Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

4b8bc86b3b...6b.exe

windows7-x64

10

4b8bc86b3b...6b.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe

  • Size

    1.8MB

  • MD5

    5017e4642ffb6fed42235d37fab16273

  • SHA1

    91a00dfa17737092c79cce3002f6d428c4b47ed2

  • SHA256

    4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b

  • SHA512

    71dcb7efee14707a70e32c11d40b798b8a70f17b81548b52f67213bf2767d1d6deba570ef9b2668bc26c362964c9f5364af8ad88593e6d001627a0f83e28e058

  • SSDEEP

    49152:GZp4kJNahggTdaVS8wzZrhyL7Y6Xl55PA8DXl5IkyjGY:GZ+gMhfdaVS8otyw6r5PpDV5Iky3

Score
9/10
aspackv2evasionpersistence

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 5 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe
    "C:\Users\Admin\AppData\Local\Temp\4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Local\Temp\p.exe
      "C:\Users\Admin\AppData\Local\Temp\p.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Users\Admin\AppData\Local\Temp\p.exe
        C:\Users\Admin\AppData\Local\Temp\p.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\WINDOWS\zoues\svchost.exe
          C:\WINDOWS\zoues\svchost.exe
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4860
    • C:\Users\Admin\AppData\Local\Temp\2071.exe
      "C:\Users\Admin\AppData\Local\Temp\2071.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=2071
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3868
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4356
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1020
        3⤵
        • Program crash
        PID:1640
    • C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe
      "C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.1wly.com/
        3⤵
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1848
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8a99e46f8,0x7ff8a99e4708,0x7ff8a99e4718
          4⤵
            PID:1444
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8391446175238069640,9064921414098204311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
            4⤵
              PID:4664
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,8391446175238069640,9064921414098204311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2064
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,8391446175238069640,9064921414098204311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
              4⤵
                PID:2708
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8391446175238069640,9064921414098204311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
                4⤵
                  PID:4940
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8391446175238069640,9064921414098204311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                  4⤵
                    PID:3780
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2084,8391446175238069640,9064921414098204311,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 /prefetch:8
                    4⤵
                      PID:3560
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8391446175238069640,9064921414098204311,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5176 /prefetch:2
                      4⤵
                        PID:4972
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 668 -ip 668
                  1⤵
                    PID:3428
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:4804

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                      Filesize

                      471B

                      MD5

                      1520b1f0e8660cc8553264ce46871efd

                      SHA1

                      70c43f2c0b7599f782461590f8e1650a2df5dbfe

                      SHA256

                      8bb8dd5446da57093db31c10b4093a2378a9324f137d3eaa21ab0027e191c09e

                      SHA512

                      6ad8d5f620738988286981654070c9a4e2542f629f4e5245381143a2a88c98922145759ff8d90546e1a617639a7dd335ddca4aba5435fb216c01c705bc4f0be0

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                      Filesize

                      404B

                      MD5

                      18b71fb0690d9602346357e453648525

                      SHA1

                      f27e81ea61940724cbdd1c9b3615322bd7661b09

                      SHA256

                      92b363f4727365b024a2d82dec17bb9b1e1214896bc95fa09f35dbb6dc125815

                      SHA512

                      0e906c2784078427ebf72870cc85799c195d5127823b6de21e90e43206a87e23920685d81bb6dd3054656fbddf2cfef8efcc81fcbf2706e906e82983bb13396e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\2071.exe
                      Filesize

                      114KB

                      MD5

                      6a3403a72b8efaecf87009a0cdf709c7

                      SHA1

                      4db26c3d0ef07c6107278b7583365fe47da6c03f

                      SHA256

                      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

                      SHA512

                      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\2071.exe
                      Filesize

                      114KB

                      MD5

                      6a3403a72b8efaecf87009a0cdf709c7

                      SHA1

                      4db26c3d0ef07c6107278b7583365fe47da6c03f

                      SHA256

                      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

                      SHA512

                      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\p.exe
                      Filesize

                      33KB

                      MD5

                      a97b8231899c20daa06ca80a3962c6f4

                      SHA1

                      8b739b51d895b5134ec308d394067b7b44696be1

                      SHA256

                      04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

                      SHA512

                      45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\p.exe
                      Filesize

                      33KB

                      MD5

                      a97b8231899c20daa06ca80a3962c6f4

                      SHA1

                      8b739b51d895b5134ec308d394067b7b44696be1

                      SHA256

                      04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

                      SHA512

                      45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\p.exe
                      Filesize

                      33KB

                      MD5

                      a97b8231899c20daa06ca80a3962c6f4

                      SHA1

                      8b739b51d895b5134ec308d394067b7b44696be1

                      SHA256

                      04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

                      SHA512

                      45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe
                      Filesize

                      1.6MB

                      MD5

                      1fbf2178409a4f816be8f766288e7439

                      SHA1

                      05800a7052e6196a704b71e252d3a639bd306724

                      SHA256

                      a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

                      SHA512

                      f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe
                      Filesize

                      1.6MB

                      MD5

                      1fbf2178409a4f816be8f766288e7439

                      SHA1

                      05800a7052e6196a704b71e252d3a639bd306724

                      SHA256

                      a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

                      SHA512

                      f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

                      Download Submit

                    • C:\WINDOWS\zoues\svchost.exe
                      Filesize

                      33KB

                      MD5

                      b8299a947177ce0dc668af3ff05c46fa

                      SHA1

                      e82e614cffffbfc2ff2b0f3130abd495cbf76b44

                      SHA256

                      ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

                      SHA512

                      f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

                      Download Submit

                    • C:\Windows\SysWOW64\intel.dll
                      Filesize

                      142KB

                      MD5

                      5b6ae60afa76e99a591556ba5bdc0acb

                      SHA1

                      e3f12b7fe4337a55c9e859a5ceec95f749cf457b

                      SHA256

                      7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

                      SHA512

                      4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

                      Download Submit

                    • C:\Windows\zoues\svchost.exe
                      Filesize

                      33KB

                      MD5

                      b8299a947177ce0dc668af3ff05c46fa

                      SHA1

                      e82e614cffffbfc2ff2b0f3130abd495cbf76b44

                      SHA256

                      ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

                      SHA512

                      f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

                      Download Submit

                    • \??\c:\WINDOWS\Help\windowsz32.txt
                      Filesize

                      39B

                      MD5

                      be563affdf84703821ba6e23d9ed6de7

                      SHA1

                      5d6d472ddcec06861872e9bf7d18589c4b37e982

                      SHA256

                      32d7619b9c9011c023d94e7c8d6fd234d85813d7ec7cf7cf3e74f45588c95ccc

                      SHA512

                      18e6016982f3b2a0a0b618a5e76b641303893a8d50f41a324c4e63254f7cb7e1c7fa6dd6a6f48753e34a633d268477638768bd3b8a897e8a8910d12457f4c685

                      Download Submit

                    • memory/668-148-0x00000000009E0000-0x0000000000A26000-memory.dmp

                      Filesize

                      280KB

                      Download

                    • memory/668-161-0x00000000009E0000-0x0000000000A26000-memory.dmp

                      Filesize

                      280KB

                      Download

                    • memory/668-140-0x00000000009E0000-0x0000000000A26000-memory.dmp

                      Filesize

                      280KB

                      Download

                    • memory/668-139-0x00000000009E0000-0x0000000000A26000-memory.dmp

                      Filesize

                      280KB

                      Download

                    • memory/4852-132-0x0000000000400000-0x00000000005C8B3B-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/4852-146-0x0000000000400000-0x00000000005C8B3B-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/4888-158-0x0000000000400000-0x00000000007A2000-memory.dmp

                      Filesize

                      3.6MB

                      Download

                    • memory/4888-157-0x0000000077270000-0x0000000077413000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/4888-156-0x0000000000400000-0x00000000007A2000-memory.dmp

                      Filesize

                      3.6MB

                      Download

                    • memory/4888-168-0x0000000000400000-0x00000000007A2000-memory.dmp

                      Filesize

                      3.6MB

                      Download

                    • memory/4888-169-0x0000000077270000-0x0000000077413000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/4888-154-0x0000000000400000-0x00000000007A2000-memory.dmp

                      Filesize

                      3.6MB

                      Download

                    • memory/4888-153-0x0000000077270000-0x0000000077413000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/4888-149-0x0000000000400000-0x00000000007A2000-memory.dmp

                      Filesize

                      3.6MB

                      Download