Analysis
- max time kernel: 152s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2022, 01:42
Behavioral tasks
- behavioral1: 07-30 B 周年稳定版)/DNF飞机 07-30 B.exe (resource win7-20220901-en)
- behavioral2: 07-30 B 周年稳定版)/DNF飞机 07-30 B.exe (resource win10v2004-20220812-en)
- behavioral3: 07-30 B 周年稳定版)/Theplane.exe (resource win7-20220812-en)
- behavioral4: 07-30 B 周年稳定版)/Theplane.exe (resource win10v2004-20221111-en)
- behavioral5: 07-30 B 周年稳定版)/打不开飞机-点击我启动飞机.bat (resource win7-20221111-en)
- behavioral6: 07-30 B 周年稳定版)/打不开飞机-点击我启动飞机.bat (resource win10v2004-20221111-en)
- behavioral7: @创e下载┆9年绿色无弹窗安全.url (resource win7-20221111-en)
- behavioral8: @创e下载┆9年绿色无弹窗安全.url (resource win10v2004-20221111-en)
- behavioral9: 安卓手机版本下载.url (resource win7-20221111-en)
- behavioral10: 安卓手机版本下载.url (resource win10v2004-20221111-en)
General
- Target: 07-30 B 周年稳定版)/打不开飞机-点击我启动飞机.bat
- Size: 6KB
- MD5: f29563cfcfec1de3fe022b6dcf417abe
- SHA1: a1ccda74ca6a010aedf20b827031ec433c2a0af3
- SHA256: 6c3fcc35e321e5accb37bb9bf52cc02eaf99dea6658c1f27efd77091fff60eff
- SHA512: c86b468a15922a9a99e8a534b18dc474b702de98309750f351016115753d48bb8588b1f9810436d4f3b9fdcbbe68e2c32b08189924511fcf25599ed0ff6a934e
- SSDEEP: 24:9QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQj:XePJ1O32B8PNn
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 4680 Theplane.exe
  pid 5116 Theplane.exe
- YARA rule match: upx (3 IoCs)
  behavioral6/memory/5116-141-0x0000000000C50000-0x0000000000CC2000-memory.dmp
  behavioral6/memory/5116-142-0x0000000000C50000-0x0000000000CC2000-memory.dmp
  behavioral6/memory/5116-143-0x0000000000C50000-0x0000000000CC2000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (4 IoCs)
  pid 3828 taskkill.exe
  pid 4628 taskkill.exe
  pid 1132 taskkill.exe
  pid 2632 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  pid 5116 Theplane.exe (all 58 entries are this process)
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Token: SeDebugPrivilege, pid 1132 taskkill.exe
  Token: SeDebugPrivilege, pid 2632 taskkill.exe
  Token: SeDebugPrivilege, pid 3828 taskkill.exe
  Token: SeDebugPrivilege, pid 4628 taskkill.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, pid 5116 Theplane.exe (14 alternating pairs, 28 entries)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 5116 Theplane.exe (5 entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 4812 cmd.exe wrote to memory of 1132 (procid_target 86), 2 entries
  PID 4812 cmd.exe wrote to memory of 4680 (procid_target 87), 3 entries
  PID 4812 cmd.exe wrote to memory of 2632 (procid_target 88), 2 entries
  PID 4812 cmd.exe wrote to memory of 3828 (procid_target 89), 2 entries
  PID 4812 cmd.exe wrote to memory of 4628 (procid_target 90), 2 entries
  PID 4812 cmd.exe wrote to memory of 5116 (procid_target 91), 3 entries
Processes
- C:\Windows\system32\cmd.exe (PID 4812)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\07-30 B 周年稳定版)\打不开飞机-点击我启动飞机.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\taskkill.exe (PID 1132)
    Command line: taskkill /f /t /im Theplane.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\07-30 B 周年稳定版)\Theplane.exe (PID 4680)
    Command line: Theplane.exe
    Signatures: Executes dropped EXE
  - C:\Windows\system32\taskkill.exe (PID 2632)
    Command line: taskkill /f /t /im Theplane.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe (PID 3828)
    Command line: taskkill /f /t /im Theplane.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe (PID 4628)
    Command line: taskkill /f /t /im conime.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\07-30 B 周年稳定版)\Theplane.exe (PID 5116)
    Command line: Theplane.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4524)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dnffeiji.com/dc.html
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.3MB
  MD5: 95b087f5151b5435fc9f17b944e7c452
  SHA1: 5577bfba78ea7e59d5945dcab7d55d3d3229e5d8
  SHA256: 96cb5bede9a55c7f94617809cfbfc11f242b8583c67191f38fb756cf3c05387b
  SHA512: 4e5082d9721ede9c268f35d3ef9d09a10328a8adcabebbe66fb5e2832180cab7c1617b758004c17f8f0732573396dbad440e22f4fbde495a744c83f91a74865e
- Filesize: 2.3MB
  MD5: 0b8397d39605face65f44790dc335e48
  SHA1: 37b6134664bafd0af06b5814a6c3dbd58ae95aad
  SHA256: 8e329415a2afc132160257df3c457624f407712fbcac236a1f2e2684f69dd6dc
  SHA512: 9ec399d13dc2e61771dc75af70c52a80f6d575d9af5fe16ed7880f3df98127e464087ad165893015b1e8a7e8b61f12b764c20cde254f0d1301dac94b012952fe