Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

9d2567186d...8c.exe

windows7-x64

9

9d2567186d...8c.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    146s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 21:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe

  • Size

    2.6MB

  • MD5

    4bfaf4334b36db4e10e1c7e63a6889af

  • SHA1

    77b2ee9f7e39d548f42da877bda97bff83e9315e

  • SHA256

    9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c

  • SHA512

    4546dc9ba1180038c2f2015c0db1cbed07ac3a042010c2f232104b2e60c7f36614208fa648f7183da99a4c301a0cd9a721eecabd0ca3588c57aa465de312d8d9

  • SSDEEP

    49152:gfJ3tfIakU9sxt4jL148SgiQbEf1AnjxN3NIy0kbp0ik1LrhPm:gfJ9fRkU9sxtQOgPbaajxzIobp0iE

Score
9/10
evasionupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
    "C:\Users\Admin\AppData\Local\Temp\9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://schftx.taobao.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:328
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.weishiwg.com/
      2⤵
        PID:1968

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      3dcf580a93972319e82cafbc047d34d5

      SHA1

      8528d2a1363e5de77dc3b1142850e51ead0f4b6b

      SHA256

      40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

      SHA512

      98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      340B

      MD5

      4173fbd5650225ad43b8e84f81ee1f9c

      SHA1

      f7d9550eb248ce0a31f70485605ae64d4e300d22

      SHA256

      0aee244fccffc477610f3026d1ddafa1b7bd718383b5503d95970468fe83e3f4

      SHA512

      d1cf605b078bd18345c16ea2fa214cdf6400c4173a1520202bde01bd7e3f86bbd9256dac2dce71ffb889b45bc704eff8422b0efdea905c938d7b0bc4f1fd7292

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5826ef2531a796f8e842917dbbff5dd1

      SHA1

      c561a92d6c3ed896a342b34bf0d7fe338a3130c9

      SHA256

      f6ac362eb612596a0207457fa4f5d874212870265b777df0254f45c679083b52

      SHA512

      4be751a680578598867bd5896f15ac42cf722cfc349abec4deea76adcbc2f96b41776b78dacb382819fa30c5fe2ad7299ea8f01fda1e79c7a7f402412f4ceb22

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat
      Filesize

      20KB

      MD5

      a1afe1a56792e72582414fd65c95b8b0

      SHA1

      345a4296daf92764c321bf50434687d6ec3f72b2

      SHA256

      16e298d7b16be43e38813e03833fd55e6eb27380b0a431d77af82f2d5771cdb0

      SHA512

      ada169e8cf1b82e6374ed665249b6002be6ceb462941aeaa44325c95b58b32e8d1beb36a1534185192e459a94004200a67fd7fa663eef4f9ee318c62d95e97bc

      Download Submit

    • memory/1608-84-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-90-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-61-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-62-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-64-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-66-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-70-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-68-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-72-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-74-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-76-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-78-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-82-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-80-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-54-0x0000000000400000-0x0000000000A81000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1608-88-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-86-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-60-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-92-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-94-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-96-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-100-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-98-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-102-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-103-0x0000000000400000-0x0000000000A81000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1608-104-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-106-0x0000000000400000-0x0000000000A81000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1608-107-0x0000000000400000-0x0000000000A81000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1608-108-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-59-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-57-0x0000000010000000-0x000000001003D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1608-56-0x0000000077480000-0x0000000077600000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1608-55-0x0000000075A91000-0x0000000075A93000-memory.dmp

      Filesize

      8KB

      Download