Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/12/2024, 19:10 UTC

General

  • Target

    f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe

  • Size

    748KB

  • MD5

    5152b43ac6e49caf199a1de7cf0bc960

  • SHA1

    24b71e505a7393d79c19bc80337a791f217fc35a

  • SHA256

    f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1

  • SHA512

    e1357319f225e95c32cd526285ac9b22b0f625a05e7c166b10f4261fae6351c5e455d700c4b9ff20fa63beba658d68b461af911f376961cd20f893be928f4667

  • SSDEEP

    12288:q6f13oK/cDVrSs0SYnIuJ1sIugOGxu5ejMuHLO36eQoqkkT2fP4VD:q6ftojDBeSYnIezZtuGMuHGcT2

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

1.15.12.73:4567
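How a C2 like the `1.15.12.73:4567` above can be recovered from the payload bytes. The Python below is an added example written for this page; it is not tria.ge's extractor and not code from the sample. It assumes the classic unmodified msfvenom x86 `reverse_tcp` layout, in which the stager pushes the IPv4 address and then `AF_INET` plus the big-endian port as two `push imm32` instructions immediately before `mov esi, esp`, preceded by the well-known `block_api` hash-lookup prologue. `SAMPLE_BLOB` and `DECOY_BLOB` are constructed inputs, not bytes from this sample's memory dumps.

```python
import re
import socket
import struct
from typing import List, Tuple

# Hash-lookup prologue (block_api) that opens the classic x86 msfvenom
# stagers: cld; call <api_call>; pushad; mov ebp,esp; xor eax,eax;
# mov edx,fs:[eax+0x30]. The call displacement's low byte varies between
# payload builds, hence the wildcard.
BLOCK_API_PROLOGUE = re.compile(
    rb"\xfc\xe8.\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30", re.DOTALL
)

# push imm32 (IPv4 in wire order); push imm32 (AF_INET=2, then port in
# big-endian); mov esi, esp  -> esi points at the sockaddr_in for connect().
SOCKADDR_PUSH = re.compile(
    rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})\x89\xe6", re.DOTALL
)


def sockaddr_push_bytes(ip: str, port: int) -> bytes:
    """Bytes the stager emits for a given C2; usable as a grep/YARA hex string."""
    return (
        b"\x68" + socket.inet_aton(ip)
        + b"\x68\x02\x00" + struct.pack(">H", port)
        + b"\x89\xe6"
    )


def extract_reverse_tcp_c2(blob: bytes, require_prologue: bool = True) -> List[Tuple[str, int]]:
    """Return every (ip, port) pushed in the reverse_tcp idiom.

    With require_prologue the block_api stub must appear earlier in the blob,
    which filters out accidental 68..68 02 00.. 89 e6 byte runs in unrelated data.
    """
    hits: List[Tuple[str, int]] = []
    for m in SOCKADDR_PUSH.finditer(blob):
        if require_prologue and not BLOCK_API_PROLOGUE.search(blob, 0, m.start()):
            continue
        ip = socket.inet_ntoa(m.group("ip"))
        (port,) = struct.unpack(">H", m.group("port"))
        hits.append((ip, port))
    return hits


# Constructed test inputs (not bytes from this sample's dumps): a stager-like
# fragment carrying the report's C2, and a decoy with the pushes but no prologue.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    + b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"      # start of the module walk
    + b"\x90" * 24                                  # rest of the stub elided
    + b"\x6a\x05"                                   # push 5 (connect retries)
    + sockaddr_push_bytes("1.15.12.73", 4567)
    + b"\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5"  # push 16; push esi; push edi; push hash(connect); call ebp
    + b"\x00" * 32
)
DECOY_BLOB = b"\x00" * 8 + sockaddr_push_bytes("10.0.0.1", 80) + b"\x00" * 8


if __name__ == "__main__":
    print("expected marker:", sockaddr_push_bytes("1.15.12.73", 4567).hex())
    print("sample:", extract_reverse_tcp_c2(SAMPLE_BLOB))
    print("decoy :", extract_reverse_tcp_c2(DECOY_BLOB),
          extract_reverse_tcp_c2(DECOY_BLOB, require_prologue=False))
```

Run it against decoded memory regions (for this report, the 0x400000-0x5EC000 dumps listed under Downloads) rather than the packed file on disk: an encoder such as shikata_ga_nai, or the x64 variant of the stager, changes the bytes and the patterns above will not match until the payload has unpacked itself in memory.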

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the victim's system language in order to infer the host's geographical location.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe
    "C:\Users\Admin\AppData\Local\Temp\f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Users\Admin\AppData\Local\Temp\f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe
      "C:\Users\Admin\AppData\Local\Temp\f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe" Admin
      2⤵
      • Enumerates connected drives
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4964
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3908

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      info.178stu.com
      f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe
      Remote address:
      8.8.8.8:53
      Request
      info.178stu.com
      IN A
      Response
      info.178stu.com
      IN A
      103.133.93.52
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      67.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      73.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.190.18.2.in-addr.arpa
      IN PTR
      Response
      73.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-73.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      23.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      67.112.168.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.112.168.52.in-addr.arpa
      IN PTR
      Response
    • 1.15.12.73:4567
      f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe
      52 B
      1
    • 1.15.12.73:4567
      f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe
      260 B
      5
    • 103.133.93.52:80
      info.178stu.com
      f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe
      260 B
      5
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      info.178stu.com
      dns
      f1cb1bc022b7b261163dc47a73f62ba5f34a58688e3316ac4d27aafcf1088ad1.exe
      61 B
      77 B
      1
      1

      DNS Request

      info.178stu.com

      DNS Response

      103.133.93.52

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      67.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      67.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      73.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      73.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      23.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      67.112.168.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      67.112.168.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/3096-12-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/3096-2-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/3096-1-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/3096-5-0x0000000000760000-0x0000000000761000-memory.dmp

      Filesize

      4KB

    • memory/3096-6-0x0000000000760000-0x0000000000761000-memory.dmp

      Filesize

      4KB

    • memory/3096-3-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/3096-4-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/3096-7-0x0000000000840000-0x0000000000841000-memory.dmp

      Filesize

      4KB

    • memory/3096-0-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/4964-11-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/4964-10-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/4964-13-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/4964-14-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/4964-16-0x0000000000680000-0x0000000000681000-memory.dmp

      Filesize

      4KB

    • memory/4964-17-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB

    • memory/4964-20-0x0000000000400000-0x00000000005EC000-memory.dmp

      Filesize

      1.9MB