Overview

Score shown on the overview tab for each task (the file names in the tab strip are the samples listed under Behavioral tasks):

- static: 8
- behavioral1 (DNF飞机 07-30 B.exe, windows7-x64): 8
- behavioral2 (DNF飞机 07-30 B.exe, windows10-2004-x64): 8
- behavioral3 (Theplane.exe, windows7-x64): 8
- behavioral4 (Theplane.exe, windows10-2004-x64): 8
- behavioral5 (打不开飞机-点击我启动飞机.bat, windows7-x64): 8
- behavioral6 (打不开飞机-点击我启动飞机.bat, windows10-2004-x64): 8
- behavioral7 (@创e下载┆9年绿色无弹窗安全.url, windows7-x64): 8
- behavioral8 (@创e下载┆9年绿色无弹窗安全.url, windows10-2004-x64): 1
- behavioral9 (安卓手机版本下载.url, windows7-x64): 1
- behavioral10 (安卓手机版本下载.url, windows10-2004-x64): 1
Analysis

This page is the behavioral4 task: 07-30 B 周年稳定版)/Theplane.exe run on windows10-2004-x64.

- max time kernel: 152s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2022, 01:42
Behavioral tasks

- behavioral1: 07-30 B 周年稳定版)/DNF飞机 07-30 B.exe on win7-20220901-en
- behavioral2: 07-30 B 周年稳定版)/DNF飞机 07-30 B.exe on win10v2004-20220812-en
- behavioral3: 07-30 B 周年稳定版)/Theplane.exe on win7-20220812-en
- behavioral4: 07-30 B 周年稳定版)/Theplane.exe on win10v2004-20221111-en (this report)
- behavioral5: 07-30 B 周年稳定版)/打不开飞机-点击我启动飞机.bat on win7-20221111-en
- behavioral6: 07-30 B 周年稳定版)/打不开飞机-点击我启动飞机.bat on win10v2004-20221111-en
- behavioral7: @创e下载┆9年绿色无弹窗安全.url on win7-20221111-en
- behavioral8: @创e下载┆9年绿色无弹窗安全.url on win10v2004-20221111-en
- behavioral9: 安卓手机版本下载.url on win7-20221111-en
- behavioral10: 安卓手机版本下载.url on win10v2004-20221111-en

The file names are Chinese and are kept as-is above. In English: the folder "07-30 B 周年稳定版)" is "07-30 B anniversary stable edition)" (its leading characters are cut off in the report); "DNF飞机 07-30 B.exe" is "DNF plane 07-30 B.exe", where "飞机" (plane) is the tool's branding; "打不开飞机-点击我启动飞机.bat" is "Can't open the plane - click me to launch the plane.bat"; "@创e下载┆9年绿色无弹窗安全.url" is "@Chuang-e Download | 9 years of green (clean) software, no pop-ups, safe.url"; "安卓手机版本下载.url" is "Android phone version download.url".
General

- Target: 07-30 B 周年稳定版)/Theplane.exe
- Size: 2.3MB
- MD5: 1ec395eef7d5cc1833c121532f0e232b
- SHA1: 18d326d98189b324bf86b0683d54a3c3100d0e48
- SHA256: acf1ac838ea940bccc84277a76fd8dbecc0e21bcae5140fe1782e11be2165f24
- SHA512: 6621f98ca4ff338027fa9dd0cf4227fcafe84f0e2b3adbea35abb896fcfa4054b83e1273e603d31ed979dfb4837a5b8adfcc84b8326ec70d502d85a3673183ad
- SSDEEP: 24576:FQLf4Xvi7/RS7gndLR3IKOCKfJunXKo9yHSAzIZq8y4D3plQ21myoSlxRgVec/MT:FeXsqxLfQ2Ayokgf8veJmb
Malware Config
Signatures

- UPX packed (yara rule "upx"): 3 hits in behavioral4 memory dumps of PID 1660 (Theplane.exe), all for the region 0x0000000002AB0000-0x0000000002B22000: dumps 1660-132, 1660-133 and 1660-134
- Enumerates physical storage devices (1 TTPs): "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That is the signature's generic description; the report lists no IoCs under it and shows no file-encryption activity anywhere else.
- Enumerates system info in registry (2 TTPs, 3 IoCs), process msedge.exe:
  key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Modifies registry class (1 IoCs), process msedge.exe:
  key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious behavior: EnumeratesProcesses (64 IoCs): PID 1660 Theplane.exe, all 64 entries
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs): PID 3200 msedge.exe, 4 entries
- Suspicious use of AdjustPrivilegeToken (64 IoCs): PID 1660 Theplane.exe, alternating Token 33 and Token SeIncBasePriorityPrivilege, 32 entries each (privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
- Suspicious use of FindShellTrayWindow (1 IoCs): PID 3200 msedge.exe
- Suspicious use of SetWindowsHookEx (5 IoCs): PID 1660 Theplane.exe, 5 entries
- Suspicious use of WriteProcessMemory (64 IoCs; the list stops at 64 entries), repeated rows collapsed:
  PID 1660 Theplane.exe wrote to memory of 3200 (procid_target 90): 2 entries
  PID 3200 msedge.exe wrote to memory of 3444 (procid_target 91): 2 entries
  PID 3200 msedge.exe wrote to memory of 1568 (procid_target 92): 40 entries
  PID 3200 msedge.exe wrote to memory of 1928 (procid_target 93): 2 entries
  PID 3200 msedge.exe wrote to memory of 3088 (procid_target 94): 18 entries

The Process column matters when reading this list. Only four signatures are attributed to the sample itself (PID 1660): EnumeratesProcesses, AdjustPrivilegeToken, SetWindowsHookEx and the two writes into PID 3200, the msedge.exe it spawned; a parent writing into a child it has just created is part of process start-up and is not evidence of injection on its own. The BIOS registry reads, the CLSID key, FindShellTrayWindow and the BlockNonMicrosoftBinary mitigation are attributed to msedge.exe and are consistent with ordinary Edge start-up (Edge applies that signature mitigation to its own child processes). What the sample demonstrably does in this run is launch Edge on http://www.dnffeiji.com/dc.html.
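The "upx" yara hit above came from memory dumps of PID 1660; the check a practitioner usually wants next is whether the file on disk shows the packer's layout too. The script below is an added example written for this page, not tria.ge code and not the yara rule it ran. It assumes the layout stock UPX produces (sections named UPX0/UPX1, with UPX0 having SizeOfRawData 0 because it only reserves the area the stub unpacks into, and the compressed image sitting in UPX1 at high entropy); build_pe() constructs minimal PE32 images as test data and is not the sample. A repacked binary with renamed sections defeats the name check, which is why a memory-dump rule like the one in this report is the more robust signal.

```python
"""Check a PE file on disk for the UPX packer's section layout.

Added example for this report, not tria.ge code. Stock UPX writes sections
named UPX0/UPX1 (plus an optional UPX2 or .rsrc), leaves UPX0 with
SizeOfRawData 0, and stores the compressed image in UPX1 at high entropy.
build_pe() constructs minimal PE32 images for the demonstration only.
"""
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(data: bytes):
    """Return (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for each entry of the section table, walking MZ -> e_lfanew -> PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0"), vsize, vaddr, rsize, roff))
    return sections


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data: bytes) -> dict:
    sections = parse_sections(data)
    names = [s[0] for s in sections]
    packed_entropy = 0.0
    for name, _vsize, _vaddr, rsize, roff in sections:
        if name in UPX_SECTION_NAMES and rsize:
            packed_entropy = max(packed_entropy, entropy(data[roff:roff + rsize]))
    return {
        "section_names": names,
        "upx_names": any(n in UPX_SECTION_NAMES for n in names),
        # VirtualSize > 0 with SizeOfRawData == 0: space reserved for the unpacked image
        "first_section_empty_on_disk": bool(sections) and sections[0][3] == 0 and sections[0][1] > 0,
        "packed_section_entropy": round(packed_entropy, 2),
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return ind["upx_names"] and ind["first_section_empty_on_disk"]


def build_pe(section_specs) -> bytes:
    """Constructed PE32 image (headers, section table and raw data only; not a
    runnable program) from (name, VirtualSize, raw_bytes) tuples."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x102)
    headers_len = 0x40 + 4 + len(coff) + len(opt) + 40 * len(section_specs)
    raw_start = (headers_len + 0x1FF) & ~0x1FF             # FileAlignment 0x200
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in section_specs:
        rsize = (len(raw) + 0x1FF) & ~0x1FF if raw else 0
        roff = raw_start + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, roff, 0, 0, 0, 0, 0xE0000020)
        body += raw.ljust(rsize, b"\0")
        vaddr += (vsize + 0xFFF) & ~0xFFF                  # SectionAlignment 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image.ljust(raw_start, b"\0") + body)


def sample_upx_pe() -> bytes:
    """Constructed image with UPX's layout; random bytes stand in for compressed code."""
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(0x800))
    return build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x1000, packed), (b".rsrc", 0x1000, b"\0" * 0x200)])


def sample_plain_pe() -> bytes:
    """Constructed image with an ordinary .text/.data layout."""
    return build_pe([(b".text", 0x1000, b"\xcc" * 0x200), (b".data", 0x1000, b"\0" * 0x200)])
```

Against a real file, call upx_indicators(open(path, "rb").read()); the section names and the entropy of the packed section are the two values worth recording next to the memory-dump hit.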
Processes

The tree is what this run shows: Theplane.exe starts Microsoft Edge on http://www.dnffeiji.com/dc.html (the domain is the pinyin of the sample's "DNF飞机" branding), and everything under PID 3200 is Edge's own helper processes. CompPkgSrv.exe is a separate top-level process started by COM activation (-Embedding), not a child of the sample.

1. C:\Users\Admin\AppData\Local\Temp\07-30 B 周年稳定版)\Theplane.exe, PID 1660
   "C:\Users\Admin\AppData\Local\Temp\07-30 B 周年稳定版)\Theplane.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 3200
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dnffeiji.com/dc.html
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. msedge.exe, PID 3444 (crashpad handler)
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x40,0x104,0x7ffb753d46f8,0x7ffb753d4708,0x7ffb753d4718

      3. msedge.exe, PID 1568 (GPU process)
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2238213530209937905,16710028140945733591,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

      3. msedge.exe, PID 1928 (network service)
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2238213530209937905,16710028140945733591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3

      3. msedge.exe, PID 3088 (storage service)
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,2238213530209937905,16710028140945733591,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8

      3. msedge.exe, PID 3280 (renderer, client id 6)
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2238213530209937905,16710028140945733591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1

      3. msedge.exe, PID 2800 (renderer, client id 5)
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2238213530209937905,16710028140945733591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1

      3. msedge.exe, PID 3228 (renderer, client id 7)
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2238213530209937905,16710028140945733591,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

      3. msedge.exe, PID 2704 (renderer, client id 8, instant process)
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2238213530209937905,16710028140945733591,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

1. C:\Windows\System32\CompPkgSrv.exe, PID 5076
   C:\Windows\System32\CompPkgSrv.exe -Embedding
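The detection this tree suggests is narrower than "WriteProcessMemory" or "EnumeratesProcesses": an executable running from a user-writable Temp directory spawns a browser and hands it a URL on the command line, while the browser's own children and a user opening a link from the shell stay quiet. The script below is an added example written for this page, not tria.ge code. The PIDs, image paths and the Edge command line are taken from the tree above; the record layout (modelled on Sysmon Event ID 1 fields), the parent of Theplane.exe (PID 900, assumed to be explorer.exe, which the report does not show), the trimmed child command lines and the benign control row are constructed for the demonstration.

```python
"""Flag a non-browser process from a Temp directory launching a browser on a URL.

Added example for this report, not tria.ge code. PIDs, image paths and the
Edge command line come from the report's process tree; the record layout,
the parent of Theplane.exe (PID 900, assumed explorer.exe) and the benign
control row are constructed.
"""
import re
from urllib.parse import urlsplit

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\07-30 B 周年稳定版)\Theplane.exe"

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},                          # assumed parent of the sample
    {"pid": 1660, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3200, "ppid": 1660, "image": EDGE,
     "cmdline": f'"{EDGE}" --single-argument http://www.dnffeiji.com/dc.html'},
    {"pid": 3444, "ppid": 3200, "image": EDGE,
     "cmdline": f'"{EDGE}" --type=crashpad-handler'},                 # trimmed from the report
    {"pid": 1568, "ppid": 3200, "image": EDGE,
     "cmdline": f'"{EDGE}" --type=gpu-process'},                      # trimmed from the report
    {"pid": 5076, "ppid": 1, "image": r"C:\Windows\System32\CompPkgSrv.exe",
     "cmdline": r"C:\Windows\System32\CompPkgSrv.exe -Embedding"},
    {"pid": 4100, "ppid": 900, "image": EDGE,                         # benign control: user opened a link
     "cmdline": f'"{EDGE}" --single-argument https://www.example.com/'},
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def children(events):
    """Map pid -> child pids, in event order."""
    tree = {}
    for e in events:
        tree.setdefault(e["ppid"], []).append(e["pid"])
    return tree


def ancestry(events, pid):
    """Image names from the given process up to the root of the recorded tree."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_browser_launches(events):
    """One finding per browser process whose parent is not a browser and whose
    command line carries a URL. Severity is 'high' when the parent runs from a
    Temp directory (the Theplane.exe case) and 'info' otherwise (explorer.exe
    opening a link for the user)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) not in BROWSERS:
            continue
        urls = URL_RE.findall(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not urls or parent is None:
            continue
        if image_name(parent["image"]) in BROWSERS:   # browser spawning its own helpers
            continue
        from_temp = bool(TEMP_RE.search(parent["image"]))
        findings.append({
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "browser_pid": e["pid"],
            "urls": urls,
            "domains": sorted({urlsplit(u).hostname for u in urls}),
            "severity": "high" if from_temp else "info",
        })
    return findings


if __name__ == "__main__":
    for f in find_browser_launches(EVENTS):
        print(f["severity"], f["parent_image"], "->", f["browser_pid"], f["domains"])
```

The domain list is the indicator to carry forward; the severity split keeps the same rule from firing every time a user clicks a link in Explorer or Outlook, which would otherwise be the main source of noise.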