Analysis

  • max time kernel
    25s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/03/2025, 06:10 UTC

General

  • Target

    4255dacb3601f46615055d9d23a538cd.exe

  • Size

    43KB

  • MD5

    4255dacb3601f46615055d9d23a538cd

  • SHA1

    ec34d0c3dc3116f32eee59fc6b84ea0be8030529

  • SHA256

    47dacc41ba9109e87ed4b26564fd6c20b4dfd7c457d0b5b2a32bf45b132da3df

  • SHA512

    084feb9bf61e3641ade20c5c2c2049ec5d4ba1ce85ed5dcbd16c16b4d2dda1c15bdc86ba5ecf86d54676dd5efbe12c147e1e5dba87d29df64aba11a640b15505

  • SSDEEP

    384:eZyDwNU1SoycwJmz0ZmhYYNE4OmMbycXzRpO9D9O5UE5QzwBlpJNakkjh/TzF7p0:kXqglcwJZQE/RycX3vQO+dK+L

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4255dacb3601f46615055d9d23a538cd.exe
    "C:\Users\Admin\AppData\Local\Temp\4255dacb3601f46615055d9d23a538cd.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:5360
    • C:\Users\Admin\AppData\Roaming\appdate.exe
      "C:\Users\Admin\AppData\Roaming\appdate.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4948
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    C:\Users\Admin\AppData\Local\Temp/Server.exe
    1⤵
      PID:4784
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      1⤵
        PID:5300
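The process tree above shows the whole persistence chain: the sample copies itself to %APPDATA%\appdate.exe, the copy adds a Run value, and it then spawns schtasks.exe to register a task named "Server" that fires every minute on a binary in %TEMP%. The following script is an added example (written for this page, not code from tria.ge or from the sample) that triages Sysmon-style process-creation and registry events for exactly those two patterns. The events are constructed to mirror the tree; the Run value name "appdate" and the SID in the registry path are assumptions, since the report does not show them.

```python
"""Triage host events for the two persistence mechanisms in the process tree
above: a scheduled task that fires every minute on a binary in a user-writable
directory, and a Run value pointing at a self-copy in %APPDATA%."""
import re
from typing import Iterable

# Constructed events in Sysmon style (process creation and registry value set).
# Modelled on the tree above but hand-built, not the report's own export; the
# Run value name "appdate" and the SID are assumptions.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\Admin\AppData\Roaming\appdate.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /st 09:00 /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"Image": r"C:\Users\Admin\AppData\Roaming\appdate.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\appdate",
     "Details": r"C:\Users\Admin\AppData\Roaming\appdate.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# schtasks.exe switches that consume the next token as their value.
VALUE_SWITCHES = {"sc", "mo", "tn", "tr", "st", "sd", "ed", "du", "ri", "rl",
                  "ru", "rp", "s", "u", "p", "xml", "d", "m", "i", "ec"}
# Path fragments an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Schedule types that can fire many times per hour, with their unit in minutes.
HIGH_FREQ = {"minute": 1, "hourly": 60}


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch to its value ('' for bare switches such as /create)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts, i = {}, 1  # token 0 is the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] in ("/", "-"):
            key = tok[1:].lower()
            if key in VALUE_SWITCHES and i + 1 < len(tokens):
                opts[key] = tokens[i + 1]
                i += 1
            else:
                opts[key] = ""
        i += 1
    return opts


def is_user_writable(path: str) -> bool:
    """True when the path sits under a directory an unprivileged user owns."""
    p = path.replace("/", "\\").lower()
    return any(frag in p for frag in USER_WRITABLE)


def interval_minutes(opts: dict):
    """Minutes between runs for minute/hourly schedules, else None."""
    sc = opts.get("sc", "").lower()
    if sc not in HIGH_FREQ:
        return None
    mo = opts.get("mo", "1")
    return HIGH_FREQ[sc] * (int(mo) if mo.isdigit() else 1)


def triage(events: Iterable[dict]) -> list:
    """Return findings for tasks and Run values that look like user-land persistence."""
    findings = []
    for ev in events:
        if "TargetObject" in ev:  # registry value set
            if "\\currentversion\\run\\" not in ev["TargetObject"].lower():
                continue
            target = ev.get("Details", "")
            if not is_user_writable(target):
                continue
            reasons = ["Run value points into a user-writable path"]
            if target.lower() == ev.get("Image", "").lower():
                reasons.append("process registered itself")
            findings.append({"type": "run_key", "value": ev["TargetObject"], "action": target, "reasons": reasons})
        elif ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            opts = parse_schtasks(ev.get("CommandLine", ""))
            if "create" not in opts:
                continue
            action, interval, reasons = opts.get("tr", ""), interval_minutes(opts), []
            if interval is not None and interval <= 5:
                reasons.append(f"fires every {interval} min")
            if is_user_writable(action):
                reasons.append("task action in a user-writable path")
            if is_user_writable(ev.get("ParentImage", "")):
                reasons.append("created by a process in a user-writable path")
            if len(reasons) >= 2:  # one signal alone is too noisy on real endpoints
                findings.append({"type": "scheduled_task", "task": opts.get("tn", ""), "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["type"], f.get("task") or f.get("value"), "->", "; ".join(f["reasons"]))
```

The scheduled-task rule needs two of three signals (interval of five minutes or less, action under a user-writable path, creator under a user-writable path) because legitimate updaters also live in AppData. For Run values the "process registered itself" reason is the discriminating one: per-user installers such as OneDrive also point Run values into AppData, so treat the path match alone as a lead, not a verdict.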

      Network

      • [US]
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.ax-0001.ax-msedge.net
        g-bing-com.ax-0001.ax-msedge.net
        IN CNAME
        ax-0001.ax-msedge.net
        ax-0001.ax-msedge.net
        IN A
        150.171.28.10
        ax-0001.ax-msedge.net
        IN A
        150.171.27.10
      • [US]
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
        Remote address:
        150.171.28.10:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=0E65FA1C0DC763EA3A9EEFAB0C7C6288; domain=.bing.com; expires=Thu, 16-Apr-2026 06:17:00 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 378105AB0BDB4E3A8DF8DC0C29AABBC6 Ref B: LON04EDGE0808 Ref C: 2025-03-22T06:17:00Z
        date: Sat, 22 Mar 2025 06:16:59 GMT
      • [US]
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
        Remote address:
        150.171.28.10:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=0E65FA1C0DC763EA3A9EEFAB0C7C6288
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=hiUaEJjG_KFx_mbSzwhfYvH5ntEwcT7G4XPmUdDUeAw; domain=.bing.com; expires=Thu, 16-Apr-2026 06:17:00 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 58760F9CA8614CD1A64629F545E2A504 Ref B: LON04EDGE0808 Ref C: 2025-03-22T06:17:00Z
        date: Sat, 22 Mar 2025 06:16:59 GMT
      • [US]
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
        Remote address:
        150.171.28.10:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=0E65FA1C0DC763EA3A9EEFAB0C7C6288; MSPTC=hiUaEJjG_KFx_mbSzwhfYvH5ntEwcT7G4XPmUdDUeAw
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 4D8388DF4DCA4079BDA1A3404EC824C3 Ref B: LON04EDGE0808 Ref C: 2025-03-22T06:17:00Z
        date: Sat, 22 Mar 2025 06:16:59 GMT
      • [US]
        DNS
        3bada.ddns.net
        Remote address:
        8.8.8.8:53
        Request
        3bada.ddns.net
        IN A
        Response
        3bada.ddns.net
        IN A
        41.238.181.69
      • [US]
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        ax-0001.ax-msedge.net
        ax-0001.ax-msedge.net
        IN A
        150.171.27.10
        ax-0001.ax-msedge.net
        IN A
        150.171.28.10
      • [US]
        DNS
        c.pki.goog
        Remote address:
        8.8.8.8:53
        Request
        c.pki.goog
        IN A
        Response
        c.pki.goog
        IN CNAME
        pki-goog.l.google.com
        pki-goog.l.google.com
        IN A
        142.250.180.3
      • [GB]
        GET
        http://c.pki.goog/r/r1.crl
        Remote address:
        142.250.180.3:80
        Request
        GET /r/r1.crl HTTP/1.1
        Cache-Control: max-age = 3000
        Connection: Keep-Alive
        Accept: */*
        If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
        User-Agent: Microsoft-CryptoAPI/10.0
        Host: c.pki.goog
        Response
        HTTP/1.1 304 Not Modified
        Date: Sat, 22 Mar 2025 05:59:32 GMT
        Expires: Sat, 22 Mar 2025 06:49:32 GMT
        Age: 1099
        Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
        Cache-Control: public, max-age=3000
        Vary: Accept-Encoding
      • [US]
        DNS
        3bada.ddns.net
        Remote address:
        8.8.8.8:53
        Request
        3bada.ddns.net
        IN A
        Response
        3bada.ddns.net
        IN A
        41.238.181.69
      • 150.171.28.10:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
        tls, http2
        2.1kB
        11.0kB
        24
        21

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

        HTTP Response

        204
      • 41.238.181.69:5552
        3bada.ddns.net
        260 B
        5
      • 41.238.181.69:5552
        3bada.ddns.net
        260 B
        5
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls
        1.1kB
        6.8kB
        13
        10
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls
        140.3kB
        4.1MB
        2988
        2978
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls
        1.4kB
        6.8kB
        15
        10
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls
        1.1kB
        6.8kB
        13
        10
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls
        1.1kB
        6.9kB
        13
        11
      • 142.250.180.3:80
        http://c.pki.goog/r/r1.crl
        http
        476 B
        395 B
        6
        4

        HTTP Request

        GET http://c.pki.goog/r/r1.crl

        HTTP Response

        304
      • 41.238.181.69:5552
        3bada.ddns.net
        260 B
        5
      • 41.238.181.69:5552
        3bada.ddns.net
        260 B
        5
      • 41.238.181.69:5552
        3bada.ddns.net
        260 B
        5
      • 41.238.181.69:5552
        3bada.ddns.net
        208 B
        4
      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        148 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        150.171.28.10
        150.171.27.10

      • 8.8.8.8:53
        3bada.ddns.net
        dns
        60 B
        76 B
        1
        1

        DNS Request

        3bada.ddns.net

        DNS Response

        41.238.181.69

      • 8.8.8.8:53
        tse1.mm.bing.net
        dns
        62 B
        170 B
        1
        1

        DNS Request

        tse1.mm.bing.net

        DNS Response

        150.171.27.10
        150.171.28.10

      • 8.8.8.8:53
        c.pki.goog
        dns
        56 B
        107 B
        1
        1

        DNS Request

        c.pki.goog

        DNS Response

        142.250.180.3

      • 8.8.8.8:53
        3bada.ddns.net
        dns
        60 B
        76 B
        1
        1

        DNS Request

        3bada.ddns.net

        DNS Response

        41.238.181.69
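Most of the Network section above is sandbox baseline rather than sample activity: the g.bing.com requests carry the WindowsShellClient user-agent of the Windows shell, tse1.mm.bing.net serves Bing images, and the c.pki.goog CRL fetch is made by Microsoft-CryptoAPI during certificate validation. The only traffic the sample itself accounts for is the repeated TCP connections to 3bada.ddns.net (41.238.181.69) on port 5552. The script below is an added example (not tria.ge's code) that applies that separation to a constructed copy of the flow summary: it allow-lists the OS background noise, scores the remainder on dynamic-DNS hostname, non-web port and beacon-like repetition, and flattens the result into IOCs. The allow-list and dynamic-DNS suffix list are starter assumptions to extend with your own baseline.

```python
"""Separate sandbox background noise from sample-driven traffic in a flow
summary and emit the network IOCs worth blocking."""
from collections import Counter

# Constructed flow records modelled on the Network section above:
# (host, remote IP, port, protocol label, HTTP User-Agent if any, bytes sent).
# Hand-built for this example, not the report's own export.
C2 = ("3bada.ddns.net", "41.238.181.69", 5552, "tcp", None, 260)
FLOWS = [
    ("g.bing.com", "150.171.28.10", 443, "tls", "WindowsShellClient/9.0.40929.0 (Windows)", 2100),
    ("tse1.mm.bing.net", "150.171.27.10", 443, "tls", None, 140300),
    ("c.pki.goog", "142.250.180.3", 80, "http", "Microsoft-CryptoAPI/10.0", 476),
    *([C2] * 6),
    ("3bada.ddns.net", "41.238.181.69", 5552, "tcp", None, 208),
]

# Assumed allow-list: user-agents and domains a clean Windows 10 image talks to
# on its own (shell ads, Bing images, CRL/OCSP). Extend from your own baseline.
BACKGROUND_UA_PREFIXES = ("WindowsShellClient/", "Microsoft-CryptoAPI/", "Microsoft-Delivery-Optimization/")
BACKGROUND_DOMAINS = (".bing.com", ".bing.net", ".msedge.net", ".pki.goog", ".microsoft.com", ".windowsupdate.com")
# Assumed starter list of dynamic-DNS providers that often host C2 names.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.com", ".no-ip.biz", ".duckdns.org", ".hopto.org", ".zapto.org")
WEB_PORTS = {80, 443}


def is_background(host: str, ua) -> bool:
    """True for flows attributable to the OS rather than the sample."""
    if ua and ua.startswith(BACKGROUND_UA_PREFIXES):
        return True
    return host.lower().endswith(BACKGROUND_DOMAINS)


def classify(flows):
    """Return (background hosts, {'host:ip:port': [reasons]}) for the remainder."""
    background, suspicious = [], {}
    counts = Counter((host, ip, port) for host, ip, port, *_ in flows)
    for host, ip, port, proto, ua, nbytes in flows:
        if is_background(host, ua):
            background.append(host)
            continue
        reasons = []
        if host.lower().endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-DNS hostname")
        if port not in WEB_PORTS:
            reasons.append(f"non-standard port {port}")
        if counts[(host, ip, port)] >= 3 and nbytes < 512:
            reasons.append("repeated short connections (beacon-like)")
        if reasons:
            suspicious.setdefault(f"{host}:{ip}:{port}", set()).update(reasons)
    return sorted(set(background)), {k: sorted(v) for k, v in suspicious.items()}


def iocs(suspicious: dict) -> list:
    """Flatten the suspicious map into (type, value) pairs for a blocklist."""
    out = set()
    for key in suspicious:
        host, ip, port = key.rsplit(":", 2)
        out.update({("domain", host), ("ip", ip), ("socket", f"{ip}:{port}")})
    return sorted(out)


if __name__ == "__main__":
    bg, sus = classify(FLOWS)
    print("background:", ", ".join(bg))
    for key, why in sus.items():
        print("suspicious:", key, "->", "; ".join(why))
    for kind, value in iocs(sus):
        print(f"ioc {kind}: {value}")
```

Block the domain as well as the socket: the host is behind a dynamic-DNS provider, so the operator can move 41.238.181.69 without touching the sample. Conversely, do not push the Bing or pki.goog addresses into a blocklist from a report like this; they will recur in every Windows 10 run.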

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log

        Filesize

        408B

        MD5

        42157868488d3ef98c00e3fa12f064be

        SHA1

        aad391be9ac3f6ce1ced49583690486a5f4186fb

        SHA256

        b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c

        SHA512

        8f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471

      • C:\Users\Admin\AppData\Roaming\appdate.exe

        Filesize

        43KB

        MD5

        4255dacb3601f46615055d9d23a538cd

        SHA1

        ec34d0c3dc3116f32eee59fc6b84ea0be8030529

        SHA256

        47dacc41ba9109e87ed4b26564fd6c20b4dfd7c457d0b5b2a32bf45b132da3df

        SHA512

        084feb9bf61e3641ade20c5c2c2049ec5d4ba1ce85ed5dcbd16c16b4d2dda1c15bdc86ba5ecf86d54676dd5efbe12c147e1e5dba87d29df64aba11a640b15505

      • memory/528-13-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/528-18-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/528-15-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/528-14-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/4784-22-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/4784-21-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/4784-23-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/4784-25-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/5360-12-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/5360-2-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB

      • memory/5360-0-0x0000000075162000-0x0000000075163000-memory.dmp

        Filesize

        4KB

      • memory/5360-1-0x0000000075160000-0x0000000075711000-memory.dmp

        Filesize

        5.7MB
