Analysis

  • max time kernel
    111s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 15:33 UTC

General

  • Target

    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe

  • Size

    358KB

  • MD5

    f791c331825b6bc460e2ed891aa63ce0

  • SHA1

    b9a9a4a7f049e1b24c5e8dc40bef1ab8c3ad68bc

  • SHA256

    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604

  • SHA512

    19fd0d4dcb123ababba0c3638665504d723c67865751b6b999c851f77399fe5a5282413066342464951af70c791b38d2b26321d77934191a042c0f994a97ad6f

  • SSDEEP

    6144:Tl8KWs/bWq+nR6xtEstSlckJ4OUSccLU4968TI+RjoSDx:Tl837cCHJrccvZPRjoSDx

Score
5/10

Malware Config

Signatures

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe"
    #1
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:1620

Network

  • US
    DNS
    cdn.simtel.net
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    Remote address:
    8.8.8.8:53
    Request
    cdn.simtel.net
    IN A
    Response
    cdn.simtel.net
    IN CNAME
    wcarchive.cdrom.com.edgesuite.net
    wcarchive.cdrom.com.edgesuite.net
    IN CNAME
    a1337.d.akamai.net
    a1337.d.akamai.net
    IN A
    2.19.117.76
    a1337.d.akamai.net
    IN A
    2.19.117.104
  • GB
    GET
    http://cdn.simtel.net/pub/dlm/rn_downloader_full.html
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    Remote address:
    2.19.117.76:80
    Request
    GET /pub/dlm/rn_downloader_full.html HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: cdn.simtel.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 503 Service Unavailable
    Server: AkamaiGHost
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Length: 373
    Date: Wed, 02 Oct 2024 15:33:30 GMT
    Connection: keep-alive
    Expires: Wed, 02 Oct 2024 15:33:30 GMT
  • US
    DNS
    wgt.digitalriver.com
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    Remote address:
    8.8.8.8:53
    Request
    wgt.digitalriver.com
    IN A
    Response
    wgt.digitalriver.com
    IN CNAME
    nankx7k.impervadns.net
    nankx7k.impervadns.net
    IN A
    45.60.123.23
  • US
    GET
    http://wgt.digitalriver.com/wgt/9f3a1646c2829ec59a8eb14e75c5ff39/5222d28b53e33dad682c228f0343c187/rn_v8466/At_The_Depth_-_Animated_3D_Wallpaper_Trial.exe
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    Remote address:
    45.60.123.23:80
    Request
    GET /wgt/9f3a1646c2829ec59a8eb14e75c5ff39/5222d28b53e33dad682c228f0343c187/rn_v8466/At_The_Depth_-_Animated_3D_Wallpaper_Trial.exe HTTP/1.1
    Host: wgt.digitalriver.com
    Range: bytes=0-
    User-Agent: GetRight/6.3e
    Accept: */*
    Accept-Encoding:
    Response
    HTTP/1.1 403 Forbidden
    Date: Wed, 02 Oct 2024 15:33:57 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: Apache
    Error-Message: No password_file_regnow record in the config file
    X-Server-Name: dnlweb@h010072015232.wgt-gcdnl-prd.aws-ew1-b.vdc7.drcloud.zone
    Set-Cookie: visid_incap_2490290=KR0f2jmORGKnK3nFZD9emcxn/WYAAAAAQUIPAAAAAAAh5j6ls+Hx7htoEWqywQh2; expires=Wed, 01 Oct 2025 22:25:10 GMT; HttpOnly; path=/; Domain=.digitalriver.com
    Set-Cookie: incap_ses_728_2490290=wVBrIdgRNwH/J0eUOWAaCuVn/WYAAAAAjMaFxv8IpZ7BasQkSPOFOg==; path=/; Domain=.digitalriver.com
    X-CDN: Imperva
    X-Iinfo: 16-77076565-77028432 pNNy RT(1727883212152 2) q(0 0 0 0) r(251 251) U11
  • US
    GET
    http://wgt.digitalriver.com/wgt/9f3a1646c2829ec59a8eb14e75c5ff39/5222d28b53e33dad682c228f0343c187/rn_v8466/At_The_Depth_-_Animated_3D_Wallpaper_Trial.exe
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    Remote address:
    45.60.123.23:80
    Request
    GET /wgt/9f3a1646c2829ec59a8eb14e75c5ff39/5222d28b53e33dad682c228f0343c187/rn_v8466/At_The_Depth_-_Animated_3D_Wallpaper_Trial.exe HTTP/1.1
    Host: wgt.digitalriver.com
    Range: bytes=0-
    User-Agent: GetRight/6.3e
    Accept: */*
    Accept-Encoding:
    Response
    HTTP/1.1 403 Forbidden
    Date: Wed, 02 Oct 2024 15:34:07 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: Apache
    Error-Message: No password_file_regnow record in the config file
    X-Server-Name: dnlweb@h010072015254.wgt-gcdnl-prd.aws-ew1-b.vdc7.drcloud.zone
    Set-Cookie: visid_incap_2490290=KR0f2jmORGKnK3nFZD9emcxn/WYAAAAAQUIPAAAAAAAh5j6ls+Hx7htoEWqywQh2; expires=Wed, 01 Oct 2025 22:25:21 GMT; HttpOnly; path=/; Domain=.digitalriver.com
    Set-Cookie: incap_ses_728_2490290=klW8GirJGUT/J0eUOWAaCu5n/WYAAAAAy8P3lSQFpwcW4uKOE5FwyQ==; path=/; Domain=.digitalriver.com
    X-CDN: Imperva
    X-Iinfo: 14-52565633-52465882 pNNy RT(1727883237909 1) q(0 0 0 0) r(90 90) U11
  • 2.19.117.76:80
    http://cdn.simtel.net/pub/dlm/rn_downloader_full.html
    http
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    552 B
    768 B
    4
    4

    HTTP Request

    GET http://cdn.simtel.net/pub/dlm/rn_downloader_full.html

    HTTP Response

    503
  • 45.60.123.23:80
    http://wgt.digitalriver.com/wgt/9f3a1646c2829ec59a8eb14e75c5ff39/5222d28b53e33dad682c228f0343c187/rn_v8466/At_The_Depth_-_Animated_3D_Wallpaper_Trial.exe
    http
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    431 B
    1.1kB
    4
    3

    HTTP Request

    GET http://wgt.digitalriver.com/wgt/9f3a1646c2829ec59a8eb14e75c5ff39/5222d28b53e33dad682c228f0343c187/rn_v8466/At_The_Depth_-_Animated_3D_Wallpaper_Trial.exe

    HTTP Response

    403
  • 45.60.123.23:80
    http://wgt.digitalriver.com/wgt/9f3a1646c2829ec59a8eb14e75c5ff39/5222d28b53e33dad682c228f0343c187/rn_v8466/At_The_Depth_-_Animated_3D_Wallpaper_Trial.exe
    http
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    427 B
    1.1kB
    4
    3

    HTTP Request

    GET http://wgt.digitalriver.com/wgt/9f3a1646c2829ec59a8eb14e75c5ff39/5222d28b53e33dad682c228f0343c187/rn_v8466/At_The_Depth_-_Animated_3D_Wallpaper_Trial.exe

    HTTP Response

    403
  • 8.8.8.8:53
    cdn.simtel.net
    dns
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    60 B
    165 B
    1
    1

    DNS Request

    cdn.simtel.net

    DNS Response

    2.19.117.76
    2.19.117.104

  • 8.8.8.8:53
    wgt.digitalriver.com
    dns
    bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.exe
    66 B
    118 B
    1
    1

    DNS Request

    wgt.digitalriver.com

    DNS Response

    45.60.123.23

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\GetRightToGo\bb1bf6285619bf03ee951cf5bd311e74283861447b87d827885b7607cc9c1604N.data

    Filesize

    1KB

    MD5

    777551d8493f8d4f7a00722e7ade6b51

    SHA1

    1236cef65c540e9d8d9084b71aaedffd4266a5ba

    SHA256

    abc88438478abc8cc0ffce2a2f53b9d1f196d3e6e7ad77cf31da3557c4c071ee

    SHA512

    72c3ef72e16f6b38839f1696b885c82d643e5ae77bae6ff899d015cf4e650cfdbb269639c4a399f9bb2984a2d651fd3ea627537bbd995543895cf054fb7645f4

  • memory/1620-0-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB

  • memory/1620-18-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB

  • memory/1620-23-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB

  • memory/1620-24-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB

  • memory/1620-29-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB

  • memory/1620-30-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB
