Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    110s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2024, 21:31 UTC

General

  • Target

    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

  • Size

    83KB

  • MD5

    9737e48642bc5ab60a65e1836271f5e0

  • SHA1

    c176708c39d7f4320c35716640023cda702c9f24

  • SHA256

    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07

  • SHA512

    dc12d925d918be122894d89d13ce9ae32fc5ef1fd19b2ed0f87611fa64d44e5585566fb5b6f0934242fb56ec609a2bef56d9eca8a54bd30b75dc560062904867

  • SSDEEP

    1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+OK:LJ0TAz6Mte4A+aaZx8EnCGVuO

Score
5/10

Malware Config

Signatures

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    "C:\Users\Admin\AppData\Local\Temp\dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe"
    • System Location Discovery: System Language Discovery
    PID:2992

Network

  • DNS (US)
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198; domain=.bing.com; expires=Wed, 05-Nov-2025 21:31:34 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AB1BB46331404BEA8F48170D8BF0F2CA Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
    date: Fri, 11 Oct 2024 21:31:33 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=IqBddhOm1aEz8l4-LJweXcAx5OwvdJdY0Cir47mrpRc; domain=.bing.com; expires=Wed, 05-Nov-2025 21:31:34 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B93867FB94844A78AB9476B174BFB4B7 Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
    date: Fri, 11 Oct 2024 21:31:33 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198; MSPTC=IqBddhOm1aEz8l4-LJweXcAx5OwvdJdY0Cir47mrpRc
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D4A61580E0AE4F528CB114EB8CF5B6B1 Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
    date: Fri, 11 Oct 2024 21:31:33 GMT
  • DNS (US)
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • DNS (US)
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    wecan.hasthe.technology
    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
    Response
    wecan.hasthe.technology
    IN A
    172.67.183.40
    wecan.hasthe.technology
    IN A
    104.21.59.199
  • POST (US)
    http://wecan.hasthe.technology/upload
    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------f2b611087a518552
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 11 Oct 2024 21:32:03 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 11 Oct 2024 22:32:03 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2FTKoXK4J%2BryhHb0UP6VQjZsF23lhJq%2B8YV6VnRG0pxrYokE5ynp23cvBnq24N9%2F3GAJaNTAJTSu853Tjt0%2BAQWyZVtFv%2Fzx%2BwCnnqJi9IkG8OtlRZtpyU0gZborl3GVgZeK0h3%2BMW52mw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d11f5ea9fd36397-LHR
  • DNS (US)
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    40.183.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.183.67.172.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • POST (US)
    http://wecan.hasthe.technology/upload
    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------1f24b5b5fbb7e986
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 11 Oct 2024 21:32:33 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 11 Oct 2024 22:32:33 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=In8yMd4joVS6g6xnp0u4LFesy6mU97nxBHquIPlt6dcExD%2FFTUyxQH5VyNUpv1WhCPo5p1HF%2Bwog9yT03UG0IVi5QorqQzpL0P7DqWTP%2BkVPKh4pQWKWwWgzDxvjKt6GzdSnZJSW585slQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d11f6a71b8552d8-LHR
  • POST (US)
    http://wecan.hasthe.technology/upload
    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------84424ca96a8dc773
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 11 Oct 2024 21:33:04 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 11 Oct 2024 22:33:04 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4QVDcbB7F3f4KYvpfpIPOugucDEFjS4eC6NUQgdk5JLnbOqxoxDS9y%2BHBLs4TfZAkkt7vt1z6dAVwMv%2Baa7jqUdfTpmucl7YyWsZSNcEm935tNgMwNOSuLsBaIOhOn%2FnHhhCyH%2BkO%2BvELg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d11f763a9e84969-LHR
  • DNS (US)
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

    HTTP Response

    204
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    88.5kB
    1.9kB
    72
    25

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    88.5kB
    1.9kB
    71
    27

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    88.4kB
    2.3kB
    70
    35

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    wecan.hasthe.technology
    dns
    dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
    69 B
    101 B
    1
    1

    DNS Request

    wecan.hasthe.technology

    DNS Response

    172.67.183.40
    104.21.59.199

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    40.183.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    40.183.67.172.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rifaien2-Sk4ieg2efzhJlKPQ.exe

    Filesize

    83KB

    MD5

    3fed4d2deb188796998512a99edd779b

    SHA1

    be7c03cae87a14a675541bc9f08647eff139dde3

    SHA256

    8a1e66b079009785dc753382e7292802e13d14256c5d4707cb20858158986b2b

    SHA512

    c8a8201eae51a603cc368f33bffd403ecf2073bbe7b51aec89ed329de07355730e7c45257966f059367c997c81d50995a24108ffd0bd82d25b640908dcef555e

  • memory/2992-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2992-2-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2992-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2992-15-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2992-22-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB
