Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14/09/2024, 10:20 UTC

General

  • Target

    78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe

  • Size

    7.6MB

  • MD5

    0be4a2592f848a5781a73ee60fa20ba6

  • SHA1

    85bf09a2f02d66e8aa03147c90f7edd404c8a6aa

  • SHA256

    78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4

  • SHA512

    84b138f38e92a6ca5614a706dc8788ba218d7f4e0dde691dab18f1b9256def36475181f456435499a183336f5a385641d7d0b7401c22d42fe6ee5116796f0530

  • SSDEEP

    98304:K0XCXkHTfN9Z+1jjw+giUMZCq6bFREzaOHSWLu4F:K0XCXkHTfN9QgirZC5YS

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe
    "C:\Users\Admin\AppData\Local\Temp\78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1856

Network

  • flag-de
    GET
    http://89.169.53.206/api/crazyfish.php
    RegAsm.exe
    Remote address:
    89.169.53.206:80
    Request
    GET /api/crazyfish.php HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
    Host: 89.169.53.206
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Sep 2024 10:20:27 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    X-Powered-By: PHP/8.2.12
    Content-Length: 6
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    api64.ipify.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    api64.ipify.org
    IN A
    Response
    api64.ipify.org
    IN A
    173.231.16.77
    api64.ipify.org
    IN A
    104.237.62.213
  • flag-us
    GET
    https://api64.ipify.org/?format=json
    RegAsm.exe
    Remote address:
    173.231.16.77:443
    Request
    GET /?format=json HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
    Host: api64.ipify.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 14 Sep 2024 10:20:28 GMT
    Content-Type: application/json
    Content-Length: 22
    Connection: keep-alive
    Vary: Origin
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.53.169.89.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.53.169.89.in-addr.arpa
    IN PTR
    Response
    206.53.169.89.in-addr.arpa
    IN PTR
    spotted-basin.aeza.network
  • flag-us
    DNS
    ipinfo.io
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    ipinfo.io
    IN A
    Response
    ipinfo.io
    IN A
    34.117.59.81
  • flag-us
    GET
    https://ipinfo.io/widget/demo/194.110.13.70
    RegAsm.exe
    Remote address:
    34.117.59.81:443
    Request
    GET /widget/demo/194.110.13.70 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
    Host: ipinfo.io
    Response
    HTTP/1.1 200 OK
    access-control-allow-origin: *
    Content-Length: 1004
    content-type: application/json; charset=utf-8
    date: Sat, 14 Sep 2024 10:20:28 GMT
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    77.16.231.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.16.231.173.in-addr.arpa
    IN PTR
    Response
    77.16.231.173.in-addr.arpa
    IN PTR
    api.ipify.org
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.59.117.34.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.59.117.34.in-addr.arpa
    IN PTR
    Response
    81.59.117.34.in-addr.arpa
    IN PTR
    81.59.117.34.bc.googleusercontent.com
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    240.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.143.123.92.in-addr.arpa
    IN PTR
    Response
    240.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-240.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 89.169.53.206:80
    http://89.169.53.206/api/crazyfish.php
    http
    RegAsm.exe
    481 B
    431 B
    6
    4

    HTTP Request

    GET http://89.169.53.206/api/crazyfish.php

    HTTP Response

    200
  • 173.231.16.77:443
    https://api64.ipify.org/?format=json
    tls, http
    RegAsm.exe
    954 B
    5.0kB
    10
    10

    HTTP Request

    GET https://api64.ipify.org/?format=json

    HTTP Response

    200
  • 34.117.59.81:443
    https://ipinfo.io/widget/demo/194.110.13.70
    tls, http
    RegAsm.exe
    938 B
    5.3kB
    9
    10

    HTTP Request

    GET https://ipinfo.io/widget/demo/194.110.13.70

    HTTP Response

    200
  • 8.8.8.8:53
    api64.ipify.org
    dns
    RegAsm.exe
    61 B
    93 B
    1
    1

    DNS Request

    api64.ipify.org

    DNS Response

    173.231.16.77
    104.237.62.213

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    206.53.169.89.in-addr.arpa
    dns
    72 B
    112 B
    1
    1

    DNS Request

    206.53.169.89.in-addr.arpa

  • 8.8.8.8:53
    ipinfo.io
    dns
    RegAsm.exe
    55 B
    71 B
    1
    1

    DNS Request

    ipinfo.io

    DNS Response

    34.117.59.81

  • 8.8.8.8:53
    77.16.231.173.in-addr.arpa
    dns
    72 B
    99 B
    1
    1

    DNS Request

    77.16.231.173.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    81.59.117.34.in-addr.arpa
    dns
    71 B
    122 B
    1
    1

    DNS Request

    81.59.117.34.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    240.143.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    240.143.123.92.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1364-0-0x000000007442E000-0x000000007442F000-memory.dmp

    Filesize

    4KB

  • memory/1364-1-0x0000000000950000-0x00000000010F0000-memory.dmp

    Filesize

    7.6MB

  • memory/1364-2-0x0000000005DF0000-0x000000000609C000-memory.dmp

    Filesize

    2.7MB

  • memory/1364-4-0x0000000005D00000-0x0000000005D9C000-memory.dmp

    Filesize

    624KB

  • memory/1364-3-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

  • memory/1364-5-0x0000000003730000-0x0000000003752000-memory.dmp

    Filesize

    136KB

  • memory/1364-8-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

  • memory/1856-6-0x0000000000400000-0x00000000005E1000-memory.dmp

    Filesize

    1.9MB

  • memory/1856-10-0x0000000000400000-0x00000000005E1000-memory.dmp

    Filesize

    1.9MB

  • memory/1856-12-0x0000000000400000-0x00000000005E1000-memory.dmp

    Filesize

    1.9MB

  • memory/1856-9-0x0000000000400000-0x00000000005E1000-memory.dmp

    Filesize

    1.9MB
