Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    2024-09-04 00:38 UTC

General

  • Target

    2c4180a225d071508ac5656717a9cb30N.exe

  • Size

    4.1MB

  • MD5

    2c4180a225d071508ac5656717a9cb30

  • SHA1

    d194c4ccbdaee11c4bae4f23b6214a9fe0b40815

  • SHA256

    2bc671285340102bb3c1b4d1249786a651ee5ca7a13ee9f6b62daf7e7bea7f3d

  • SHA512

    cbda49d38c9daa0f0a74e7ff60cb14de346d8b428ab6ce432011f957a9c4d913c6b2610b9a7e38ac7dbfe6e098b3c760fee1cb928c9d5d68e6811c1338e0b24a

  • SSDEEP

    98304:0w2CYJJBGb5A9dGpQkiSNEVA0qss9du/akQrBB:fw0ASCcIm9du/MrB

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 11 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
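
The first signature above is the one worth verifying by hand: a sample that writes to the Master Boot Record is trying to run before the operating system does, and the only reliable way to confirm or rule that out is to read sector 0 of the disk and compare its bootstrap code with a known-good copy. The following Python is an added example written for this page, not code from tria.ge or from the sample; the MBR bytes it uses are constructed inline (the partition table, disk signature and boot code are illustrative values, not taken from this report). It parses the standard 512-byte MBR layout (440 bytes of bootstrap code, a 4-byte disk signature, four 16-byte partition entries, and the 0x55AA boot signature) and flags a sector whose bootstrap code no longer matches the baseline hash.

```python
"""Parse a 512-byte MBR and check it against a known-good baseline.

Added example for this report; the sample MBRs below are constructed.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440          # bootstrap code; the 4-byte disk signature follows at 440
PART_TABLE_OFF = 446         # four 16-byte partition entries
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw first sector into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> List[str]:
    """Return findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one active NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"          # illustrative signature + reserved
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)   # active, type 0x07, LBA 2048
    table = part0 + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + MBR_SIGNATURE


# Baseline: a clean sector whose boot code opens with the usual cli / xor ax,ax /
# mov ss,ax / mov sp,0x7c00 sequence (constructed, not dumped from this sample).
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "tampered" copy: the first instruction is replaced by a short jump,
# which is what a bootkit does to divert control into its own code.
INFECTED_MBR = b"\xeb\x3c\x90" + CLEAN_MBR[3:]

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))
    print(check_mbr(INFECTED_MBR, BASELINE))
```

On a live Windows host the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as administrator; on a sandbox you would read the first 512 bytes of the VM disk image instead. Prefer the latter when a bootkit is suspected: code that has already hooked the disk read path inside the guest can return the original sector to an in-guest reader, so the only trustworthy comparison is one made from outside the infected system.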

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c4180a225d071508ac5656717a9cb30N.exe
    "C:\Users\Admin\AppData\Local\Temp\2c4180a225d071508ac5656717a9cb30N.exe"
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2116

Network

    DNS
    2398.35go.net
    2c4180a225d071508ac5656717a9cb30N.exe
    Remote address:
    8.8.8.8:53
    Request
    2398.35go.net
    IN A
    Response
    2398.35go.net
    IN CNAME
    2398.35go.net.c.cdnhwc1.com
    2398.35go.net.c.cdnhwc1.com
    IN CNAME
    hcdnd101.gslb.c.cdnhwc2.com
    hcdnd101.gslb.c.cdnhwc2.com
    IN A
    221.194.141.155
    hcdnd101.gslb.c.cdnhwc2.com
    IN A
    218.12.76.154
    hcdnd101.gslb.c.cdnhwc2.com
    IN A
    221.194.141.158
    hcdnd101.gslb.c.cdnhwc2.com
    IN A
    218.12.76.157
    DNS
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    Remote address:
    8.8.8.8:53
    Request
    infoc0.duba.net
    IN A
    Response
    infoc0.duba.net
    IN CNAME
    infoc2.ksmobile.com
    infoc2.ksmobile.com
    IN A
    139.9.37.26
    infoc2.ksmobile.com
    IN A
    139.9.45.227
    infoc2.ksmobile.com
    IN A
    139.9.36.178
    infoc2.ksmobile.com
    IN A
    139.9.35.91
    infoc2.ksmobile.com
    IN A
    139.9.44.129
    infoc2.ksmobile.com
    IN A
    139.9.43.12
    infoc2.ksmobile.com
    IN A
    139.9.36.107
    infoc2.ksmobile.com
    IN A
    139.9.43.42
    infoc2.ksmobile.com
    IN A
    121.37.247.153
    DNS
    dubacdn.cmcmcdn.com
    2c4180a225d071508ac5656717a9cb30N.exe
    Remote address:
    8.8.8.8:53
    Request
    dubacdn.cmcmcdn.com
    IN A
    Response
    dubacdn.cmcmcdn.com
    IN CNAME
    dubacdn.cmcmcdn.com.943e270b.cdnhwchcg02.com
    dubacdn.cmcmcdn.com.943e270b.cdnhwchcg02.com
    IN CNAME
    hcdnw101.vip.cdnhwcbzj102.com
    hcdnw101.vip.cdnhwcbzj102.com
    IN A
    221.194.141.165
    hcdnw101.vip.cdnhwcbzj102.com
    IN A
    36.42.77.166
    hcdnw101.vip.cdnhwcbzj102.com
    IN A
    120.233.178.91
    hcdnw101.vip.cdnhwcbzj102.com
    IN A
    120.233.178.92
    hcdnw101.vip.cdnhwcbzj102.com
    IN A
    221.194.141.171
    hcdnw101.vip.cdnhwcbzj102.com
    IN A
    36.42.77.170
    hcdnw101.vip.cdnhwcbzj102.com
    IN A
    218.12.76.169
    DNS
    config.i.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    Remote address:
    8.8.8.8:53
    Request
    config.i.duba.net
    IN A
    Response
    config.i.duba.net
    IN CNAME
    config.i.duba.net.0ba44e8c.c.cdnhwc1.com
    config.i.duba.net.0ba44e8c.c.cdnhwc1.com
    IN CNAME
    hcdnd101.gslb.c.cdnhwc2.com
    hcdnd101.gslb.c.cdnhwc2.com
    IN A
    221.194.141.158
    hcdnd101.gslb.c.cdnhwc2.com
    IN A
    221.194.141.155
    hcdnd101.gslb.c.cdnhwc2.com
    IN A
    218.12.76.154
    hcdnd101.gslb.c.cdnhwc2.com
    IN A
    218.12.76.157
  • 221.194.141.155:80
    2398.35go.net
    2c4180a225d071508ac5656717a9cb30N.exe
    104 B
    2
  • 127.0.0.1:49187
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49189
    2c4180a225d071508ac5656717a9cb30N.exe
  • 218.12.76.154:80
    2398.35go.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 221.194.141.158:80
    2398.35go.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 218.12.76.157:80
    2398.35go.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.37.26:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    104 B
    2
  • 127.0.0.1:49195
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49197
    2c4180a225d071508ac5656717a9cb30N.exe
  • 139.9.45.227:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.178:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.35.91:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.44.129:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.12:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.107:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.42:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 121.37.247.153:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.37.26:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    96 B
    2
  • 127.0.0.1:49208
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49210
    2c4180a225d071508ac5656717a9cb30N.exe
  • 139.9.45.227:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    48 B
    1
  • 139.9.36.178:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.35.91:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.44.129:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.12:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.107:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.42:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 121.37.247.153:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.37.26:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    104 B
    2
  • 127.0.0.1:49221
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49223
    2c4180a225d071508ac5656717a9cb30N.exe
  • 139.9.45.227:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.178:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.35.91:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.44.129:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.12:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.107:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.42:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 121.37.247.153:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.37.26:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    96 B
    2
  • 127.0.0.1:49234
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49236
    2c4180a225d071508ac5656717a9cb30N.exe
  • 139.9.45.227:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    48 B
    1
  • 139.9.36.178:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.35.91:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.44.129:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.12:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.107:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.42:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 121.37.247.153:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 221.194.141.165:80
    dubacdn.cmcmcdn.com
    2c4180a225d071508ac5656717a9cb30N.exe
    104 B
    2
  • 127.0.0.1:49274
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49276
    2c4180a225d071508ac5656717a9cb30N.exe
  • 36.42.77.166:80
    dubacdn.cmcmcdn.com
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 120.233.178.91:80
    dubacdn.cmcmcdn.com
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 120.233.178.92:80
    dubacdn.cmcmcdn.com
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 221.194.141.171:80
    dubacdn.cmcmcdn.com
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 36.42.77.170:80
    dubacdn.cmcmcdn.com
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 218.12.76.169:80
    dubacdn.cmcmcdn.com
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 127.0.0.1:49286
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49288
    2c4180a225d071508ac5656717a9cb30N.exe
  • 139.9.37.26:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    104 B
    2
  • 139.9.45.227:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.178:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.35.91:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.44.129:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.12:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.107:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.42:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 121.37.247.153:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.37.26:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    96 B
    2
  • 127.0.0.1:49301
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49303
    2c4180a225d071508ac5656717a9cb30N.exe
  • 139.9.45.227:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    48 B
    1
  • 139.9.36.178:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.35.91:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.44.129:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.12:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.107:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.42:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 121.37.247.153:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 221.194.141.158:80
    config.i.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    104 B
    2
  • 127.0.0.1:49315
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49318
    2c4180a225d071508ac5656717a9cb30N.exe
  • 221.194.141.155:80
    config.i.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    48 B
    1
  • 218.12.76.154:80
    config.i.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    48 B
    1
  • 218.12.76.157:80
    config.i.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 127.0.0.1:49324
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49327
    2c4180a225d071508ac5656717a9cb30N.exe
  • 139.9.37.26:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    104 B
    2
  • 139.9.45.227:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.178:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.35.91:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.44.129:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.12:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.107:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.42:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 121.37.247.153:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.37.26:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    96 B
    2
  • 127.0.0.1:49338
    2c4180a225d071508ac5656717a9cb30N.exe
  • 127.0.0.1:49341
    2c4180a225d071508ac5656717a9cb30N.exe
  • 139.9.45.227:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    48 B
    1
  • 139.9.36.178:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.35.91:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.44.129:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.12:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.36.107:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 139.9.43.42:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 121.37.247.153:80
    infoc0.duba.net
    2c4180a225d071508ac5656717a9cb30N.exe
    52 B
    1
  • 8.8.8.8:53
    2398.35go.net
    dns
    2c4180a225d071508ac5656717a9cb30N.exe
    59 B
    202 B
    1
    1

    DNS Request

    2398.35go.net

    DNS Response

    221.194.141.155
    218.12.76.154
    221.194.141.158
    218.12.76.157

  • 8.8.8.8:53
    infoc0.duba.net
    dns
    2c4180a225d071508ac5656717a9cb30N.exe
    61 B
    238 B
    1
    1

    DNS Request

    infoc0.duba.net

    DNS Response

    139.9.37.26
    139.9.45.227
    139.9.36.178
    139.9.35.91
    139.9.44.129
    139.9.43.12
    139.9.36.107
    139.9.43.42
    121.37.247.153

  • 8.8.8.8:53
    dubacdn.cmcmcdn.com
    dns
    2c4180a225d071508ac5656717a9cb30N.exe
    65 B
    272 B
    1
    1

    DNS Request

    dubacdn.cmcmcdn.com

    DNS Response

    221.194.141.165
    36.42.77.166
    120.233.178.91
    120.233.178.92
    221.194.141.171
    36.42.77.170
    218.12.76.169

  • 8.8.8.8:53
    config.i.duba.net
    dns
    2c4180a225d071508ac5656717a9cb30N.exe
    63 B
    219 B
    1
    1

    DNS Request

    config.i.duba.net

    DNS Response

    221.194.141.158
    221.194.141.155
    218.12.76.154
    218.12.76.157
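
The flow list above is long because every resolved address of every host is listed as its own row, so the useful facts (which hostnames the sample reached for, which addresses they resolved to, and whether anything ever came back) are buried in repetition. The Python below is an added example written for this page, not a tria.ge tool; it parses a constructed excerpt of the list, with values copied from the rows above, into a per-host summary. It makes one assumption about the layout: that where a row carries two byte figures the first is transmitted and the second received, as in the DNS rows (for example 59 B sent and 202 B received for 2398.35go.net), so that a TCP row showing a single small figure and one or two packets is a connection attempt that got no reply. Under that reading none of the port-80 flows in this report completed, which is why no HTTP content appears. The 8.8.8.8 resolver is the sandbox's own DNS server and is kept out of the contacted-host list.

```python
"""Summarise a tria.ge-style flattened flow list into per-host IOCs.

Added example for this report. FLOWS_TEXT is a constructed excerpt whose
values are copied from the report's Network section.
"""
import re
from collections import defaultdict
from typing import Dict, List

ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
BYTES_RE = re.compile(r"^(\d+) B$")

FLOWS_TEXT = """\
221.194.141.155:80
2398.35go.net
2c4180a225d071508ac5656717a9cb30N.exe
104 B
2
127.0.0.1:49187
2c4180a225d071508ac5656717a9cb30N.exe
218.12.76.154:80
2398.35go.net
2c4180a225d071508ac5656717a9cb30N.exe
52 B
1
139.9.37.26:80
infoc0.duba.net
2c4180a225d071508ac5656717a9cb30N.exe
104 B
2
139.9.45.227:80
infoc0.duba.net
2c4180a225d071508ac5656717a9cb30N.exe
48 B
1
8.8.8.8:53
infoc0.duba.net
dns
2c4180a225d071508ac5656717a9cb30N.exe
61 B
238 B
1
1
"""


def split_records(text: str) -> List[List[str]]:
    """Group the flattened list into records; each record starts with an ip:port line."""
    records: List[List[str]] = []
    current: List[str] = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if ENDPOINT_RE.match(line):
            if current:
                records.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        records.append(current)
    return records


def parse_record(lines: List[str]) -> Dict:
    """Classify each line of one record: endpoint, hostname, 'dns' marker, process, sizes, counts."""
    m = ENDPOINT_RE.match(lines[0])
    rec = {"ip": m.group(1), "port": int(m.group(2)), "host": None, "process": None,
           "proto": "dns" if "dns" in lines[1:] else "tcp", "bytes": [], "packets": []}
    for line in lines[1:]:
        if line == "dns":
            continue
        bm = BYTES_RE.match(line)
        if bm:
            rec["bytes"].append(int(bm.group(1)))      # assumed order: tx then rx
        elif line.isdigit():
            rec["packets"].append(int(line))
        elif line.lower().endswith(".exe"):
            rec["process"] = line
        else:
            rec["host"] = line
    return rec


def summarize(text: str) -> Dict:
    """Aggregate TCP flows per contacted host; keep DNS lookups and loopback flows separate."""
    hosts = defaultdict(lambda: {"ips": set(), "flows": 0, "tx_bytes": 0, "rx_bytes": 0})
    dns_queries: List[str] = []
    loopback_ports: List[int] = []
    for rec in map(parse_record, split_records(text)):
        if rec["ip"].startswith("127."):
            loopback_ports.append(rec["port"])          # sample talking to itself
        elif rec["proto"] == "dns":
            dns_queries.append(rec["host"])             # resolver is sandbox infra, not an IOC
        else:
            h = hosts[rec["host"] or rec["ip"]]
            h["ips"].add(rec["ip"])
            h["flows"] += 1
            h["tx_bytes"] += rec["bytes"][0] if rec["bytes"] else 0
            h["rx_bytes"] += rec["bytes"][1] if len(rec["bytes"]) > 1 else 0
    return {
        "hosts": {k: {**v, "ips": sorted(v["ips"])} for k, v in hosts.items()},
        "dns_queries": dns_queries,
        "loopback_ports": loopback_ports,
    }


def silent_hosts(summary: Dict) -> List[str]:
    """Hosts the sample tried to reach but from which no bytes were received."""
    return sorted(h for h, v in summary["hosts"].items() if v["rx_bytes"] == 0)


if __name__ == "__main__":
    s = summarize(FLOWS_TEXT)
    for host, v in s["hosts"].items():
        print(host, v["ips"], f"{v['flows']} flows, {v['tx_bytes']} B out, {v['rx_bytes']} B in")
    print("no reply from:", silent_hosts(s))
```

Feed the whole Network section in place of the excerpt to get the complete IOC set (four hostnames, the addresses each resolved to, and the loopback ports the sample opened). The host summary, not the raw rows, is what belongs in a detection rule or a blocklist: the resolved addresses are CDN front ends that will rotate, while the hostnames are what the sample actually carries.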

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2116-29-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB
