Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19/09/2022, 04:12
General
-
Target
炫舞邪少助手3.0.9-1.23A(心动增强).exe
-
Size
28KB
-
MD5
f3452d3085e3eedd20cf6b1565145224
-
SHA1
6c741a53e359015ddf5a4a431ac21d2bb5892dd7
-
SHA256
bfde8378737709f7652a1dc6036b958e1c9a067b74595a76f2a0c1a2048d009f
-
SHA512
65fbf8aa8f9a2a9c87e18fea0ce968910744f834da94f47d281dcc88788989b5fb704ccbb0be74f95b1473c5464bb3c8a97419fca9c6e5b43c3ff0d1746511db
-
SSDEEP
768:Ytjyjw5eEVPstTlzM+YnQozV2LFxU2HUs:8l5sHuQosXUIUs
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 5 IoCs
-
Modifies AppInit DLL entries 2 TTPs
-
Modifies Installed Components in the registry 2 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\炫舞邪少助手3.0.9-1.23A(心动增强).exe"C:\Users\Admin\AppData\Local\Temp\炫舞邪少助手3.0.9-1.23A(心动增强).exe"1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wg.datC:\Users\Admin\AppData\Local\Temp\wg.dat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\p.exe"C:\Users\Admin\AppData\Local\Temp\p.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\p.exeC:\Users\Admin\AppData\Local\Temp\p.exe4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\zoues\svchost.exeC:\WINDOWS\zoues\svchost.exe5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2071.exe"C:\Users\Admin\AppData\Local\Temp\2071.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=20714⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4220 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 17524⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe"C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.1wly.com/4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87d4a46f8,0x7ff87d4a4708,0x7ff87d4a47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10188891415035054036,5615342680629970203,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10188891415035054036,5615342680629970203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10188891415035054036,5615342680629970203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10188891415035054036,5615342680629970203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10188891415035054036,5615342680629970203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,10188891415035054036,5615342680629970203,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 /prefetch:85⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2344 -ip 23441⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD51520b1f0e8660cc8553264ce46871efd
SHA170c43f2c0b7599f782461590f8e1650a2df5dbfe
SHA2568bb8dd5446da57093db31c10b4093a2378a9324f137d3eaa21ab0027e191c09e
SHA5126ad8d5f620738988286981654070c9a4e2542f629f4e5245381143a2a88c98922145759ff8d90546e1a617639a7dd335ddca4aba5435fb216c01c705bc4f0be0
-
Filesize
404B
MD5775d1ccdca2686076ccdd07ba36ba7f7
SHA1e9b4999ae875053a1d097f6484adfe08ab488746
SHA256c6445cc73ea327d0921e94a58f826b36c4143c696e617713e6f6f9fe00219154
SHA512f8560ec2ed6bef4998624f5c6f037f304e45cad9390be27714b899ce57ea524ff038cd4fbfbaa887316c79c97d7f2838ae577f57e94e61ce9e55963a1ad8ad23
-
Filesize
114KB
MD56a3403a72b8efaecf87009a0cdf709c7
SHA14db26c3d0ef07c6107278b7583365fe47da6c03f
SHA2563f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d
SHA5124c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51
-
Filesize
114KB
MD56a3403a72b8efaecf87009a0cdf709c7
SHA14db26c3d0ef07c6107278b7583365fe47da6c03f
SHA2563f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d
SHA5124c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51
-
Filesize
33KB
MD5a97b8231899c20daa06ca80a3962c6f4
SHA18b739b51d895b5134ec308d394067b7b44696be1
SHA25604534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054
SHA51245ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127
-
Filesize
33KB
MD5a97b8231899c20daa06ca80a3962c6f4
SHA18b739b51d895b5134ec308d394067b7b44696be1
SHA25604534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054
SHA51245ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127
-
Filesize
33KB
MD5a97b8231899c20daa06ca80a3962c6f4
SHA18b739b51d895b5134ec308d394067b7b44696be1
SHA25604534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054
SHA51245ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127
-
Filesize
2.1MB
MD51ecd83f218fdfefa40d45cb2712ad43f
SHA105ffb62a400397d9f2006a6e960cfb78f830400a
SHA256556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f
SHA5125f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d
-
Filesize
2.1MB
MD51ecd83f218fdfefa40d45cb2712ad43f
SHA105ffb62a400397d9f2006a6e960cfb78f830400a
SHA256556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f
SHA5125f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d
-
Filesize
33KB
MD5b8299a947177ce0dc668af3ff05c46fa
SHA1e82e614cffffbfc2ff2b0f3130abd495cbf76b44
SHA256ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada
SHA512f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939
-
Filesize
142KB
MD55b6ae60afa76e99a591556ba5bdc0acb
SHA1e3f12b7fe4337a55c9e859a5ceec95f749cf457b
SHA2567a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378
SHA5124394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a
-
Filesize
33KB
MD5b8299a947177ce0dc668af3ff05c46fa
SHA1e82e614cffffbfc2ff2b0f3130abd495cbf76b44
SHA256ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada
SHA512f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939
-
Filesize
39B
MD5be563affdf84703821ba6e23d9ed6de7
SHA15d6d472ddcec06861872e9bf7d18589c4b37e982
SHA25632d7619b9c9011c023d94e7c8d6fd234d85813d7ec7cf7cf3e74f45588c95ccc
SHA51218e6016982f3b2a0a0b618a5e76b641303893a8d50f41a324c4e63254f7cb7e1c7fa6dd6a6f48753e34a633d268477638768bd3b8a897e8a8910d12457f4c685
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
1.6MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
1.6MB
-
Filesize
4.3MB
-
Filesize
1.6MB
-
Filesize
4.3MB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB