Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2025, 17:26 UTC
Behavioral task
behavioral1
Sample
2025-01-31_863ffc1233423a9eb12789bfa79188b6_backswap_karagany_mafia.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-01-31_863ffc1233423a9eb12789bfa79188b6_backswap_karagany_mafia.exe
Resource
win10v2004-20250129-en
General
-
Target
2025-01-31_863ffc1233423a9eb12789bfa79188b6_backswap_karagany_mafia.exe
-
Size
15.6MB
-
MD5
863ffc1233423a9eb12789bfa79188b6
-
SHA1
9181018cd4993da3deae90dbc23d6a72817c01df
-
SHA256
303e22f70056b457fc98c136dbe527f1dc5c9845c472a460271a33ff006abe92
-
SHA512
b5b925f6664f836f1ca8adc89c3a1cb1b8c4bd43816c033d0a53c26385a4d88734a05bf5cfcee1074f2fac353948e9e7f089cecd0d41d3d51d1075314bd892a9
-
SSDEEP
196608:ZvDllryzPpCLka9+6Y7SOEibgRavDllryzPpCLbA11isVFE:ZvDllryzPpekFgRavDllryzPpebA1tI
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-31_863ffc1233423a9eb12789bfa79188b6_backswap_karagany_mafia.exe
Processes
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1AD379B7C72C62143EA36C32C6B36341; domain=.bing.com; expires=Wed, 25-Feb-2026 17:26:44 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2B7954270E27440396CD608605B1FDD1 Ref B: LON601060103052 Ref C: 2025-01-31T17:26:44Z
date: Fri, 31 Jan 2025 17:26:43 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1AD379B7C72C62143EA36C32C6B36341
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=ndom4SwKQARPi4k2N8n1K83VB9cUEET5m741h7KGfBI; domain=.bing.com; expires=Wed, 25-Feb-2026 17:26:44 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F3F9BFE494704F548BD294C98BB19EF2 Ref B: LON601060103052 Ref C: 2025-01-31T17:26:44Z
date: Fri, 31 Jan 2025 17:26:44 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1AD379B7C72C62143EA36C32C6B36341; MSPTC=ndom4SwKQARPi4k2N8n1K83VB9cUEET5m741h7KGfBI
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B88F16283C434F73AEA909FEC9CFE01E Ref B: LON601060103052 Ref C: 2025-01-31T17:26:44Z
date: Fri, 31 Jan 2025 17:26:44 GMT
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request66.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request57.169.31.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request57.169.31.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request70.252.19.2.in-addr.arpaIN PTRResponse70.252.19.2.in-addr.arpaIN PTRa2-19-252-70deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request181.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
150.171.27.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=tls, http22.3kB 9.7kB 24 20
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=db4f4f043a6942a3a1fdab65b84b97a4&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=HTTP Response
204
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.27.10150.171.28.10
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
66.160.190.20.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
57.169.31.20.in-addr.arpa
DNS Request
57.169.31.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
70.252.19.2.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
181.129.81.91.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
86.49.80.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa