Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/09/2024, 12:40 UTC

General

  • Target

    550cf206978c8dc1e12b4d2a17b61530N.exe

  • Size

    395KB

  • MD5

    550cf206978c8dc1e12b4d2a17b61530

  • SHA1

    2f25b8ab56a244cc81731f9fd078103841492bc7

  • SHA256

    61d9c0dc0a13aced9c78151daee797a05d5c6a88fa4a285bf0d6d8c11e602d2f

  • SHA512

    8a9d8322264acf983b1af8450b928e1136d4b37d24dc79d721c0249c31dd178985f89f7ef931de5cdd9233998ca2aee90ff800fb36ec383a8f71a5d66ec3f1d4

  • SSDEEP

    6144:4jlYKRF/LReWAsUyEIsYUEH7Ei+1g7eXHIuis9nXLzydK0S0Yqzrx:4jauDReWyg+1G+AslXLzLg

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\550cf206978c8dc1e12b4d2a17b61530N.exe
    "C:\Users\Admin\AppData\Local\Temp\550cf206978c8dc1e12b4d2a17b61530N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\ProgramData\vnqdtl.exe
      "C:\ProgramData\vnqdtl.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3712

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Documents and Settings .exe

    Filesize

    395KB

    MD5

    6b40b95ac1e1af39d2c588ef082cdaf0

    SHA1

    0f68b562ed4774081f1685f12225157db07b044c

    SHA256

    ff769321320ba51cd14a2c3c8f3ea9da46b6e32f5ab33aaaab3c30bc3d42ce19

    SHA512

    a718be120b948e6fa4df717311650ae4378c43935da8d4251d845ee6cce2cfd781a83a5de1a8e36dd356e80e1efb2c7b28c10b35632430c0a8b9dc43c0a98ac5

  • C:\ProgramData\Saaaalamm\Mira.h

    Filesize

    136KB

    MD5

    cb4c442a26bb46671c638c794bf535af

    SHA1

    8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

    SHA256

    f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

    SHA512

    074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

  • C:\ProgramData\vnqdtl.exe

    Filesize

    258KB

    MD5

    ce29858367204be08c220b00aeab5fa2

    SHA1

    2fb8de7e3060c497ccabb8823a18663c5367732b

    SHA256

    5fd08e00abec439859a04a0c93f4354e28fd06b152a86e14711b3715eed0bb08

    SHA512

    1aa11e997179b0e624383290ecc558177714bb5caf41db4c363138df72f591ccbfed71cf69690da3ea6be2c200d88ff53e44b945fdf5e52bb0cf5aa6e1b9d8f4

  • memory/800-0-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/800-1-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/800-9-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/3712-130-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB
