Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
111s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/09/2024, 14:10 UTC
Behavioral task
behavioral1
Sample
08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
Resource
win7-20240903-en
General
-
Target
08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
-
Size
83KB
-
MD5
0a4addbea7f443fb075dc2554cb8d830
-
SHA1
88cdc15ed83ba602eed3d0b6be1c73b899c6d825
-
SHA256
08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18f
-
SHA512
7db4711e1a65586c088e8c0ae7e7b0f3d537aa073dc53f430105ae9a4001bed3b3deb4ab406f88a0699202eac1cc7ec9b8686e9f54a527651081e1d93c996e3c
-
SSDEEP
1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+qK:LJ0TAz6Mte4A+aaZx8EnCGVuq
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4476-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000800000001db58-12.dat upx behavioral2/memory/4476-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-22-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
Processes
Network
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwecan.hasthe.technologyIN AResponsewecan.hasthe.technologyIN A172.67.183.40wecan.hasthe.technologyIN A104.21.59.199
-
POSThttp://wecan.hasthe.technology/upload08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------6891c85d02b82718
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 25 Sep 2024 15:11:02 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WkOK%2BPxN9dviAF5Ze8c3I5QDNxephvGnlCLMt7ahxeuEa03IhT0lL979tAinP4fAxFVYWIqGwN%2Bg315AAv25offkgnuMbvFbRgfqBYJtKMzHledKKmGjy%2FcBjsN%2Frq1FgN%2FMNmB8xCRBcw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8b99d47ee5b3c9-MAN
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request40.183.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request92.12.20.2.in-addr.arpaIN PTRResponse92.12.20.2.in-addr.arpaIN PTRa2-20-12-92deploystaticakamaitechnologiescom
-
POSThttp://wecan.hasthe.technology/upload08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------33f740d5e3f676c7
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 25 Sep 2024 15:11:32 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RCeTjV%2F1ro7co64NfkBpVwjLJ%2FU4XW6QfUiy%2FbhihYx%2Bu27W8ykou0tAy2PBc79kKsq10m0zs8S5hcdyn865P61fNEW7wK%2B8zxJ%2BrX9uAZh6IxLFy8oeRioXGn7EYo%2FsK7piKZLJj13pVA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8b9aa02e937771-LHR
-
POSThttp://wecan.hasthe.technology/upload08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------fccdbcde926478a6
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 25 Sep 2024 15:12:02 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ln97QGlxVkDAHeZzy%2F9vesWhtC%2FMtfLfqlSgWmT0ifGUNrWIPshDOYqJd4Y6A2un0TMLwh2Ll7XBdLWBF7HwT2KUY2fk5gpe3NKMHP7ZkxmB2uNgSZJ2ro8LCv%2FqtNhG5vQJ9QWJUgIfyg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c8b9b5d8e8976ef-LHR
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe115.0kB 3.2kB 89 53
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301 -
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe88.5kB 2.7kB 71 46
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301 -
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe88.5kB 2.5kB 71 40
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
8.8.8.8:53wecan.hasthe.technologydns08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe69 B 101 B 1 1
DNS Request
wecan.hasthe.technology
DNS Response
172.67.183.40104.21.59.199
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
40.183.67.172.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
69 B 131 B 1 1
DNS Request
92.12.20.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
83KB
MD5c6efa2b3dafd969034e4618376d80690
SHA1431181eb2ec606f8d12b7d080bc408b00877bbe1
SHA256dfc7f74a4fec7515605ab0715918412bb2d5e8b4a5147d7a56098f042ec509c2
SHA5126a9d0ed0de929bcad6922e2794c2473778fac41f504e0eaa9ea81230caf5e4dff542488b24835ff9785159e94b381f358d1b790575e528e72bd76c3f7531de79