Analysis

  • max time kernel
    111s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 14:10 UTC

General

  • Target

    08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe

  • Size

    83KB

  • MD5

    0a4addbea7f443fb075dc2554cb8d830

  • SHA1

    88cdc15ed83ba602eed3d0b6be1c73b899c6d825

  • SHA256

    08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18f

  • SHA512

    7db4711e1a65586c088e8c0ae7e7b0f3d537aa073dc53f430105ae9a4001bed3b3deb4ab406f88a0699202eac1cc7ec9b8686e9f54a527651081e1d93c996e3c

  • SSDEEP

    1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+qK:LJ0TAz6Mte4A+aaZx8EnCGVuq

Score
5/10

Malware Config

Signatures

  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe"
    Signatures: System Location Discovery: System Language Discovery
    PID: 4476

Network

  • DNS 217.106.137.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 217.106.137.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 83.210.23.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 83.210.23.2.in-addr.arpa IN PTR
    Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com
  • DNS 71.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 71.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 149.220.183.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 149.220.183.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 241.150.49.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 241.150.49.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS wecan.hasthe.technology
    Process: 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    Remote address: 8.8.8.8:53
    Request: wecan.hasthe.technology IN A
    Response: wecan.hasthe.technology IN A 172.67.183.40; wecan.hasthe.technology IN A 104.21.59.199
  • POST http://wecan.hasthe.technology/upload
    Process: 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    Remote address: 172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------6891c85d02b82718
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 25 Sep 2024 14:11:02 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Wed, 25 Sep 2024 15:11:02 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WkOK%2BPxN9dviAF5Ze8c3I5QDNxephvGnlCLMt7ahxeuEa03IhT0lL979tAinP4fAxFVYWIqGwN%2Bg315AAv25offkgnuMbvFbRgfqBYJtKMzHledKKmGjy%2FcBjsN%2Frq1FgN%2FMNmB8xCRBcw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c8b99d47ee5b3c9-MAN
  • DNS 26.165.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 26.165.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 40.183.67.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 40.183.67.172.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 92.12.20.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 92.12.20.2.in-addr.arpa IN PTR
    Response: 92.12.20.2.in-addr.arpa IN PTR a2-20-12-92.deploy.static.akamaitechnologies.com
  • POST http://wecan.hasthe.technology/upload
    Process: 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    Remote address: 172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------33f740d5e3f676c7
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 25 Sep 2024 14:11:32 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Wed, 25 Sep 2024 15:11:32 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RCeTjV%2F1ro7co64NfkBpVwjLJ%2FU4XW6QfUiy%2FbhihYx%2Bu27W8ykou0tAy2PBc79kKsq10m0zs8S5hcdyn865P61fNEW7wK%2B8zxJ%2BrX9uAZh6IxLFy8oeRioXGn7EYo%2FsK7piKZLJj13pVA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c8b9aa02e937771-LHR
  • POST http://wecan.hasthe.technology/upload
    Process: 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    Remote address: 172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------fccdbcde926478a6
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 25 Sep 2024 14:12:02 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Wed, 25 Sep 2024 15:12:02 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ln97QGlxVkDAHeZzy%2F9vesWhtC%2FMtfLfqlSgWmT0ifGUNrWIPshDOYqJd4Y6A2un0TMLwh2Ll7XBdLWBF7HwT2KUY2fk5gpe3NKMHP7ZkxmB2uNgSZJ2ro8LCv%2FqtNhG5vQJ9QWJUgIfyg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c8b9b5d8e8976ef-LHR
  • DNS 29.243.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 29.243.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 88.210.23.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 88.210.23.2.in-addr.arpa IN PTR
    Response: 88.210.23.2.in-addr.arpa IN PTR a2-23-210-88.deploy.static.akamaitechnologies.com
  Flows (address, domain, protocol, process, bytes sent / received, packets sent / received):

