Analysis

  • max time kernel
    116s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2024, 10:20 UTC

General

  • Target

    d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe

  • Size

    1.1MB

  • MD5

    fdbaef78bebf2082aa4918d06a3bab10

  • SHA1

    0796969001f4ade47d2786046ee2401a582e3797

  • SHA256

    d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346de

  • SHA512

    f59228479befa8b23771ab9fb522a5e2d3ba0a5f9ee4c1621a9d5720a5ab41b1c4b88db47093646cbf572e214e8e742bd1bf2997259ff9ae32024747d11be743

  • SSDEEP

    24576:JQ1OIyYqCfVk4Ym/jTnGDcZELIveNNvVohH2LUpDW9Tgn:JQ1Q6y4YmrVeNWrDW9En

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1092
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1196
          • C:\Users\Admin\AppData\Local\Temp\d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            "C:\Users\Admin\AppData\Local\Temp\d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious behavior: RenamesItself
            • Suspicious use of WriteProcessMemory
            PID:2132
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          1⤵
            PID:2572

          Network

          • DNS (US)
            hi.baidu.com
            d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            Remote address:
            8.8.8.8:53
            Request
            hi.baidu.com
            IN A
            Response
            hi.baidu.com
            IN CNAME
            im.n.shifen.com
            im.n.shifen.com
            IN CNAME
            in.m.wshifen.com
            in.m.wshifen.com
            IN A
            104.193.88.126
            in.m.wshifen.com
            IN A
            104.193.88.125
          • GET (US)
            http://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df
            d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            Remote address:
            104.193.88.126:80
            Request
            GET /aegifjftrggluze/item/be185dc989cae4f4984aa0df HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
            Host: hi.baidu.com
            Cache-Control: no-cache
            Response
            HTTP/1.1 302 Found
            Content-Length: 49
            Content-Type: text/html; charset=utf-8
            Date: Thu, 10 Oct 2024 10:20:24 GMT
            Location: https://infoflow.baidu.com
          • DNS (US)
            infoflow.baidu.com
            d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            Remote address:
            8.8.8.8:53
            Request
            infoflow.baidu.com
            IN A
            Response
            infoflow.baidu.com
            IN CNAME
            im.n.shifen.com
            im.n.shifen.com
            IN CNAME
            in.m.wshifen.com
            in.m.wshifen.com
            IN A
            104.193.88.126
            in.m.wshifen.com
            IN A
            104.193.88.125
          • GET (US)
            https://infoflow.baidu.com/
            d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            Remote address:
            104.193.88.126:443
            Request
            GET / HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
            Host: infoflow.baidu.com
            Cache-Control: no-cache
            Connection: Keep-Alive
            Response
            HTTP/1.1 200 OK
            Accept-Ranges: bytes
            Connection: keep-alive
            Content-Length: 4546
            Content-Security-Policy: base-uri 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' 'report-sample' blob: baidu: *.infoflow.baidu.com *.im.baidu.com zhiqiu.baidu.com passport.baidu.com passport.bdimg.com cdnjs.cloudflare.com uuap.baidu.com uuap.baidu-int.com *.weiyun.baidu.com wappass.baidu.com hi-static.bj.bcebos.com ops-wps.cdn.bcebos.com wps-office-static.cdn.bcebos.com code.bdstatic.com knowledge-infoflow.cdn.bcebos.com knowledge-infoflow.bj.bcebos.com workflow.cdn.bcebos.com hi-static.cdn.bcebos.com ufosdk.baidu.com office-online.baidu.com office-online-gray.baidu.com hidoc-office-online-gray.weiyun.baidu.com uflow.baidu-int.com uflow-gray.baidu-int.com jsdk.baidu.com libs.baidu.com fe.bdimg.com hmcdn.baidu.com hm.baidu.com himonitor.baidu.com cdn.bootcss.com:* qapm.baidu.com *.qatest.baidu.com *.cdn.bcebos.com *.bcebos.com; object-src 'self'; frame-src 'self' baidu: *.infoflow.baidu.com *.im.baidu.com *.neisou.baidu-int.com passport.baidu.com uuap.baidu.com uuap.baidu-int.com hmcdn.baidu.com hm.baidu.com office-service.baidu.com office-service-gray.baidu.com office-gray.weiyun.baidu.com http://office-service-gray.baidu.com https://office-service-gray.baidu.com http://office-gray.weiyun.baidu.com https://office-gray.weiyun.baidu.com ufosdk.baidu.com http://office-online.baidu.com https://office-online.baidu.com office-online-gray.baidu.com hidoc-office-online-gray.weiyun.baidu.com learn.baidu.com wvjbscheme: webviewprogressproxy: data:; report-uri https://log.im.baidu.com/gc/csp-report https://report-uri.baidu.com/report?app=hi
            Content-Type: text/html; charset=utf-8
            Date: Thu, 10 Oct 2024 10:20:26 GMT
            Env: online
            Etag: "661924a9-11c2"
            Last-Modified: Fri, 12 Apr 2024 12:10:17 GMT
            Server: openresty
            Vary: Accept-Encoding
            X-Envoy-Upstream-Service-Time: 1
            X-Logid: 499526619534187520
            X-Xss-Protection: 1;mode=block
          • DNS (US)
            crl.microsoft.com
            Remote address:
            8.8.8.8:53
            Request
            crl.microsoft.com
            IN A
            Response
            crl.microsoft.com
            IN CNAME
            crl.www.ms.akadns.net
            crl.www.ms.akadns.net
            IN CNAME
            a1363.dscg.akamai.net
            a1363.dscg.akamai.net
            IN A
            2.19.117.18
            a1363.dscg.akamai.net
            IN A
            2.19.117.22
          • GET (GB)
            http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
            Remote address:
            2.19.117.18:80
            Request
            GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
            User-Agent: Microsoft-CryptoAPI/6.1
            Host: crl.microsoft.com
            Response
            HTTP/1.1 200 OK
            Content-Length: 1036
            Content-Type: application/octet-stream
            Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
            Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
            ETag: 0x8DCDDD1E3AF2C76
            Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
            x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
            x-ms-version: 2009-09-19
            x-ms-lease-status: unlocked
            x-ms-blob-type: BlockBlob
            Date: Thu, 10 Oct 2024 10:20:57 GMT
            Connection: keep-alive
          • 104.193.88.126:80
            http://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df
            http
            d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            687 B
            550 B
            9
            8

            HTTP Request

            GET http://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df

            HTTP Response

            302
          • 104.193.88.126:443
            https://infoflow.baidu.com/
            tls, http
            d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            1.4kB
            13.0kB
            17
            22

            HTTP Request

            GET https://infoflow.baidu.com/

            HTTP Response

            200
          • 2.19.117.18:80
            http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
            http
            399 B
            1.7kB
            4
            4

            HTTP Request

            GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

            HTTP Response

            200
          • 8.8.8.8:53
            hi.baidu.com
            dns
            d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            58 B
            143 B
            1
            1

            DNS Request

            hi.baidu.com

            DNS Response

            104.193.88.126
            104.193.88.125

          • 8.8.8.8:53
            infoflow.baidu.com
            dns
            d62dda6f7c67df34a12d2a79b4b6768246abeaada5b8f5f5bb32be7b438346deN.exe
            64 B
            149 B
            1
            1

            DNS Request

            infoflow.baidu.com

            DNS Response

            104.193.88.126
            104.193.88.125

          • 8.8.8.8:53
            crl.microsoft.com
            dns
            63 B
            162 B
            1
            1

            DNS Request

            crl.microsoft.com

            DNS Response

            2.19.117.18
            2.19.117.22

          MITRE ATT&CK Enterprise v15

          Downloads

          • memory/1196-31-0x00000000040F0000-0x00000000040F1000-memory.dmp

            Filesize

            4KB

          • memory/1196-40-0x00000000040F0000-0x00000000040F1000-memory.dmp

            Filesize

            4KB

          • memory/2132-0-0x0000000000400000-0x0000000000561000-memory.dmp

            Filesize

            1.4MB

          • memory/2132-4-0x0000000000401000-0x0000000000402000-memory.dmp

            Filesize

            4KB

          • memory/2132-3-0x0000000000230000-0x0000000000232000-memory.dmp

            Filesize

            8KB

          • memory/2132-5-0x0000000000240000-0x0000000000242000-memory.dmp

            Filesize

            8KB

          • memory/2132-7-0x0000000000400000-0x0000000000561000-memory.dmp

            Filesize

            1.4MB
