Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 10:49 UTC

General

  • Target

    aa4a45d59215d88f5bbb79f4020cbb24cb9809b8d0c651eed9c4c9a44fe15267.exe

  • Size

    914KB

  • MD5

    d314447bfe78be921cb5db03d138d5d2

  • SHA1

    87ef7e53ba2b644a8638c9efd16ecaf445d393cc

  • SHA256

    aa4a45d59215d88f5bbb79f4020cbb24cb9809b8d0c651eed9c4c9a44fe15267

  • SHA512

    7207fc3560a459f6678e60af78de888fad5ae1dda7ebe37ffb1e4f3a921760ae67fe2a33279f5451820af6d51ba4c975d385abdbc879fbae833128a24b5ef151

  • SSDEEP

    24576:wc5ndIGN7QDVHriGNdKY9AO+sCaqht2keZ1yugLYlr:t5nnQDVOTeAJr2keZsrYR

Score
5/10

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa4a45d59215d88f5bbb79f4020cbb24cb9809b8d0c651eed9c4c9a44fe15267.exe
    "C:\Users\Admin\AppData\Local\Temp\aa4a45d59215d88f5bbb79f4020cbb24cb9809b8d0c651eed9c4c9a44fe15267.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3196

Network

  • flag-us
    DNS
    www.1064588.com
    aa4a45d59215d88f5bbb79f4020cbb24cb9809b8d0c651eed9c4c9a44fe15267.exe
    Remote address:
    8.8.8.8:53
    Request
    www.1064588.com
    IN A
    Response
    www.1064588.com
    IN A
    43.155.184.86
  • flag-kr
    GET
    http://www.1064588.com/aapi/T.txt
    aa4a45d59215d88f5bbb79f4020cbb24cb9809b8d0c651eed9c4c9a44fe15267.exe
    Remote address:
    43.155.184.86:80
    Request
    GET /aapi/T.txt HTTP/1.1
    Accept: */*
    Referer: http://www.1064588.com/aapi/T.txt
    Accept-Language: zh-cn
    User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
    Host: www.1064588.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 09 Oct 2024 10:50:10 GMT
    Content-Type: text/plain
    Content-Length: 36
    Last-Modified: Sat, 05 Oct 2024 16:45:49 GMT
    Connection: keep-alive
    ETag: "67016d3d-24"
    Accept-Ranges: bytes
  • flag-us
    DNS
    86.184.155.43.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.184.155.43.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.184.155.43.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.184.155.43.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    138.201.86.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.201.86.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.201.86.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.201.86.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    138.201.86.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.201.86.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.73.50.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.73.50.20.in-addr.arpa
    IN PTR
    Response
  • 43.155.184.86:80
    http://www.1064588.com/aapi/T.txt
    http
    aa4a45d59215d88f5bbb79f4020cbb24cb9809b8d0c651eed9c4c9a44fe15267.exe
    503 B
    704 B
    6
    4

    HTTP Request

    GET http://www.1064588.com/aapi/T.txt

    HTTP Response

    200
  • 8.8.8.8:53
    www.1064588.com
    dns
    aa4a45d59215d88f5bbb79f4020cbb24cb9809b8d0c651eed9c4c9a44fe15267.exe
    61 B
    77 B
    1
    1

    DNS Request

    www.1064588.com

    DNS Response

    43.155.184.86

  • 8.8.8.8:53
    86.184.155.43.in-addr.arpa
    dns
    144 B
    129 B
    2
    1

    DNS Request

    86.184.155.43.in-addr.arpa

    DNS Request

    86.184.155.43.in-addr.arpa

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    138.201.86.20.in-addr.arpa
    dns
    216 B
    158 B
    3
    1

    DNS Request

    138.201.86.20.in-addr.arpa

    DNS Request

    138.201.86.20.in-addr.arpa

    DNS Request

    138.201.86.20.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    10.73.50.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    10.73.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3196-0-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

  • memory/3196-1-0x0000000000C70000-0x0000000000C71000-memory.dmp

    Filesize

    4KB

  • memory/3196-3-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB
