Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

37903e1d9f...ec.exe

windows7-x64

10

37903e1d9f...ec.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    160s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe

  • Size

    740KB

  • MD5

    67ef6a3258121c5c085080180698a2e0

  • SHA1

    9ed5f1c51d5609b1b1402a41f2121676af9e5103

  • SHA256

    37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec

  • SHA512

    b66b367b6c12f195c6b32f665b5bb25d9af9ed96224444236031b5fd9d0306294415dab3f3a489cc63dc0bf5191862485e359f453ff804138b6eb9215e61f803

  • SSDEEP

    12288:+w80KZh/N1tcD1/OVQNvRtYuupRA9gN5UQXGcuWEw/+PxBTApHqxhyjY1NEAIvO+:+w80Kx1SR/Jb8T+QqWGcNXqxdApHYysU

Score
10/10
jokeradwareinfostealerpersistencestealertrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Executes dropped EXE 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 12 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 57 IoCs
    adwarespyware
  • Modifies registry class 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe
    "C:\Users\Admin\AppData\Local\Temp\37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\winlans.exe
        winlans.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c regsvr32 /s Win32s.dll
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32 /s Win32s.dll
            5⤵
            • Loads dropped DLL
            • Modifies registry class
            PID:648
        • C:\Windows\SysWOW64\Nservies.exe
          Nservies.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:572
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c color 0a
            5⤵
              PID:600
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dwbase.com/tongji/count/count.asp?id=C6-F5-4D-74-98-C3&ver=1.0
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1324
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1480
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat""
          3⤵
            PID:1740
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:456
          • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
            __IRAOFF:500236 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe"
            3⤵
            • Executes dropped EXE
            PID:1120

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        60KB

        MD5

        d15aaa7c9be910a9898260767e2490e1

        SHA1

        2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

        SHA256

        f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

        SHA512

        7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        8dce3faca44a5c20cfe3690d4f070835

        SHA1

        5b7a7660b4aad61aab0b4222ca8adf64e879a1a1

        SHA256

        fc102e62dac177ddfdea2123491bbc6333cdee98265763be24d0595b55dd1d6e

        SHA512

        250a6d0cbdbedfeb24a076c32a0a2975e50776244e71f6b14330b25a2c3b684f11f6dc7f848c23f2ad87e496f489e07651830cd05c99e28c86b8f9266b7614a6

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        a97c91aae862804ecb41dcb39494d837

        SHA1

        5abead588fde4acd9b0d2fc7f46884a93cfd0d6f

        SHA256

        625017a14815f43d279532a03c73f1a04ab4bfd8092737f8139122b5a0124355

        SHA512

        d047c8b643bb4d521966611ec503c101b2d074c972ae727e3ee7665697d16eb38ce4c7d4aa68db031c895dc217e209dddec0cc8e18070b5695164d47d360cf9c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
        Filesize

        5KB

        MD5

        56376621805c4aa4f653f940a8e44e0d

        SHA1

        213d76b9d15282b7cbff278902c53e920fd4a795

        SHA256

        e185923d4f86b967fdeccc0f159f37c193d617b9fb18a4744cbccb562b77dcd7

        SHA512

        2a1961988bf2c3b05197083f83b7077541657cef57fc3a1108f100eef5fe9c42e2dcdad3266883baad147c3dc7fc825e97ca0110a7fa95b217280db1d4d124cb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat
        Filesize

        156B

        MD5

        8beefa5eb3b1229ce594820a7bf26f13

        SHA1

        76503ae8c8e7ad6e4189e892ae39013d4d9caf0d

        SHA256

        7bffa1d2b8040cdf411d7c4d15be0a76826cd3c7e9d9b7a90f82649cff370e25

        SHA512

        e5afa41a29d45e4a155c05d744d7a5fd3ceca87f1a4010b83b12811b3c50ef75728c6058c59880ab1dd050b35e0bc3b78aafbb0cdcb70c2fed4117546cd542ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe
        Filesize

        644KB

        MD5

        b77cc3a61118ce5909a97fe98496dd9c

        SHA1

        72e7902317d13f5c9df4966e350b432459075f7f

        SHA256

        eda21d56f93441d8ee26dee6aab9d174ae8e01e8a0b5b0516f0cc11bc39881cc

        SHA512

        fd7296b77c9bbbaecf635a89b1dd1f74e1b7caaf3b1b7c2d1ba53e47814edb4381403b26c8bfb292f3f1dd2f5a0c81242282c6e275bfb34ac8eb4b829f8641bf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe
        Filesize

        644KB

        MD5

        b77cc3a61118ce5909a97fe98496dd9c

        SHA1

        72e7902317d13f5c9df4966e350b432459075f7f

        SHA256

        eda21d56f93441d8ee26dee6aab9d174ae8e01e8a0b5b0516f0cc11bc39881cc

        SHA512

        fd7296b77c9bbbaecf635a89b1dd1f74e1b7caaf3b1b7c2d1ba53e47814edb4381403b26c8bfb292f3f1dd2f5a0c81242282c6e275bfb34ac8eb4b829f8641bf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe
        Filesize

        59KB

        MD5

        c0929836a21a2816ce47232f2816041b

        SHA1

        1a16faf63d2c08bbb019e8fb1524b8027b802b58

        SHA256

        e5817e9b0c41053150e2b98aa8cca4420545563604ddb82d4dfe56e5e2710307

        SHA512

        b5cc450f1c4add00557eb3c2bdc42e82ba15a05e98954103490c5ad32b274d729a04112354e2bb6eee2ec03070761285d1a3c0684ebfb01e04539270dd560fe8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe
        Filesize

        59KB

        MD5

        c0929836a21a2816ce47232f2816041b

        SHA1

        1a16faf63d2c08bbb019e8fb1524b8027b802b58

        SHA256

        e5817e9b0c41053150e2b98aa8cca4420545563604ddb82d4dfe56e5e2710307

        SHA512

        b5cc450f1c4add00557eb3c2bdc42e82ba15a05e98954103490c5ad32b274d729a04112354e2bb6eee2ec03070761285d1a3c0684ebfb01e04539270dd560fe8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
        Filesize

        440KB

        MD5

        75ca7ff96bf5a316c3af2de6a412bd54

        SHA1

        0a093950790ff0dddff6f5f29c6b02c10997e0c5

        SHA256

        d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

        SHA512

        b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0BRMXSXN.txt
        Filesize

        608B

        MD5

        c2d6f03c1d5087bc01d0165ed803a918

        SHA1

        3f12903d40b52690931994489694007e4ca992a6

        SHA256

        f300e9b9f307e815965b9e5e485d667e851850456dbe2144a30d44905fc15158

        SHA512

        9c6075ba24741e31cf046bcf3f70a7ad8f4c9f5d01fd8e221f61b8f0403019a36f270d8ff3f5056e5a1494537d4d9a7b27f7b2f8947eb4f0588faab471c1dc51

        Download Submit

      • C:\Windows\SysWOW64\Nservies.exe
        Filesize

        180KB

        MD5

        485c6f3d322429e3d8b833d6c11c22af

        SHA1

        9e5ad792aca8c1f7ab9bec2bdd11699d499b3841

        SHA256

        da89f0b529e5fb472264412832b58c38dbd30ff8c44c99f8446aeaf43b083645

        SHA512

        2b7729d6db5324dee83cb7800d8cb6bc88ee00220e21f2e89620d7a9ee1a1b2e73c82db8294d91d21a30e07b8b719af59110268ad6eb5aeec72620ddfee7174f

        Download Submit

      • C:\Windows\SysWOW64\Win32s.dll
        Filesize

        36KB

        MD5

        fe241372298db7bd1d1583173ce7bdfc

        SHA1

        6929e7253798251125cebe12f4f3ac7d79ab85b0

        SHA256

        18b1178e59153ec35c22b743e61d7a29ab36731082e96d3ca94b9a46d866b5aa

        SHA512

        a559918c607d82231e7277b294041c2ff03c343c0144b332333a2981cdb55ab63e8eec55bb7108a4bb72377dc4ecc1ca3377087c6df4555535f88807ea37e1d5

        Download Submit

      • C:\Windows\SysWOW64\Winlans.exe
        Filesize

        248KB

        MD5

        1f628eb7e8d9be4fafad8c206ee31f84

        SHA1

        3936f7b6e1b70e656b91fa869ab4bbc8bad9a26c

        SHA256

        205e697a0ee6f675763c2cd3cd672568b923f74e81efc3584d8268a3c9b8e0b5

        SHA512

        b95c9361da95005c47c1c0d9084e505155747b945704667a81a1a7f9107bfbec139d150fece806e9cae7a06f2805234b7f76f7c2132b49f9c0b0f6c8216b9c5a

        Download Submit

      • \Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe
        Filesize

        644KB

        MD5

        b77cc3a61118ce5909a97fe98496dd9c

        SHA1

        72e7902317d13f5c9df4966e350b432459075f7f

        SHA256

        eda21d56f93441d8ee26dee6aab9d174ae8e01e8a0b5b0516f0cc11bc39881cc

        SHA512

        fd7296b77c9bbbaecf635a89b1dd1f74e1b7caaf3b1b7c2d1ba53e47814edb4381403b26c8bfb292f3f1dd2f5a0c81242282c6e275bfb34ac8eb4b829f8641bf

        Download Submit

      • \Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe
        Filesize

        644KB

        MD5

        b77cc3a61118ce5909a97fe98496dd9c

        SHA1

        72e7902317d13f5c9df4966e350b432459075f7f

        SHA256

        eda21d56f93441d8ee26dee6aab9d174ae8e01e8a0b5b0516f0cc11bc39881cc

        SHA512

        fd7296b77c9bbbaecf635a89b1dd1f74e1b7caaf3b1b7c2d1ba53e47814edb4381403b26c8bfb292f3f1dd2f5a0c81242282c6e275bfb34ac8eb4b829f8641bf

        Download Submit

      • \Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe
        Filesize

        644KB

        MD5

        b77cc3a61118ce5909a97fe98496dd9c

        SHA1

        72e7902317d13f5c9df4966e350b432459075f7f

        SHA256

        eda21d56f93441d8ee26dee6aab9d174ae8e01e8a0b5b0516f0cc11bc39881cc

        SHA512

        fd7296b77c9bbbaecf635a89b1dd1f74e1b7caaf3b1b7c2d1ba53e47814edb4381403b26c8bfb292f3f1dd2f5a0c81242282c6e275bfb34ac8eb4b829f8641bf

        Download Submit

      • \Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe
        Filesize

        644KB

        MD5

        b77cc3a61118ce5909a97fe98496dd9c

        SHA1

        72e7902317d13f5c9df4966e350b432459075f7f

        SHA256

        eda21d56f93441d8ee26dee6aab9d174ae8e01e8a0b5b0516f0cc11bc39881cc

        SHA512

        fd7296b77c9bbbaecf635a89b1dd1f74e1b7caaf3b1b7c2d1ba53e47814edb4381403b26c8bfb292f3f1dd2f5a0c81242282c6e275bfb34ac8eb4b829f8641bf

        Download Submit

      • \Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe
        Filesize

        59KB

        MD5

        c0929836a21a2816ce47232f2816041b

        SHA1

        1a16faf63d2c08bbb019e8fb1524b8027b802b58

        SHA256

        e5817e9b0c41053150e2b98aa8cca4420545563604ddb82d4dfe56e5e2710307

        SHA512

        b5cc450f1c4add00557eb3c2bdc42e82ba15a05e98954103490c5ad32b274d729a04112354e2bb6eee2ec03070761285d1a3c0684ebfb01e04539270dd560fe8

        Download Submit

      • \Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe
        Filesize

        59KB

        MD5

        c0929836a21a2816ce47232f2816041b

        SHA1

        1a16faf63d2c08bbb019e8fb1524b8027b802b58

        SHA256

        e5817e9b0c41053150e2b98aa8cca4420545563604ddb82d4dfe56e5e2710307

        SHA512

        b5cc450f1c4add00557eb3c2bdc42e82ba15a05e98954103490c5ad32b274d729a04112354e2bb6eee2ec03070761285d1a3c0684ebfb01e04539270dd560fe8

        Download Submit

      • \Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
        Filesize

        440KB

        MD5

        75ca7ff96bf5a316c3af2de6a412bd54

        SHA1

        0a093950790ff0dddff6f5f29c6b02c10997e0c5

        SHA256

        d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

        SHA512

        b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

        Download Submit

      • \Windows\SysWOW64\Nservies.exe
        Filesize

        180KB

        MD5

        485c6f3d322429e3d8b833d6c11c22af

        SHA1

        9e5ad792aca8c1f7ab9bec2bdd11699d499b3841

        SHA256

        da89f0b529e5fb472264412832b58c38dbd30ff8c44c99f8446aeaf43b083645

        SHA512

        2b7729d6db5324dee83cb7800d8cb6bc88ee00220e21f2e89620d7a9ee1a1b2e73c82db8294d91d21a30e07b8b719af59110268ad6eb5aeec72620ddfee7174f

        Download Submit

      • \Windows\SysWOW64\Nservies.exe
        Filesize

        180KB

        MD5

        485c6f3d322429e3d8b833d6c11c22af

        SHA1

        9e5ad792aca8c1f7ab9bec2bdd11699d499b3841

        SHA256

        da89f0b529e5fb472264412832b58c38dbd30ff8c44c99f8446aeaf43b083645

        SHA512

        2b7729d6db5324dee83cb7800d8cb6bc88ee00220e21f2e89620d7a9ee1a1b2e73c82db8294d91d21a30e07b8b719af59110268ad6eb5aeec72620ddfee7174f

        Download Submit

      • \Windows\SysWOW64\Win32s.dll
        Filesize

        36KB

        MD5

        fe241372298db7bd1d1583173ce7bdfc

        SHA1

        6929e7253798251125cebe12f4f3ac7d79ab85b0

        SHA256

        18b1178e59153ec35c22b743e61d7a29ab36731082e96d3ca94b9a46d866b5aa

        SHA512

        a559918c607d82231e7277b294041c2ff03c343c0144b332333a2981cdb55ab63e8eec55bb7108a4bb72377dc4ecc1ca3377087c6df4555535f88807ea37e1d5

        Download Submit

      • \Windows\SysWOW64\Winlans.exe
        Filesize

        248KB

        MD5

        1f628eb7e8d9be4fafad8c206ee31f84

        SHA1

        3936f7b6e1b70e656b91fa869ab4bbc8bad9a26c

        SHA256

        205e697a0ee6f675763c2cd3cd672568b923f74e81efc3584d8268a3c9b8e0b5

        SHA512

        b95c9361da95005c47c1c0d9084e505155747b945704667a81a1a7f9107bfbec139d150fece806e9cae7a06f2805234b7f76f7c2132b49f9c0b0f6c8216b9c5a

        Download Submit

      • \Windows\SysWOW64\Winlans.exe
        Filesize

        248KB

        MD5

        1f628eb7e8d9be4fafad8c206ee31f84

        SHA1

        3936f7b6e1b70e656b91fa869ab4bbc8bad9a26c

        SHA256

        205e697a0ee6f675763c2cd3cd672568b923f74e81efc3584d8268a3c9b8e0b5

        SHA512

        b95c9361da95005c47c1c0d9084e505155747b945704667a81a1a7f9107bfbec139d150fece806e9cae7a06f2805234b7f76f7c2132b49f9c0b0f6c8216b9c5a

        Download Submit

      • memory/456-95-0x0000000002310000-0x0000000002437000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/456-97-0x0000000002310000-0x0000000002437000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1120-96-0x0000000000400000-0x0000000000527000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1988-54-0x0000000076171000-0x0000000076173000-memory.dmp

        Filesize

        8KB

        Download