  • 172.67.183.40:80  http://wecan.hasthe.technology/upload  http
    Process: 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    115.0kB sent / 3.2kB received, 89 / 53 packets
    HTTP Request: POST http://wecan.hasthe.technology/upload
    HTTP Response: 301
  • 172.67.183.40:80  http://wecan.hasthe.technology/upload  http
    Process: 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    88.5kB sent / 2.7kB received, 71 / 46 packets
    HTTP Request: POST http://wecan.hasthe.technology/upload
    HTTP Response: 301
  • 172.67.183.40:80  http://wecan.hasthe.technology/upload  http
    Process: 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    88.5kB sent / 2.5kB received, 71 / 40 packets
    HTTP Request: POST http://wecan.hasthe.technology/upload
    HTTP Response: 301
  • 8.8.8.8:53  217.106.137.52.in-addr.arpa  dns
    73 B sent / 147 B received, 1 / 1 packets
    DNS Request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53  83.210.23.2.in-addr.arpa  dns
    70 B sent / 133 B received, 1 / 1 packets
    DNS Request: 83.210.23.2.in-addr.arpa
  • 8.8.8.8:53  71.159.190.20.in-addr.arpa  dns
    72 B sent / 158 B received, 1 / 1 packets
    DNS Request: 71.159.190.20.in-addr.arpa
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns
    73 B sent / 144 B received, 1 / 1 packets
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53  149.220.183.52.in-addr.arpa  dns
    73 B sent / 147 B received, 1 / 1 packets
    DNS Request: 149.220.183.52.in-addr.arpa
  • 8.8.8.8:53  241.150.49.20.in-addr.arpa  dns
    72 B sent / 158 B received, 1 / 1 packets
    DNS Request: 241.150.49.20.in-addr.arpa
  • 8.8.8.8:53  wecan.hasthe.technology  dns
    Process: 08e2cdf56fd309e8d8eb8fd4f9f7ddbb831b215ee1dd2d9f7d2fe97e3ecef18fN.exe
    69 B sent / 101 B received, 1 / 1 packets
    DNS Request: wecan.hasthe.technology
    DNS Response: 172.67.183.40, 104.21.59.199
  • 8.8.8.8:53  26.165.165.52.in-addr.arpa  dns
    72 B sent / 146 B received, 1 / 1 packets
    DNS Request: 26.165.165.52.in-addr.arpa
  • 8.8.8.8:53  40.183.67.172.in-addr.arpa  dns
    72 B sent / 134 B received, 1 / 1 packets
    DNS Request: 40.183.67.172.in-addr.arpa
  • 8.8.8.8:53  15.164.165.52.in-addr.arpa  dns
    72 B sent / 146 B received, 1 / 1 packets
    DNS Request: 15.164.165.52.in-addr.arpa
  • 8.8.8.8:53  92.12.20.2.in-addr.arpa  dns
    69 B sent / 131 B received, 1 / 1 packets
    DNS Request: 92.12.20.2.in-addr.arpa
  • 8.8.8.8:53  29.243.111.52.in-addr.arpa  dns
    72 B sent / 158 B received, 1 / 1 packets
    DNS Request: 29.243.111.52.in-addr.arpa
  • 8.8.8.8:53  88.210.23.2.in-addr.arpa  dns
    70 B sent / 133 B received, 1 / 1 packets
    DNS Request: 88.210.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rifaien2-TK0QjKG9gSjuhzy2.exe

    Filesize

    83KB

    MD5

    c6efa2b3dafd969034e4618376d80690

    SHA1

    431181eb2ec606f8d12b7d080bc408b00877bbe1

    SHA256

    dfc7f74a4fec7515605ab0715918412bb2d5e8b4a5147d7a56098f042ec509c2

    SHA512

    6a9d0ed0de929bcad6922e2794c2473778fac41f504e0eaa9ea81230caf5e4dff542488b24835ff9785159e94b381f358d1b790575e528e72bd76c3f7531de79

  • memory/4476-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4476-1-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4476-5-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4476-15-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4476-22-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB
