Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2024, 05:28 UTC
Behavioral task
behavioral1
Sample
cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
Resource
win7-20240903-en
General
-
Target
cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
-
Size
236KB
-
MD5
89cd8a0f54d31a51602d8622ba97b690
-
SHA1
d313b0d6c90d594c27d64021738f582e2967c3ca
-
SHA256
cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25
-
SHA512
13b181058a85a16133fbd8d5b60ab6371f5de6ef95f52b84504acae349f7fe3fe9095ff4a3268395cf14b2662db8eb843296141406c56a5f25de245bab267361
-
SSDEEP
3072:jJ0Bs3o8A4M3riN6MhGkgS3PL6pb9t16n5OkhBOPC/6/FnncroP9:lwDeM7iNEkgiOb31k1ECcJ/F
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3044-0-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/3044-1-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x000800000002349d-7.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe
Processes
Network
-
Remote address:8.8.8.8:53Request68.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request17.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwecan.hasthe.technologyIN AResponsewecan.hasthe.technologyIN A104.21.59.199wecan.hasthe.technologyIN A172.67.183.40
-
POSThttp://wecan.hasthe.technology/uploadcc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exeRemote address:104.21.59.199:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 242084
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------155b3f4b9c6aea74
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 01 Oct 2024 06:28:55 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WUFVTltN3x4VQIAIdjgVBMiqKzr%2FgGZPEoi9kbV2LMst5jwLEMYf4RGNrq3Z4JXOncJotgsHFETWRaSiRmHQcB4%2BrTho43GUjpZCp38hMgvYsrmB5U3HkEMUhIMjaBSbTewebyrljXVKzw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cba0d4e4a1b60f0-LHR
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request199.59.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.117.19.2.in-addr.arpaIN PTRResponse75.117.19.2.in-addr.arpaIN PTRa2-19-117-75deploystaticakamaitechnologiescom
-
POSThttp://wecan.hasthe.technology/uploadcc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exeRemote address:104.21.59.199:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 242084
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------96d16e1601f872dc
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 01 Oct 2024 06:29:25 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7VD53RZZDWHqZtwrIA%2BA7878Cn2nK9UljC8U3f02nprCuZM0Slw5Que0ByYfpcFgeJ7w4WBmcQZQ%2BStqCIJ3rOqSg6HBg6NTVtun7wt0%2BTEoA4HyF5hCL%2F508zvcvVhlN32nLazjtGFKvg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cba0e0c0c0879b8-LHR
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
-
POSThttp://wecan.hasthe.technology/uploadcc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exeRemote address:104.21.59.199:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 242084
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------ac37641b15367838
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 01 Oct 2024 06:29:55 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UKjfAqiXhyTk2qw4ilmSKhZVz0GIrWeq9MxHGRClsrJEVn%2FHg4qs8IxHMXn771nsEYus16e%2BQ0dJ3vD5yUCEy4iTKirgJo15N8SurDcKh9qaCM6Kh2Z%2BM9p4U559I5myKdUF4B03%2Bw05Aw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cba0ec9da9306e9-LHR
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
104.21.59.199:80http://wecan.hasthe.technology/uploadhttpcc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe250.1kB 6.7kB 195 147
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301 -
104.21.59.199:80http://wecan.hasthe.technology/uploadhttpcc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe250.1kB 6.8kB 195 149
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301 -
322 B 7
-
104.21.59.199:80http://wecan.hasthe.technology/uploadhttpcc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe250.1kB 5.9kB 195 127
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301
-
72 B 132 B 1 1
DNS Request
68.209.201.84.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
17.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
8.8.8.8:53wecan.hasthe.technologydnscc443b97230266d18231c4144cc418b041d17ff57c74e855ddb13d4c4a1ddd25N.exe69 B 101 B 1 1
DNS Request
wecan.hasthe.technology
DNS Response
104.21.59.199172.67.183.40
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
199.59.21.104.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
75.117.19.2.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD596c7bd1f56b6df10ef1be9b448b4a00f
SHA174d1ced93f3720bfc44293c668fdf6ee456847bc
SHA256d351f3b4c77eba3cd0bbce72b1eb7ff488fc28f00304589845f187e36f78bbb7
SHA512623afd6b521c199e8f3812e3b7f50f2b85bb57dd9f15a574963043104e1c1cbd80e18ea83c72880c10a90aaeed78f556d5b853cf7fc0e120284fde6d6560bf9e