Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

BANK RECEIPT.exe

windows7-x64

10

BANK RECEIPT.exe

windows10-2004-x64

7

$PLUGINSDI...ud.dll

windows7-x64

10

$PLUGINSDI...ud.dll

windows10-2004-x64

10

PO.exe

windows7-x64

10

PO.exe

windows10-2004-x64

7

$PLUGINSDI...1h.dll

windows7-x64

10

$PLUGINSDI...1h.dll

windows10-2004-x64

10

STATEMENT ...NT.exe

windows7-x64

10

STATEMENT ...NT.exe

windows10-2004-x64

7

$PLUGINSDI...w4.dll

windows7-x64

10

$PLUGINSDI...w4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 17:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BANK RECEIPT.exe

  • Size

    280KB

  • MD5

    6317a0b98ebd6f0ba716fc1b73b4bf31

  • SHA1

    6f593ad2588b2ca2e561f0b47c9654df9fd95932

  • SHA256

    a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe

  • SHA512

    e29265b8cc385be1c86751dd04dd2a70d727e8e298cd0d0ca250c2c6515c8d1c189511c564de11cf9c3c85d3efed1e23f7ad4b91bcca156b6b7c4341195f449a

  • SSDEEP

    6144:7PXvBKWuizHoEVrwSNvxsjZ+3Dd4ECaGbz3cA+A0MQ01:tKWNVrHNv2lM3yZ+Wf

Score
7/10
discovery

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
    "C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
      "C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
      2⤵
        PID:940
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 988
        2⤵
        • Program crash
        PID:5076
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248
      1⤵
        PID:4768

      Network

      • flag-us
        DNS
        228.249.119.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        228.249.119.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        181.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        181.129.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        181.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        181.129.81.91.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        0.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        232.168.11.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        232.168.11.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        212.20.149.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        212.20.149.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        212.20.149.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        212.20.149.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        198.187.3.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.187.3.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        92.12.20.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        92.12.20.2.in-addr.arpa
        IN PTR
        Response
        92.12.20.2.in-addr.arpa
        IN PTR
        a2-20-12-92deploystaticakamaitechnologiescom
      • flag-us
        DNS
        92.12.20.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        92.12.20.2.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        92.12.20.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        92.12.20.2.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        92.12.20.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        92.12.20.2.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        133.130.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.130.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        83.210.23.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        83.210.23.2.in-addr.arpa
        IN PTR
        Response
        83.210.23.2.in-addr.arpa
        IN PTR
        a2-23-210-83deploystaticakamaitechnologiescom
      No results found
      • 8.8.8.8:53
        228.249.119.40.in-addr.arpa
        dns
        73 B
         159 B
         1
        1

        DNS Request

        228.249.119.40.in-addr.arpa

      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
         90 B
         1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        181.129.81.91.in-addr.arpa
        dns
        144 B
         147 B
         2
        1

        DNS Request

        181.129.81.91.in-addr.arpa

        DNS Request

        181.129.81.91.in-addr.arpa

      • 8.8.8.8:53
        0.159.190.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        0.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        232.168.11.51.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        232.168.11.51.in-addr.arpa

      • 8.8.8.8:53
        97.17.167.52.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        97.17.167.52.in-addr.arpa

      • 8.8.8.8:53
        212.20.149.52.in-addr.arpa
        dns
        144 B
         146 B
         2
        1

        DNS Request

        212.20.149.52.in-addr.arpa

        DNS Request

        212.20.149.52.in-addr.arpa

      • 8.8.8.8:53
        198.187.3.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        198.187.3.20.in-addr.arpa

      • 8.8.8.8:53
        92.12.20.2.in-addr.arpa
        dns
        276 B
         131 B
         4
        1

        DNS Request

        92.12.20.2.in-addr.arpa

        DNS Request

        92.12.20.2.in-addr.arpa

        DNS Request

        92.12.20.2.in-addr.arpa

        DNS Request

        92.12.20.2.in-addr.arpa

      • 8.8.8.8:53
        133.130.81.91.in-addr.arpa
        dns
        72 B
         147 B
         1
        1

        DNS Request

        133.130.81.91.in-addr.arpa

      • 8.8.8.8:53
        83.210.23.2.in-addr.arpa
        dns
        70 B
         133 B
         1
        1

        DNS Request

        83.210.23.2.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsp6C39.tmp\2g6ght2plrugud.dll
        Filesize

        5KB

        MD5

        64ade443342d3aa3790c2846abf93959

        SHA1

        d6668f6881d40dc3dc3d1f627f2721e1d333e698

        SHA256

        ea1deb95fa6614524006ee3260957aef27ebd563f609dde680cace5f2ea09e45

        SHA512

        2fdce6c768ded710d6d011be5317b184a09e10058145bdff545e83df63f5e0f46db4f679161174397b37d0fb2f43abe7275405845742e4a73bc6ef995edf4845

        Download Submit

      • memory/3248-7-0x0000000002440000-0x0000000002442000-memory.dmp

        Filesize

        8KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.