Analysis
- max time kernel: 110s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11 Oct 2024, 21:31 UTC
Behavioral task: behavioral1
- Sample: dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
- Resource: win7-20241010-en
Note: only the behavioral1 (Windows 7) task header survived in this extract. The Analysis block above describes a Windows 10 run (win10v2004-20241007-en), and the YARA memory and file matches under Signatures are tagged behavioral2, so those matches come from the Windows 10 task, not from behavioral1.
General
- Target: dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
- Size: 83KB
- MD5: 9737e48642bc5ab60a65e1836271f5e0
- SHA1: c176708c39d7f4320c35716640023cda702c9f24
- SHA256: dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07
- SHA512: dc12d925d918be122894d89d13ce9ae32fc5ef1fd19b2ed0f87611fa64d44e5585566fb5b6f0934242fb56ec609a2bef56d9eca8a54bd30b75dc560062904867
- SSDEEP: 1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+OK:LJ0TAz6Mte4A+aaZx8EnCGVuO
Malware Config
Signatures
- UPX (YARA rule: upx) 6 IoCs
  resource | yara_rule
  behavioral2/memory/2992-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2992-2-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2992-6-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/files/0x000e00000001e580-12.dat | upx
  behavioral2/memory/2992-15-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2992-22-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  The rule fires on the sample's own image range (0x400000-0x42A000, PID 2992) on every memory snapshot and on one dropped file, so the packer stub stays resident rather than being overwritten after unpacking.
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
  Reading this key is not malicious on its own (installers, runtimes and the shell all do it); it is worth noting here because the key holds the install language as an LCID, which commodity malware commonly uses as a "do not run in locale X" gate. The report does not show which value, if any, the sample read or what it did with it.
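The IoC above is a single registry open; in a fuller event stream a responder wants to pull out exactly those opens, ignore the processes that read the key routinely, and translate the LCID the key stores into a locale name. The following is an added example written for this page, not tria.ge code: the event records are constructed to mirror the report's IoC, and the allowlist and LCID table are illustrative.

```python
"""Flag System Language Discovery (ATT&CK T1614.001) in sandbox registry events.

Added example, not part of the tria.ge report: the event records below are
constructed to mirror the report's single IoC, and the allowlist and the LCID
table are this editor's illustration, not sandbox output.
"""
import re

# Any Control\Nls\Language key under any control set, case-insensitive.
NLS_LANGUAGE_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\Nls\\Language(\\.*)?$",
    re.IGNORECASE,
)
# Processes for which reading the language key is routine on a Windows VM (illustrative allowlist).
BENIGN_READERS = {"explorer.exe", "svchost.exe", "msiexec.exe", "searchui.exe"}
# A few Windows LCIDs as stored in the key's Default value (hex string), for the analyst's benefit.
LCID_NAMES = {"0409": "en-US", "0419": "ru-RU", "0422": "uk-UA", "0804": "zh-CN", "0407": "de-DE"}


def is_language_discovery(event):
    """True for an open/query of the NLS Language key by a process outside the allowlist."""
    if event["op"] not in ("RegOpenKey", "RegQueryValue"):
        return False
    if not NLS_LANGUAGE_KEY.match(event["path"]):
        return False
    return event["process"].lower() not in BENIGN_READERS


def describe_locale(lcid_hex):
    """Map the Default value of ...\\Nls\\Language (e.g. '0409') to a locale name."""
    return LCID_NAMES.get(lcid_hex.lower().zfill(4), "unknown LCID " + lcid_hex)


def triage(events):
    """Return the matching events annotated with the ATT&CK sub-technique id."""
    return [dict(e, ttp="T1614.001") for e in events if is_language_discovery(e)]


# Constructed events: the report's IoC, one benign reader and one unrelated key.
EVENTS = [
    {"process": "dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe",
     "op": "RegOpenKey",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"process": "explorer.exe", "op": "RegQueryValue",
     "path": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language\Default"},
    {"process": "sample.exe", "op": "RegOpenKey",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["process"], hit["op"], hit["path"], hit["ttp"])
    print(describe_locale("0409"))
```

The allowlist is the part that needs tuning per environment; the regex deliberately accepts both CurrentControlSet and the numbered ControlSet00N paths, since sandboxes report the resolved name as seen in this IoC.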
Processes
Network
- DNS (8.8.8.8:53): g.bing.com IN A
  Response: g.bing.com IN CNAME g-bing-com.ax-0001.ax-msedge.net; g-bing-com.ax-0001.ax-msedge.net IN CNAME ax-0001.ax-msedge.net; ax-0001.ax-msedge.net IN A 150.171.28.10; ax-0001.ax-msedge.net IN A 150.171.27.10
- GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
  Remote address: 150.171.28.10:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198; domain=.bing.com; expires=Wed, 05-Nov-2025 21:31:34 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AB1BB46331404BEA8F48170D8BF0F2CA Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
    date: Fri, 11 Oct 2024 21:31:33 GMT
  The three g.bing.com requests in this capture carry the WindowsShellClient user-agent and have no process attributed to them in the connection summary; they are Windows 10 shell background traffic seen in any fresh VM, not activity of the sample, and should be excluded from any indicators derived from this report.
- GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
  Remote address: 150.171.28.10:443
  Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=IqBddhOm1aEz8l4-LJweXcAx5OwvdJdY0Cir47mrpRc; domain=.bing.com; expires=Wed, 05-Nov-2025 21:31:34 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B93867FB94844A78AB9476B174BFB4B7 Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
    date: Fri, 11 Oct 2024 21:31:33 GMT
- GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
  Remote address: 150.171.28.10:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198; MSPTC=IqBddhOm1aEz8l4-LJweXcAx5OwvdJdY0Cir47mrpRc
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D4A61580E0AE4F528CB114EB8CF5B6B1 Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
    date: Fri, 11 Oct 2024 21:31:33 GMT
- DNS (8.8.8.8:53): 14.160.190.20.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (8.8.8.8:53): 83.210.23.2.in-addr.arpa IN PTR
  Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com
- DNS (8.8.8.8:53): 95.221.229.192.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (8.8.8.8:53): wecan.hasthe.technology IN A
  Response: wecan.hasthe.technology IN A 172.67.183.40; wecan.hasthe.technology IN A 104.21.59.199
- POST http://wecan.hasthe.technology/upload (process: dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe)
  Remote address: 172.67.183.40:80
  Request:
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------f2b611087a518552
  Response:
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 11 Oct 2024 22:32:03 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2FTKoXK4J%2BryhHb0UP6VQjZsF23lhJq%2B8YV6VnRG0pxrYokE5ynp23cvBnq24N9%2F3GAJaNTAJTSu853Tjt0%2BAQWyZVtFv%2Fzx%2BwCnnqJi9IkG8OtlRZtpyU0gZborl3GVgZeK0h3%2BMW52mw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d11f5ea9fd36397-LHR
  What to take from this exchange: this is the only HTTP traffic the report attributes to the sample. It sends an 85,412-byte multipart/form-data body over plain HTTP to /upload on a Cloudflare-fronted host. The request header set (Accept: */*, Expect: 100-continue on a large POST, and a boundary made of a run of dashes followed by 16 hex digits) matches the defaults of libcurl's multipart support, so the binary very likely embeds libcurl; that is an inference from the headers, not a finding the report states. The body is within a few hundred bytes of the 83KB sample size, which is consistent with the file uploading itself, but the body itself is not captured here, so treat that as unconfirmed. The server does not accept the upload: it answers 301 to https://computernewb.com/collab-vm/, and the sample neither follows the redirect nor stops. It repeats the identical POST twice more at roughly 30-second intervals (Expires is max-age=3600 past each request: 22:32:03, 22:32:33 and 22:33:04, i.e. requests at 21:32:03, 21:32:33 and 21:33:04 UTC), and the connection summary records about 88.5kB sent on each attempt, so the full body was transmitted every time despite the redirect.
- DNS (8.8.8.8:53): 197.87.175.4.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (8.8.8.8:53): 40.183.67.172.in-addr.arpa IN PTR (reverse of the upload host 172.67.183.40)
  Response: (no answer)
- DNS (8.8.8.8:53): 171.39.242.20.in-addr.arpa IN PTR
  Response: (no answer)
- POST http://wecan.hasthe.technology/upload (process: dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe)
  Remote address: 172.67.183.40:80
  Request:
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------1f24b5b5fbb7e986
  Response:
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 11 Oct 2024 22:32:33 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=In8yMd4joVS6g6xnp0u4LFesy6mU97nxBHquIPlt6dcExD%2FFTUyxQH5VyNUpv1WhCPo5p1HF%2Bwog9yT03UG0IVi5QorqQzpL0P7DqWTP%2BkVPKh4pQWKWwWgzDxvjKt6GzdSnZJSW585slQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d11f6a71b8552d8-LHR
- POST http://wecan.hasthe.technology/upload (process: dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe)
  Remote address: 172.67.183.40:80
  Request:
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------84424ca96a8dc773
  Response:
    HTTP/1.1 301 Moved Permanently
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 11 Oct 2024 22:33:04 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4QVDcbB7F3f4KYvpfpIPOugucDEFjS4eC6NUQgdk5JLnbOqxoxDS9y%2BHBLs4TfZAkkt7vt1z6dAVwMv%2Baa7jqUdfTpmucl7YyWsZSNcEm935tNgMwNOSuLsBaIOhOn%2FnHhhCyH%2BkO%2BvELg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d11f763a9e84969-LHR
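The three POST exchanges above are what an analyst would script against when turning this report into indicators: separate the sample's traffic from the VM's background requests, recognise the libcurl multipart fingerprint, compare the upload size with the sample, and recover the retry cadence from the cache headers. The following is an added example written for this page, not tria.ge code: the request and response texts are reconstructed from the report's entries (bodies were not captured), the 83KB sample size is taken as 83*1024 bytes because the exact count is not on the page, and the heuristics are this editor's.

```python
"""Triage the HTTP exchanges from a sandbox network log.

Added example, not part of the tria.ge report: the request/response texts
below are reconstructed from the report's own entries, and the heuristics
(libcurl multipart fingerprint, upload-size check, background-noise filter,
retry timing from Expires minus max-age) are this editor's, not the sandbox's.
"""
import re
from datetime import datetime, timedelta, timezone

# Multipart boundary emitted by libcurl's mime code: 24 dashes followed by 16 hex digits.
LIBCURL_BOUNDARY = re.compile(r"^-{24}[0-9a-f]{16}$")
# User-agents that are Windows background traffic in a fresh sandbox VM, not the sample.
BACKGROUND_UA = ("WindowsShellClient/",)
HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"


def parse_message(raw):
    """Split 'START-LINE\\nHeader: value\\n...' into (start_line, {lowercase header: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def boundary_of(headers):
    """Return the multipart boundary from Content-Type, or None if not multipart."""
    m = re.search(r"boundary=(\S+)", headers.get("content-type", ""))
    return m.group(1) if m else None


def classify(url, request_raw, response_raw, sample_size):
    """Return triage facts about one request/response pair."""
    start, req = parse_message(request_raw)
    status_line, resp = parse_message(response_raw)
    method = start.split()[0]
    status = int(status_line.split()[1])
    body_len = int(req.get("content-length", 0))
    boundary = boundary_of(req)
    return {
        "method": method,
        "status": status,
        "plaintext": url.lower().startswith("http://"),
        "background_noise": req.get("user-agent", "").startswith(BACKGROUND_UA),
        "multipart_upload": method == "POST" and boundary is not None,
        "libcurl_fingerprint": (
            boundary is not None
            and LIBCURL_BOUNDARY.match(boundary) is not None
            and req.get("accept") == "*/*"
            and req.get("expect", "").lower() == "100-continue"
        ),
        # Body length minus sample size: a small positive delta (multipart framing
        # overhead) means the body is about the size of the sample itself.
        "body_minus_sample": body_len - sample_size if body_len else None,
        "redirected_to": resp.get("location"),
    }


def request_times(expires_values, max_age):
    """Recover server-side request timestamps from Expires minus Cache-Control max-age."""
    return [datetime.strptime(v, HTTP_DATE).replace(tzinfo=timezone.utc) - timedelta(seconds=max_age)
            for v in expires_values]


def retry_intervals(expires_values, max_age):
    """Seconds between successive requests, derived from their Expires headers."""
    ts = request_times(expires_values, max_age)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


# Constructed from the report's first POST and first GET (headers only; bodies were not captured).
UPLOAD_REQ = (
    "POST /upload HTTP/1.1\n"
    "Host: wecan.hasthe.technology\n"
    "Accept: */*\n"
    "Content-Length: 85412\n"
    "Expect: 100-continue\n"
    "Content-Type: multipart/form-data; boundary=" + "-" * 24 + "f2b611087a518552\n"
)
UPLOAD_RESP = (
    "HTTP/1.1 301 Moved Permanently\n"
    "Content-Type: text/html\n"
    "Content-Length: 167\n"
    "Location: https://computernewb.com/collab-vm/\n"
    "Server: cloudflare\n"
)
BING_REQ = (
    "GET /neg/0?action=emptycreativeimpression HTTP/2.0\n"
    "host: g.bing.com\n"
    "accept-encoding: gzip, deflate\n"
    "user-agent: WindowsShellClient/9.0.40929.0 (Windows)\n"
)
BING_RESP = "HTTP/2.0 204\npragma: no-cache\n"
SAMPLE_SIZE = 83 * 1024  # assumption: the report lists 83KB, not an exact byte count
POST_EXPIRES = ["Fri, 11 Oct 2024 22:32:03 GMT", "Fri, 11 Oct 2024 22:32:33 GMT",
                "Fri, 11 Oct 2024 22:33:04 GMT"]

if __name__ == "__main__":
    print(classify("http://wecan.hasthe.technology/upload", UPLOAD_REQ, UPLOAD_RESP, SAMPLE_SIZE))
    print(classify("https://g.bing.com/neg/0", BING_REQ, BING_RESP, SAMPLE_SIZE))
    print(retry_intervals(POST_EXPIRES, 3600))
```

The libcurl check requires all three defaults together (boundary shape, Accept: */*, Expect: 100-continue); any one of them alone is too common to be a fingerprint. The Expires trick only works when the server sets a fixed Cache-Control max-age, as the Cloudflare edge does here.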
- DNS (8.8.8.8:53): 13.227.111.52.in-addr.arpa IN PTR
  Response: (no answer)
Connections (remote address | URL | protocol | process | bytes sent | bytes received | packets sent | packets received)
- 150.171.28.10:443 | https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= | tls, http2 | (no process attributed) | 2.0kB | 9.4kB | 22 | 19
  GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= → HTTP 204
  GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= → HTTP 204
  GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= → HTTP 204
- 172.67.183.40:80 | http://wecan.hasthe.technology/upload | http | dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe | 88.5kB | 1.9kB | 72 | 25
  POST http://wecan.hasthe.technology/upload → HTTP 301
- 172.67.183.40:80 | http://wecan.hasthe.technology/upload | http | dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe | 88.5kB | 1.9kB | 71 | 27
  POST http://wecan.hasthe.technology/upload → HTTP 301
- 172.67.183.40:80 | http://wecan.hasthe.technology/upload | http | dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe | 88.4kB | 2.3kB | 70 | 35
  POST http://wecan.hasthe.technology/upload → HTTP 301
DNS summary (resolver | query | protocol | process | bytes sent | bytes received | requests | responses)
- 8.8.8.8:53 | g.bing.com (A) | dns | (no process attributed) | 56 B | 148 B | 1 | 1
  Response: 150.171.28.10, 150.171.27.10
- 8.8.8.8:53 | 14.160.190.20.in-addr.arpa (PTR) | dns | (no process attributed) | 72 B | 158 B | 1 | 1
- 8.8.8.8:53 | 83.210.23.2.in-addr.arpa (PTR) | dns | (no process attributed) | 70 B | 133 B | 1 | 1
- 8.8.8.8:53 | 95.221.229.192.in-addr.arpa (PTR) | dns | (no process attributed) | 73 B | 144 B | 1 | 1
- 8.8.8.8:53 | wecan.hasthe.technology (A) | dns | dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe | 69 B | 101 B | 1 | 1
  Response: 172.67.183.40, 104.21.59.199
- 8.8.8.8:53 | 197.87.175.4.in-addr.arpa (PTR) | dns | (no process attributed) | 71 B | 157 B | 1 | 1
- 8.8.8.8:53 | 40.183.67.172.in-addr.arpa (PTR) | dns | (no process attributed) | 72 B | 134 B | 1 | 1
- 8.8.8.8:53 | 171.39.242.20.in-addr.arpa (PTR) | dns | (no process attributed) | 72 B | 158 B | 1 | 1
- 8.8.8.8:53 | 13.227.111.52.in-addr.arpa (PTR) | dns | (no process attributed) | 72 B | 158 B | 1 | 1
The only DNS query attributed to the sample is the A lookup of wecan.hasthe.technology; the reverse (PTR) lookups carry no process and are sandbox or OS activity, including the one for 172.67.183.40, the upload host the sample had just contacted.
MITRE ATT&CK Enterprise v15
- T1614.001 System Location Discovery: System Language Discovery (from the NLS\Language key open under Signatures)
Downloads
- Filesize: 83KB
  MD5: 3fed4d2deb188796998512a99edd779b
  SHA1: be7c03cae87a14a675541bc9f08647eff139dde3
  SHA256: 8a1e66b079009785dc753382e7292802e13d14256c5d4707cb20858158986b2b
  SHA512: c8a8201eae51a603cc368f33bffd403ecf2073bbe7b51aec89ed329de07355730e7c45257966f059367c997c81d50995a24108ffd0bd82d25b640908dcef555e
  This dropped file has the same 83KB size as the submitted sample but different hashes, and is presumably the behavioral2/files/0x000e00000001e580-12.dat that matched the upx rule above; the report does not give its path on disk, so the relationship to the sample (a modified copy or a separate payload) is not established here.