Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Anime-Figh...24.exe

windows7_x64

8

Anime-Figh...24.exe

windows7_x64

10

Anime-Figh...24.exe

windows7_x64

10

Anime-Figh...24.exe

windows7_x64

8

Anime-Figh...24.exe

windows11_x64

8

Anime-Figh...24.exe

windows10_x64

10

Anime-Figh...24.exe

windows10_x64

Anime-Figh...24.exe

windows10_x64

10

Anime-Figh...24.exe

windows10_x64

10

Anime-Figh...24.exe

windows10_x64

10

Resubmissions

02/09/2021, 19:12

210902-xwla1aeefq 10

02/09/2021, 19:09

210902-xtsbjabea9 8

Analysis

  • max time kernel
    65s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-jp
  • submitted
    02/09/2021, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Anime-Fighters-Infin_734316524.exe

  • Size

    3.9MB

  • MD5

    bd2b73492acf20dec004360b1605032d

  • SHA1

    60ddf3c107d94bbeb102a2d7ede945eb5edd2b35

  • SHA256

    12b6272825140a15eabec58f97b49aed3ce5db7816a0b3c2674f6ae8746367ca

  • SHA512

    dae236259e32a9e4b789f020dbd8082b376e3c2b56fd94523a44cf4b5a557f3661aeefc24b5605218ba0479ee1b9a8cb7b5c1df6c103673a99f13bc4210c90da

Score
8/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 19 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe
    "C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\is-0G7EG.tmp\Anime-Fighters-Infin_734316524.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0G7EG.tmp\Anime-Fighters-Infin_734316524.tmp" /SL5="$8015C,3656070,140800,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Program Files (x86)\Vel\magnam\Expedita.exe
        "C:\Program Files (x86)\Vel/\magnam\Expedita.exe" 32cb7aca069a0c8bb8d51fccce1d3826
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Users\Admin\AppData\Local\Temp\q5XC3eLZ\tQX8KOqP9O.exe
          C:\Users\Admin\AppData\Local\Temp\q5XC3eLZ\tQX8KOqP9O.exe /usthree SUB=32cb7aca069a0c8bb8d51fccce1d3826
          4⤵
          • Executes dropped EXE
          PID:1648
        • C:\Users\Admin\AppData\Local\Temp\CKUXqKGI\KCYg6pTj0.exe
          C:\Users\Admin\AppData\Local\Temp\CKUXqKGI\KCYg6pTj0.exe /qn CAMPAIGN="642"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\CKUXqKGI\KCYg6pTj0.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\CKUXqKGI\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630350882 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
            5⤵
              PID:1112
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 2E4D24B3B18C24DCC7DD15DB00F885C2 C
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1384
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 894E29D581178576C9D0913CB686A04F
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
          3⤵
          • Kills process with taskkill
          PID:1872

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1092-90-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1364-71-0x00000000002F0000-0x00000000002F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1364-73-0x00000000051F0000-0x00000000051F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1364-70-0x0000000000400000-0x00000000019C2000-memory.dmp

      Filesize

      21.8MB

      Download

    • memory/1544-87-0x0000000000190000-0x000000000022D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/1648-88-0x0000000000220000-0x0000000000268000-memory.dmp

      Filesize

      288KB

      Download

    • memory/1648-89-0x0000000000400000-0x0000000002B5E000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/1888-64-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1888-63-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1920-53-0x0000000076B51000-0x0000000076B53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1920-58-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download