Analysis

  • max time kernel
    96s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2024, 06:57 UTC

General

  • Target

    d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe

  • Size

    2.5MB

  • MD5

    187b9b21317fc31a90a5b804102e15b0

  • SHA1

    c99f09128e405dd75bf218e80c048c613ef90359

  • SHA256

    d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051

  • SHA512

    d75fe63e440260c701fecb500e2f8f62e97207f31610d6a93b28fa0f33a0df9d80c665c1e86692933862cb1ecc4979f48aa643b0ad95aa484d6822a24bd44434

  • SSDEEP

    49152:q2daHSl4E1Kn2w719v6ODWb2h7dk2YCRq7fjN8QC7a0N9esKsJIV4:P1K2Vio2h7G2YCRq7h5C7aHs7o

Score
10/10

Malware Config

Extracted

Family

latrodectus

C2

https://proliforetka.com/test/

https://dogirafer.com/test/

Signatures

  • Latrodectus family
  • Latrodectus loader

    Latrodectus is a loader written in C++.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe (PID 1056, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe"
    • Deletes itself
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.exe (PID 5088, depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.exe"
      • Executes dropped EXE

Network

  • flag-us DNS 232.168.11.51.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 232.168.11.51.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 73.31.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 73.31.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 28.118.140.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 28.118.140.52.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 53.210.109.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 53.210.109.20.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 241.42.69.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 241.42.69.40.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 86.49.80.91.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 86.49.80.91.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 181.129.81.91.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 181.129.81.91.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 172.214.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • flag-us DNS 172.214.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.214.232.199.in-addr.arpa IN PTR
  • flag-us DNS 31.243.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 31.243.111.52.in-addr.arpa IN PTR
    Response: (empty)
No results found
  • 8.8.8.8:53  232.168.11.51.in-addr.arpa  dns  sent 72 B, received 158 B, 1 request, 1 response
    DNS Request: 232.168.11.51.in-addr.arpa
  • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  sent 74 B, received 128 B, 1 request, 1 response
    DNS Request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53  73.31.126.40.in-addr.arpa  dns  sent 71 B, received 157 B, 1 request, 1 response
    DNS Request: 73.31.126.40.in-addr.arpa
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  sent 73 B, received 144 B, 1 request, 1 response
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53  28.118.140.52.in-addr.arpa  dns  sent 72 B, received 158 B, 1 request, 1 response
    DNS Request: 28.118.140.52.in-addr.arpa
  • 8.8.8.8:53  53.210.109.20.in-addr.arpa  dns  sent 72 B, received 158 B, 1 request, 1 response
    DNS Request: 53.210.109.20.in-addr.arpa
  • 8.8.8.8:53  241.42.69.40.in-addr.arpa  dns  sent 71 B, received 145 B, 1 request, 1 response
    DNS Request: 241.42.69.40.in-addr.arpa
  • 8.8.8.8:53  86.49.80.91.in-addr.arpa  dns  sent 70 B, received 145 B, 1 request, 1 response
    DNS Request: 86.49.80.91.in-addr.arpa
  • 8.8.8.8:53  181.129.81.91.in-addr.arpa  dns  sent 72 B, received 147 B, 1 request, 1 response
    DNS Request: 181.129.81.91.in-addr.arpa
  • 8.8.8.8:53  172.214.232.199.in-addr.arpa  dns  sent 148 B, received 128 B, 2 requests, 1 response
    DNS Request: 172.214.232.199.in-addr.arpa
    DNS Request: 172.214.232.199.in-addr.arpa
  • 8.8.8.8:53  31.243.111.52.in-addr.arpa  dns  sent 72 B, received 158 B, 1 request, 1 response
    DNS Request: 31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.exe

    Filesize

    2.5MB

    MD5

    187b9b21317fc31a90a5b804102e15b0

    SHA1

    c99f09128e405dd75bf218e80c048c613ef90359

    SHA256

    d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051

    SHA512

    d75fe63e440260c701fecb500e2f8f62e97207f31610d6a93b28fa0f33a0df9d80c665c1e86692933862cb1ecc4979f48aa643b0ad95aa484d6822a24bd44434

  • memory/1056-0-0x0000000140000000-0x0000000141CB2000-memory.dmp

    Filesize

    28.7MB

  • memory/1056-4-0x0000021CBA8F0000-0x0000021CBC5A0000-memory.dmp

    Filesize

    28.7MB

  • memory/1056-11-0x00007FF713DD0000-0x00007FF714061000-memory.dmp

    Filesize

    2.6MB