Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2024, 05:28 UTC

General

  • Target

    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe

  • Size

    236KB

  • MD5

    89cd8a0f54d31a51602d8622ba97b690

  • SHA1

    d313b0d6c90d594c27d64021738f582e2967c3ca

  • SHA256

    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25

  • SHA512

    13b181058a85a16133fbd8d5b60ab6371f5de6ef95f52b84504acae349f7fe3fe9095ff4a3268395cf14b2662db8eb843296141406c56a5f25de245bab267361

  • SSDEEP

    3072:jJ0Bs3o8A4M3riN6MhGkgS3PL6pb9t16n5OkhBOPC/6/FnncroP9:lwDeM7iNEkgiOb31k1ECcJ/F

Score
5/10

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    "C:\Users\Admin\AppData\Local\Temp\cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3044

Network

  • flag-us
    DNS
    68.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    wecan.hasthe.technology
    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
    Response
    wecan.hasthe.technology
    IN A
    104.21.59.199
    wecan.hasthe.technology
    IN A
    172.67.183.40
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    Remote address:
    104.21.59.199:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 242084
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------155b3f4b9c6aea74
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 01 Oct 2024 05:28:55 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 01 Oct 2024 06:28:55 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WUFVTltN3x4VQIAIdjgVBMiqKzr%2FgGZPEoi9kbV2LMst5jwLEMYf4RGNrq3Z4JXOncJotgsHFETWRaSiRmHQcB4%2BrTho43GUjpZCp38hMgvYsrmB5U3HkEMUhIMjaBSbTewebyrljXVKzw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cba0d4e4a1b60f0-LHR
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    199.59.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    199.59.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75.deploy.static.akamaitechnologies.com
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    Remote address:
    104.21.59.199:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 242084
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------96d16e1601f872dc
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 01 Oct 2024 05:29:25 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 01 Oct 2024 06:29:25 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7VD53RZZDWHqZtwrIA%2BA7878Cn2nK9UljC8U3f02nprCuZM0Slw5Que0ByYfpcFgeJ7w4WBmcQZQ%2BStqCIJ3rOqSg6HBg6NTVtun7wt0%2BTEoA4HyF5hCL%2F508zvcvVhlN32nLazjtGFKvg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cba0e0c0c0879b8-LHR
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    Remote address:
    104.21.59.199:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 242084
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------ac37641b15367838
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 01 Oct 2024 05:29:55 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 01 Oct 2024 06:29:55 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UKjfAqiXhyTk2qw4ilmSKhZVz0GIrWeq9MxHGRClsrJEVn%2FHg4qs8IxHMXn771nsEYus16e%2BQ0dJ3vD5yUCEy4iTKirgJo15N8SurDcKh9qaCM6Kh2Z%2BM9p4U559I5myKdUF4B03%2Bw05Aw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cba0ec9da9306e9-LHR
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • 104.21.59.199:80
    http://wecan.hasthe.technology/upload
    http
    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    250.1kB
    6.7kB
    195
    147

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 104.21.59.199:80
    http://wecan.hasthe.technology/upload
    http
    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    250.1kB
    6.8kB
    195
    149

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 52.111.229.48:443
    322 B
    7
  • 104.21.59.199:80
    http://wecan.hasthe.technology/upload
    http
    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    250.1kB
    5.9kB
    195
    127

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 8.8.8.8:53
    68.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    68.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    wecan.hasthe.technology
    dns
    cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
    69 B
    101 B
    1
    1

    DNS Request

    wecan.hasthe.technology

    DNS Response

    104.21.59.199
    172.67.183.40

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    199.59.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    199.59.21.104.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rifaien2-bZP6DoXJND8Wk3LZ.exe

    Filesize

    236KB

    MD5

    96c7bd1f56b6df10ef1be9b448b4a00f

    SHA1

    74d1ced93f3720bfc44293c668fdf6ee456847bc

    SHA256

    d351f3b4c77eba3cd0bbce72b1eb7ff488fc28f00304589845f187e36f78bbb7

    SHA512

    623afd6b521c199e8f3812e3b7f50f2b85bb57dd9f15a574963043104e1c1cbd80e18ea83c72880c10a90aaeed78f556d5b853cf7fc0e120284fde6d6560bf9e

  • memory/3044-0-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/3044-1-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB
