Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 02:05 UTC
Static task
static1
Behavioral task
behavioral1
Sample
a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
Resource
win10v2004-20241007-en
General
-
Target
a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
-
Size
1.2MB
-
MD5
2b2832a4e1bf4e26e59980f4162334e2
-
SHA1
a9ae9ed9b7804a21fc0cf1e6b0d7d2e9f18b8336
-
SHA256
a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257
-
SHA512
26fc4677d42d3c0dae70a0f5c8c8e0987bac137d94d6973883de48c3de028424e77c2227d14b4d59b9eafe097a5e3dde29d275fbe1de3ce7fe880d4496228f01
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCznZeX4CCmLFtyfHIHjw3Oz/ijaX:7JZoQrbTFZY1iaCznMCiFtygHcOTN
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs incalculability.exe -
Executes dropped EXE 1 IoCs
pid Process 3724 incalculability.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000b000000023bc8-5.dat autoit_exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1352 3724 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language incalculability.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3724 incalculability.exe 3724 incalculability.exe 3724 incalculability.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3724 incalculability.exe 3724 incalculability.exe 3724 incalculability.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3464 wrote to memory of 3724 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 86 PID 3464 wrote to memory of 3724 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 86 PID 3464 wrote to memory of 3724 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 86 PID 3724 wrote to memory of 3120 3724 incalculability.exe 87 PID 3724 wrote to memory of 3120 3724 incalculability.exe 87 PID 3724 wrote to memory of 3120 3724 incalculability.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Users\Admin\AppData\Local\inhumate\incalculability.exe"C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"3⤵PID:3120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 7283⤵
- Program crash
PID:1352
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3724 -ip 37241⤵PID:736
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=370707A86CEB6C36286C12BB6DED6D96; domain=.bing.com; expires=Mon, 03-Nov-2025 02:05:39 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 37FCB95207AA45828EE0385C62690256 Ref B: LON601060107031 Ref C: 2024-10-09T02:05:39Z
date: Wed, 09 Oct 2024 02:05:38 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=370707A86CEB6C36286C12BB6DED6D96
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=xSuqhQX9f_yfyND4IdMusp95SWlfohZ9yquvxiRLfBw; domain=.bing.com; expires=Mon, 03-Nov-2025 02:05:39 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2A7CE95CDB554E7786491379B05ED1C7 Ref B: LON601060107031 Ref C: 2024-10-09T02:05:39Z
date: Wed, 09 Oct 2024 02:05:38 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=370707A86CEB6C36286C12BB6DED6D96; MSPTC=xSuqhQX9f_yfyND4IdMusp95SWlfohZ9yquvxiRLfBw
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B0319C04CC6C437D822C90870094C839 Ref B: LON601060107031 Ref C: 2024-10-09T02:05:39Z
date: Wed, 09 Oct 2024 02:05:38 GMT
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request10.27.171.150.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request101.209.201.84.in-addr.arpaIN PTRResponse
-
150.171.27.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=tls, http22.0kB 9.4kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=HTTP Response
204
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.27.10150.171.28.10
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
10.27.171.150.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
101.209.201.84.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD52b2832a4e1bf4e26e59980f4162334e2
SHA1a9ae9ed9b7804a21fc0cf1e6b0d7d2e9f18b8336
SHA256a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257
SHA51226fc4677d42d3c0dae70a0f5c8c8e0987bac137d94d6973883de48c3de028424e77c2227d14b4d59b9eafe097a5e3dde29d275fbe1de3ce7fe880d4496228f01