
Analysis

  • max time kernel
    92s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/10/2024, 02:05 UTC

General

  • Target

    a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe

  • Size

    1.2MB

  • MD5

    2b2832a4e1bf4e26e59980f4162334e2

  • SHA1

    a9ae9ed9b7804a21fc0cf1e6b0d7d2e9f18b8336

  • SHA256

    a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257

  • SHA512

    26fc4677d42d3c0dae70a0f5c8c8e0987bac137d94d6973883de48c3de028424e77c2227d14b4d59b9eafe097a5e3dde29d275fbe1de3ce7fe880d4496228f01

  • SSDEEP

    24576:uRmJkcoQricOIQxiZY1iaCznZeX4CCmLFtyfHIHjw3Oz/ijaX:7JZoQrbTFZY1iaCznMCiFtygHcOTN

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
    "C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Local\inhumate\incalculability.exe
      "C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"
        3⤵
          PID:3120
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 728
          3⤵
          • Program crash
          PID:1352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3724 -ip 3724
      1⤵
        PID:736

      Network

      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.ax-0001.ax-msedge.net
        g-bing-com.ax-0001.ax-msedge.net
        IN CNAME
        ax-0001.ax-msedge.net
        ax-0001.ax-msedge.net
        IN A
        150.171.27.10
        ax-0001.ax-msedge.net
        IN A
        150.171.28.10
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=
        Remote address:
        150.171.27.10:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=370707A86CEB6C36286C12BB6DED6D96; domain=.bing.com; expires=Mon, 03-Nov-2025 02:05:39 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 37FCB95207AA45828EE0385C62690256 Ref B: LON601060107031 Ref C: 2024-10-09T02:05:39Z
        date: Wed, 09 Oct 2024 02:05:38 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=
        Remote address:
        150.171.27.10:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=370707A86CEB6C36286C12BB6DED6D96
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=xSuqhQX9f_yfyND4IdMusp95SWlfohZ9yquvxiRLfBw; domain=.bing.com; expires=Mon, 03-Nov-2025 02:05:39 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 2A7CE95CDB554E7786491379B05ED1C7 Ref B: LON601060107031 Ref C: 2024-10-09T02:05:39Z
        date: Wed, 09 Oct 2024 02:05:38 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=
        Remote address:
        150.171.27.10:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=370707A86CEB6C36286C12BB6DED6D96; MSPTC=xSuqhQX9f_yfyND4IdMusp95SWlfohZ9yquvxiRLfBw
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: B0319C04CC6C437D822C90870094C839 Ref B: LON601060107031 Ref C: 2024-10-09T02:05:39Z
        date: Wed, 09 Oct 2024 02:05:38 GMT
      • flag-us
        DNS
        88.210.23.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        88.210.23.2.in-addr.arpa
        IN PTR
        Response
        88.210.23.2.in-addr.arpa
        IN PTR
        a2-23-210-88.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        10.27.171.150.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        10.27.171.150.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        88.156.103.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        88.156.103.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        212.20.149.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        212.20.149.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        198.187.3.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.187.3.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        101.209.201.84.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        101.209.201.84.in-addr.arpa
        IN PTR
        Response
      • 150.171.27.10:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=
        tls, http2
        2.0kB
        9.4kB
        22
        19

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

        HTTP Response

        204
      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        148 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        150.171.27.10
        150.171.28.10

      • 8.8.8.8:53
        88.210.23.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        88.210.23.2.in-addr.arpa

      • 8.8.8.8:53
        10.27.171.150.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        10.27.171.150.in-addr.arpa

      • 8.8.8.8:53
        88.156.103.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        88.156.103.20.in-addr.arpa

      • 8.8.8.8:53
        212.20.149.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        212.20.149.52.in-addr.arpa

      • 8.8.8.8:53
        198.187.3.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        198.187.3.20.in-addr.arpa

      • 8.8.8.8:53
        101.209.201.84.in-addr.arpa
        dns
        73 B
        133 B
        1
        1

        DNS Request

        101.209.201.84.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\inhumate\incalculability.exe

        Filesize

        1.2MB

        MD5

        2b2832a4e1bf4e26e59980f4162334e2

        SHA1

        a9ae9ed9b7804a21fc0cf1e6b0d7d2e9f18b8336

        SHA256

        a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257

        SHA512

        26fc4677d42d3c0dae70a0f5c8c8e0987bac137d94d6973883de48c3de028424e77c2227d14b4d59b9eafe097a5e3dde29d275fbe1de3ce7fe880d4496228f01

      • memory/3464-2-0x00000000043D0000-0x00000000047D0000-memory.dmp

        Filesize

        4.0MB

      • memory/3724-10-0x0000000003D50000-0x0000000003F50000-memory.dmp

        Filesize

        2.0MB
