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 22 Aug 2024 22:17:17 GMT
      Content-Type: application/json; charset=UTF-8
      Content-Length: 426
      Connection: keep-alive
      signature: 9502b8b4bd83c7896b23abe713d4e934701e87b3a0ff052d3e65d2ce21df0118
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JvqHfIeXIcPT5jFwmlRBQwpjhCeTPLCXh8loiycsEUiptsO19%2FQ8Q%2BYnSFnBivZKT6KNbFWmORrjKHBqPB59RaLSMCt8WevIp4JGma%2BY1A1%2BIS9DglT17Q2l%2BNSh"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Acknowledge: Credit to VaultCord.com
      X-Powered-By: VaultCord.com
      content-security-policy: upgrade-insecure-requests
      permissions-policy: accelerometer=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
      referrer-policy: strict-origin-when-cross-origin
      strict-transport-security: max-age=31536000; includeSubDomains
      x-content-security-policy: img-src *; media-src * data:;
      x-content-type-options: nosniff
      x-frame-options: DENY
      x-xss-protection: 1; mode=block
      Access-Control-Allow-Headers: *
      Access-Control-Allow-Methods: *
      Access-Control-Allow-Origin: *
      Server: cloudflare
      CF-RAY: 8b763b6ccea463f4-LHR
  • DNS (US) apps.identrust.com
    Remote address: 8.8.8.8:53
    Request:
      apps.identrust.com IN A
    Response:
      apps.identrust.com IN CNAME identrust.edgesuite.net
      identrust.edgesuite.net IN CNAME a1952.dscq.akamai.net
      a1952.dscq.akamai.net IN A 2.18.190.72
      a1952.dscq.akamai.net IN A 2.18.190.80
  • GET (GB) http://apps.identrust.com/roots/dstrootcax3.p7c
    Remote address: 2.18.190.72:80
    Request:
      GET /roots/dstrootcax3.p7c HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: apps.identrust.com
    Response:
      HTTP/1.1 200 OK
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      X-Robots-Tag: noindex
      Referrer-Policy: same-origin
      Last-Modified: Wed, 08 Feb 2023 16:52:56 GMT
      ETag: "37d-5f433188daa00"
      Accept-Ranges: bytes
      Content-Length: 893
      X-Content-Type-Options: nosniff
      X-Frame-Options: sameorigin
      Content-Type: application/pkcs7-mime
      Cache-Control: max-age=3600
      Expires: Thu, 22 Aug 2024 23:17:11 GMT
      Date: Thu, 22 Aug 2024 22:17:11 GMT
      Connection: keep-alive
  • POST (US) https://keyauth.win/api/1.2/, from porn.exe
    Remote address: 104.26.0.5:443
    Request:
      POST /api/1.2/ HTTP/1.1
      Host: keyauth.win
      Accept: */*
      Content-Length: 66
      Content-Type: application/x-www-form-urlencoded
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 22 Aug 2024 22:17:18 GMT
      Content-Type: application/json; charset=UTF-8
      Content-Length: 101
      Connection: keep-alive
      signature: 59e11597524048a699505fcd76e78aa8f24750153b6c894ce6d85c3341e56604
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=loHLIUmB5KWZ%2FKLEHA4GtqoCDHy2OmAAvRt8vTWS4LzY%2B4Dq0vME3QeVWn8eHKOsLHGwGeAoJS78%2BHh%2B5Rv41I0iGAhuRBvW5P5EVaZwS8qOeRFZ3s08bc1XICqy"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Acknowledge: Credit to VaultCord.com
      X-Powered-By: VaultCord.com
      content-security-policy: upgrade-insecure-requests
      permissions-policy: accelerometer=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
      referrer-policy: strict-origin-when-cross-origin
      strict-transport-security: max-age=31536000; includeSubDomains
      x-content-security-policy: img-src *; media-src * data:;
      x-content-type-options: nosniff
      x-frame-options: DENY
      x-xss-protection: 1; mode=block
      Access-Control-Allow-Headers: *
      Access-Control-Allow-Methods: *
      Access-Control-Allow-Origin: *
      Server: cloudflare
      CF-RAY: 8b763b6ee84c63b4-LHR
  • DNS (US) crl.microsoft.com
    Remote address: 8.8.8.8:53
    Request:
      crl.microsoft.com IN A
    Response:
      crl.microsoft.com IN CNAME crl.www.ms.akadns.net
      crl.www.ms.akadns.net IN CNAME a1363.dscg.akamai.net
      a1363.dscg.akamai.net IN A 2.18.190.71
      a1363.dscg.akamai.net IN A 2.18.190.80
  • GET (GB) http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address: 2.18.190.71:80
    Request:
      GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.microsoft.com
    Response:
      HTTP/1.1 200 OK
      Content-Length: 1036
      Content-Type: application/octet-stream
      Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
      Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
      ETag: 0x8DCA14B323B2CC0
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: a4477661-c01e-0047-59b2-e33cb1000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Thu, 22 Aug 2024 22:17:46 GMT
      Connection: keep-alive
  • 104.26.0.5:443
    https://keyauth.win/api/1.2/
    tls, http
    porn.exe
    1.7kB / 6.3kB / 13 / 11
    HTTP Request: POST https://keyauth.win/api/1.2/
    HTTP Response: 200
  • 2.18.190.72:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    369 B / 1.6kB / 5 / 4
    HTTP Request: GET http://apps.identrust.com/roots/dstrootcax3.p7c
    HTTP Response: 200
  • 127.0.0.1:49187
    porn.exe
  • 127.0.0.1:49189
    porn.exe
  • 104.26.0.5:443
    https://keyauth.win/api/1.2/
    tls, http
    porn.exe
    821 B / 5.8kB / 7 / 8
    HTTP Request: POST https://keyauth.win/api/1.2/
    HTTP Response: 200
  • 127.0.0.1:49195
    porn.exe
  • 127.0.0.1:49197
    porn.exe
  • 2.18.190.71:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B / 1.7kB / 4 / 4
    HTTP Request: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    HTTP Response: 200
  • 8.8.8.8:53
    keyauth.win
    dns
    porn.exe
    57 B / 105 B / 1 / 1
    DNS Request: keyauth.win
    DNS Response: 104.26.0.5, 172.67.72.57, 104.26.1.5
  • 8.8.8.8:53
    apps.identrust.com
    dns
    64 B / 165 B / 1 / 1
    DNS Request: apps.identrust.com
    DNS Response: 2.18.190.72, 2.18.190.80
  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B / 162 B / 1 / 1
    DNS Request: crl.microsoft.com
    DNS Response: 2.18.190.71, 2.18.190.80

MITRE ATT&CK Matrix
