Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 04:12

General

  • Target

    wg.exe

  • Size

    2.4MB

  • MD5

    7c456017d18bcd67d119b1852e10ea9c

  • SHA1

    96fbe0db6d5730d5fda4cc3ee41c5b682a0ebb17

  • SHA256

    61f70c121d427e2a7b2e70937b13099163675b51af23d0b0ec87ea312f021d95

  • SHA512

    75f6e33dfc3ed694865710cf946789c2f1923bb70b6d8fe72f4ed0e32f315cb126350d7c1bd95d16d3f179b21d5b52583fb18e3ac4618a3a0bc42d32db7b178b

  • SSDEEP

    49152:6000irolqOGH78ChAaqBi2tSiDLz/FX/8zptVu25IkyjGY:f00i8qONCOaqBiqDLz/VUltk25Iky3

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 5 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wg.exe
    "C:\Users\Admin\AppData\Local\Temp\wg.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\AppData\Local\Temp\p.exe
      "C:\Users\Admin\AppData\Local\Temp\p.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Users\Admin\AppData\Local\Temp\p.exe
        C:\Users\Admin\AppData\Local\Temp\p.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3724
        • C:\WINDOWS\zoues\svchost.exe
          C:\WINDOWS\zoues\svchost.exe
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Suspicious behavior: EnumeratesProcesses
          PID:340
    • C:\Users\Admin\AppData\Local\Temp\2071.exe
      "C:\Users\Admin\AppData\Local\Temp\2071.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=2071
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4392 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1768
        3⤵
        • Program crash
        PID:3288
    • C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
      "C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.1wly.com/
        3⤵
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3672
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd425d46f8,0x7ffd425d4708,0x7ffd425d4718
          4⤵
          PID:1840
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10783126940112977348,11899786307668791556,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
          4⤵
          PID:2776
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10783126940112977348,11899786307668791556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3980
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10783126940112977348,11899786307668791556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
          4⤵
          PID:1608
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10783126940112977348,11899786307668791556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
          4⤵
          PID:332
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10783126940112977348,11899786307668791556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
          4⤵
          PID:1964
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,10783126940112977348,11899786307668791556,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 /prefetch:8
          4⤵
          PID:4188
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10783126940112977348,11899786307668791556,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5260 /prefetch:2
          4⤵
          PID:3700
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3824
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1520 -ip 1520
    1⤵
    PID:508

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2071.exe

    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

  • C:\Users\Admin\AppData\Local\Temp\p.exe

    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

  • C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe

    Filesize

    2.1MB

    MD5

    1ecd83f218fdfefa40d45cb2712ad43f

    SHA1

    05ffb62a400397d9f2006a6e960cfb78f830400a

    SHA256

    556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f

    SHA512

    5f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d

  • C:\WINDOWS\zoues\svchost.exe

    Filesize

    33KB

    MD5

    b8299a947177ce0dc668af3ff05c46fa

    SHA1

    e82e614cffffbfc2ff2b0f3130abd495cbf76b44

    SHA256

    ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

    SHA512

    f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

  • C:\Windows\SysWOW64\intel.dll

    Filesize

    142KB

    MD5

    5b6ae60afa76e99a591556ba5bdc0acb

    SHA1

    e3f12b7fe4337a55c9e859a5ceec95f749cf457b

    SHA256

    7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

    SHA512

    4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

  • C:\Windows\zoues\svchost.exe

    Filesize

    33KB

    MD5

    b8299a947177ce0dc668af3ff05c46fa

    SHA1

    e82e614cffffbfc2ff2b0f3130abd495cbf76b44

    SHA256

    ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

    SHA512

    f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

  • \??\c:\WINDOWS\Help\windowsz32.txt

    Filesize

    39B

    MD5

    be563affdf84703821ba6e23d9ed6de7

    SHA1

    5d6d472ddcec06861872e9bf7d18589c4b37e982

    SHA256

    32d7619b9c9011c023d94e7c8d6fd234d85813d7ec7cf7cf3e74f45588c95ccc

    SHA512

    18e6016982f3b2a0a0b618a5e76b641303893a8d50f41a324c4e63254f7cb7e1c7fa6dd6a6f48753e34a633d268477638768bd3b8a897e8a8910d12457f4c685

  • memory/1520-141-0x0000000000F80000-0x0000000000FC6000-memory.dmp

    Filesize

    280KB

  • memory/1520-142-0x0000000000F80000-0x0000000000FC6000-memory.dmp

    Filesize

    280KB

  • memory/1520-175-0x0000000000F80000-0x0000000000FC6000-memory.dmp

    Filesize

    280KB

  • memory/1520-151-0x0000000000F80000-0x0000000000FC6000-memory.dmp

    Filesize

    280KB

  • memory/1600-150-0x0000000000400000-0x000000000066F123-memory.dmp

    Filesize

    2.4MB

  • memory/1600-132-0x0000000000400000-0x000000000066F123-memory.dmp

    Filesize

    2.4MB

  • memory/4756-152-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

  • memory/4756-162-0x00000000775B0000-0x0000000077753000-memory.dmp

    Filesize

    1.6MB

  • memory/4756-161-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

  • memory/4756-158-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

  • memory/4756-157-0x00000000775B0000-0x0000000077753000-memory.dmp

    Filesize

    1.6MB

  • memory/4756-156-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

  • memory/4756-154-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

  • memory/4756-153-0x00000000775B0000-0x0000000077753000-memory.dmp

    Filesize

    1.6MB