Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

52088快�...��.url

windows7-x64

1

52088快�...��.url

windows10-2004-x64

1

wg.exe

windows7-x64

10

wg.exe

windows10-2004-x64

9

歪歪外�...��.url

windows7-x64

1

歪歪外�...��.url

windows10-2004-x64

1

炫舞邪�...�).exe

windows7-x64

10

炫舞邪�...�).exe

windows10-2004-x64

9

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wg.exe

  • Size

    2.4MB

  • MD5

    7c456017d18bcd67d119b1852e10ea9c

  • SHA1

    96fbe0db6d5730d5fda4cc3ee41c5b682a0ebb17

  • SHA256

    61f70c121d427e2a7b2e70937b13099163675b51af23d0b0ec87ea312f021d95

  • SHA512

    75f6e33dfc3ed694865710cf946789c2f1923bb70b6d8fe72f4ed0e32f315cb126350d7c1bd95d16d3f179b21d5b52583fb18e3ac4618a3a0bc42d32db7b178b

  • SSDEEP

    49152:6000irolqOGH78ChAaqBi2tSiDLz/FX/8zptVu25IkyjGY:f00i8qONCOaqBiqDLz/VUltk25Iky3

Score
10/10
jokeraspackv2evasioninfostealerpersistencetrojan

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 5 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 12 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wg.exe
    "C:\Users\Admin\AppData\Local\Temp\wg.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\p.exe
      "C:\Users\Admin\AppData\Local\Temp\p.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\p.exe
        C:\Users\Admin\AppData\Local\Temp\p.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\WINDOWS\zoues\svchost.exe
          C:\WINDOWS\zoues\svchost.exe
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Suspicious behavior: EnumeratesProcesses
          PID:688
    • C:\Users\Admin\AppData\Local\Temp\2071.exe
      "C:\Users\Admin\AppData\Local\Temp\2071.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=2071
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1020
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3848
    • C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
      "C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:564

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c51f1ae9cf151ddfb2da576b107ab9ef

    SHA1

    86e6709fa2b549ff147187974b08a0c17039705a

    SHA256

    6f805e6a58b03f99677358c997d25ee19a3690f07f1ffc18dff09a6c5c062006

    SHA512

    865fab54b4ec14027b66c2a12e62831fa1012a15ed3571d03a785aeb12fceef39c5e7725b867b072ea3ada0f520d8f7b82689d14e1d05095ed8a0ffeace6a921

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
    Filesize

    2.1MB

    MD5

    1ecd83f218fdfefa40d45cb2712ad43f

    SHA1

    05ffb62a400397d9f2006a6e960cfb78f830400a

    SHA256

    556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f

    SHA512

    5f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JQTFV152.txt
    Filesize

    608B

    MD5

    a23a6c5f5ec743f8b4e6c81d1213d979

    SHA1

    97eaf76d204eb2a0b98d70599d20c27d6cab8c51

    SHA256

    5cbe4b9ff2f658087682e6b80b9eeceabc2f075d8f905e69d2353407cdad2ad3

    SHA512

    3a25de23b1bc3d0acc5adc791f484c0f9effea35c8885a84dca70b80117bc7124f14ffb40684d44075288a0f4ca080cfa95d17b97595be2b9adf8ededc52d12d

    Download Submit

  • C:\Windows\zoues\svchost.exe
    Filesize

    33KB

    MD5

    b8299a947177ce0dc668af3ff05c46fa

    SHA1

    e82e614cffffbfc2ff2b0f3130abd495cbf76b44

    SHA256

    ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

    SHA512

    f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

    Download Submit

  • \??\c:\WINDOWS\Help\windowsz32.txt
    Filesize

    39B

    MD5

    be563affdf84703821ba6e23d9ed6de7

    SHA1

    5d6d472ddcec06861872e9bf7d18589c4b37e982

    SHA256

    32d7619b9c9011c023d94e7c8d6fd234d85813d7ec7cf7cf3e74f45588c95ccc

    SHA512

    18e6016982f3b2a0a0b618a5e76b641303893a8d50f41a324c4e63254f7cb7e1c7fa6dd6a6f48753e34a633d268477638768bd3b8a897e8a8910d12457f4c685

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • \Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
    Filesize

    2.1MB

    MD5

    1ecd83f218fdfefa40d45cb2712ad43f

    SHA1

    05ffb62a400397d9f2006a6e960cfb78f830400a

    SHA256

    556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f

    SHA512

    5f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
    Filesize

    2.1MB

    MD5

    1ecd83f218fdfefa40d45cb2712ad43f

    SHA1

    05ffb62a400397d9f2006a6e960cfb78f830400a

    SHA256

    556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f

    SHA512

    5f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d

    Download Submit

  • \Windows\SysWOW64\intel.dll
    Filesize

    142KB

    MD5

    5b6ae60afa76e99a591556ba5bdc0acb

    SHA1

    e3f12b7fe4337a55c9e859a5ceec95f749cf457b

    SHA256

    7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

    SHA512

    4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

    Download Submit

  • \Windows\SysWOW64\intel.dll
    Filesize

    142KB

    MD5

    5b6ae60afa76e99a591556ba5bdc0acb

    SHA1

    e3f12b7fe4337a55c9e859a5ceec95f749cf457b

    SHA256

    7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

    SHA512

    4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

    Download Submit

  • \Windows\zoues\svchost.exe
    Filesize

    33KB

    MD5

    b8299a947177ce0dc668af3ff05c46fa

    SHA1

    e82e614cffffbfc2ff2b0f3130abd495cbf76b44

    SHA256

    ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

    SHA512

    f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

    Download Submit

  • memory/564-88-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/564-79-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/564-81-0x00000000778E0000-0x0000000077A60000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/564-83-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/564-89-0x00000000778E0000-0x0000000077A60000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/816-78-0x00000000000F0000-0x0000000000136000-memory.dmp

    Filesize

    280KB

    Download

  • memory/816-86-0x0000000000620000-0x0000000000630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/816-71-0x00000000000F0000-0x0000000000136000-memory.dmp

    Filesize

    280KB

    Download

  • memory/816-69-0x00000000000F0000-0x0000000000136000-memory.dmp

    Filesize

    280KB

    Download

  • memory/816-97-0x00000000000F0000-0x0000000000136000-memory.dmp

    Filesize

    280KB

    Download

  • memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

    Filesize

    8KB

    Download

  • memory/992-76-0x0000000002AB0000-0x0000000002AF6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/992-77-0x0000000000400000-0x000000000066F123-memory.dmp

    Filesize

    2.4MB

    Download