Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

38013984ec...bc.exe

windows7-x64

7

38013984ec...bc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 14:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe

  • Size

    330KB

  • MD5

    ee1b0e6423386f2c53869725a16c24ae

  • SHA1

    c3a06587bb81b375b1f1b606e279afb41150a26d

  • SHA256

    38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc

  • SHA512

    61bf4006cca47161050b335b42db5e0943b892848920a24e4c3334f76d93ad18951647f1d92c942c7c64b170027da5775b7ea3e2cdb04412a31a02f1fcc9136d

  • SSDEEP

    6144:fxYrRwGrWwNDCBC2iDFOIh10+7vdX6Ba/AOIPb+PqR/J7y12:fxWrNtDFf1BrRHhiR/J7B

Score
7/10
discoveryexecution

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe
    "C:\Users\Admin\AppData\Local\Temp\38013984ecec19ab2889f68c3404c10c434b44ad68d9e3978cb853c18742dabc.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\SIAMIT~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\SIAMIT~1.EXE" -hwnd 196988 -uninstall
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "Get-WinUserLanguageList | ConvertTo-Json -Compress"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2704

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\English.lang
    Filesize

    5KB

    MD5

    c5e027ed9553b7c0e197da9b232213de

    SHA1

    06f84573662df0cd76ce1c1ee3c5f8a54a56f3e3

    SHA256

    b20b85422d00b6cc739c1109587cd31042e2711a5b8147e2b1b2a42db47f82b7

    SHA512

    abf28d69722cc699e46d80997e46ff10fce771305de0108d9c7ba454f3ae736f557c451edcd1380b8ae6fe4e122929b4d106d376e04d55548092eea8bf03e25f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SIAMIT~1.EXE
    Filesize

    117KB

    MD5

    5d77bda9abaf2d713df2fb3b7db4860f

    SHA1

    64a3f12df35235d18d4af16f709bf2c03cb88032

    SHA256

    865e73bc9f80c58fd2795709b549dc8fe8e09f86af6fc11a039cb134d4657419

    SHA512

    0930ccf6ff6fa3cf0ebae60e69e226270f2ada40df5a8b42f5ad797d79a23618e6d632ca90ded9eacfc3905f6bee2d6db42f20b04017cfbe674fa112e49bd8b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup.job
    Filesize

    14KB

    MD5

    8b6e9fdeba7279871f71526306ed22dd

    SHA1

    1098341a3fab76fc52d15fcd2b39d321be7a0655

    SHA256

    35a39de3c9ccc0cd567a895ce9c503150f3e994bc5c9f552e7d1e69ee0081706

    SHA512

    d377b2ed79e28299ff9cb50d818e987b7d6ea4f9f60ad313cf2b129d2f56414982229a846a504a71160e82c205f532df5f9fd7b2019eb8f7f20b2aa3312cf54f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_32hj20hn.mjf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\img881C.tmp
    Filesize

    26KB

    MD5

    0ee5c85d988e567c0fb740eb231e5e81

    SHA1

    713547ca83b1c416603b8cc4786290af9e983712

    SHA256

    e5ed3d2e0ba8e5e0a17b8e8e45b42e1a5d293e977c79c1856a6314bddcfc4389

    SHA512

    8cdef4628ef05803eb38ce30546ee0099611f7fa1458148924cccd7e024a1c6fd8930909b42f8fa500b4dc3d2b3a8b7ad60a51ab72b6a439c1e080ae9864e9ca

    Download Submit

  • memory/2664-84-0x0000000072A90000-0x0000000073240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2664-32-0x0000000005980000-0x0000000005A12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2664-83-0x0000000072A9E000-0x0000000072A9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2664-31-0x0000000005E30000-0x00000000063D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2664-80-0x0000000006620000-0x000000000662A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2664-30-0x0000000000F10000-0x0000000000F30000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2664-78-0x0000000072A90000-0x0000000073240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2664-29-0x0000000072A9E000-0x0000000072A9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-53-0x00000000071D0000-0x0000000007202000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2704-68-0x00000000075F0000-0x00000000075FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2704-50-0x0000000005DD0000-0x0000000006124000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2704-51-0x0000000006270000-0x000000000628E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2704-52-0x0000000006380000-0x00000000063CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2704-39-0x0000000005B80000-0x0000000005BE6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2704-54-0x000000006F300000-0x000000006F34C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2704-64-0x0000000007210000-0x000000000722E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2704-65-0x0000000007240000-0x00000000072E3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2704-66-0x0000000007BC0000-0x000000000823A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2704-67-0x0000000007580000-0x000000000759A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2704-40-0x0000000005C60000-0x0000000005CC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2704-69-0x0000000007800000-0x0000000007896000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2704-70-0x0000000007790000-0x000000000779C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2704-71-0x0000000008240000-0x0000000008402000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2704-72-0x0000000008940000-0x0000000008E6C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2704-75-0x0000000072A90000-0x0000000073240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2704-38-0x0000000005290000-0x00000000052B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2704-37-0x00000000053A0000-0x00000000059C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2704-36-0x0000000072A90000-0x0000000073240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2704-35-0x0000000072A90000-0x0000000073240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2704-34-0x0000000002CD0000-0x0000000002D06000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2704-33-0x0000000072A90000-0x0000000073240000-memory.dmp

    Filesize

    7.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.