Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

f9230ed6f5...bd.exe

windows7-x64

8

f9230ed6f5...bd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    160s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9230ed6f56e9698eaed425dab6a1252cd56e4cc769bea88eb627fa5d5b223bd.exe

  • Size

    1.5MB

  • MD5

    cb2e44fceaa9a4e6daa43c7f3a35b1af

  • SHA1

    b6b293334d0a40128c731fb9d8ec2137657ab6e5

  • SHA256

    f9230ed6f56e9698eaed425dab6a1252cd56e4cc769bea88eb627fa5d5b223bd

  • SHA512

    4724029b8c6459f6495800dcbc9459410d3cae5f855ca7cab70acdb7b86462016c58e1420dd84f995e18f2882dfa9441db05c183462a68e0636bd59100d6dbdb

  • SSDEEP

    24576:caeMqk4eF59tKhCvF7dnjgjxpP19f83OXXWYnR8ivQltND2NkSkIkyjL:caAHesCvFWlc3OWYRElKNk5IkyjL

Score
8/10
aspackv2persistence

Malware Config

Signatures

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9230ed6f56e9698eaed425dab6a1252cd56e4cc769bea88eb627fa5d5b223bd.exe
    "C:\Users\Admin\AppData\Local\Temp\f9230ed6f56e9698eaed425dab6a1252cd56e4cc769bea88eb627fa5d5b223bd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Users\Admin\AppData\Local\Temp\2071.exe
      "C:\Users\Admin\AppData\Local\Temp\2071.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=2071
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4652 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1508
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1624
        3⤵
        • Program crash
        PID:4584
    • C:\Users\Admin\AppData\Local\Temp\ÄæÕ½ßäßä͸ÊÓ¼ÒÍ¥Íø°ÉͨÓðæ0126Sp1.exe
      "C:\Users\Admin\AppData\Local\Temp\ÄæÕ½ßäßä͸ÊÓ¼ÒÍ¥Íø°ÉͨÓðæ0126Sp1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 728
        3⤵
        • Program crash
        PID:1224
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4348 -ip 4348
    1⤵
      PID:448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 636 -ip 636
      1⤵
        PID:3324

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2071.exe
        Filesize

        114KB

        MD5

        6a3403a72b8efaecf87009a0cdf709c7

        SHA1

        4db26c3d0ef07c6107278b7583365fe47da6c03f

        SHA256

        3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

        SHA512

        4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2071.exe
        Filesize

        114KB

        MD5

        6a3403a72b8efaecf87009a0cdf709c7

        SHA1

        4db26c3d0ef07c6107278b7583365fe47da6c03f

        SHA256

        3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

        SHA512

        4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ÄæÕ½ßäßä͸ÊÓ¼ÒÍ¥Íø°ÉͨÓðæ0126Sp1.exe
        Filesize

        1.7MB

        MD5

        08e308a1c4176d11a2d88f1bc94332a0

        SHA1

        7b7c6bd39ad1aae8deb4e322abc476a4715bd9f7

        SHA256

        931270280aa42b9d7284b1be6019194e11ae8d972b373b4bd751cb253c9fcb5e

        SHA512

        ebadcc322351e24bf725826ac9dfbdaf21454bfe1c2642195f822da28958143cbdab1ee4676eee7a1767fc14995f031c54c1253f27b2a186287a08942f990966

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ÄæÕ½ßäßä͸ÊÓ¼ÒÍ¥Íø°ÉͨÓðæ0126Sp1.exe
        Filesize

        1.7MB

        MD5

        08e308a1c4176d11a2d88f1bc94332a0

        SHA1

        7b7c6bd39ad1aae8deb4e322abc476a4715bd9f7

        SHA256

        931270280aa42b9d7284b1be6019194e11ae8d972b373b4bd751cb253c9fcb5e

        SHA512

        ebadcc322351e24bf725826ac9dfbdaf21454bfe1c2642195f822da28958143cbdab1ee4676eee7a1767fc14995f031c54c1253f27b2a186287a08942f990966

        Download Submit

      • C:\Windows\SysWOW64\intel.dll
        Filesize

        142KB

        MD5

        5b6ae60afa76e99a591556ba5bdc0acb

        SHA1

        e3f12b7fe4337a55c9e859a5ceec95f749cf457b

        SHA256

        7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

        SHA512

        4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

        Download Submit

      • memory/636-147-0x00000000761F0000-0x0000000076390000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/636-1501-0x00000000024E0000-0x00000000025E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/636-1505-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-1504-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-142-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-1502-0x00000000024E0000-0x00000000025E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/636-144-0x0000000077340000-0x00000000774E3000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/636-145-0x0000000075FD0000-0x00000000761E5000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/636-1499-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-148-0x0000000077120000-0x000000007719A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/636-1500-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-1493-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-1494-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-1495-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-1496-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/636-1498-0x0000000000400000-0x000000000064B000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4348-138-0x0000000000660000-0x00000000006A6000-memory.dmp

        Filesize

        280KB

        Download

      • memory/4348-1503-0x0000000000660000-0x00000000006A6000-memory.dmp

        Filesize

        280KB

        Download

      • memory/4348-136-0x0000000000660000-0x00000000006A6000-memory.dmp

        Filesize

        280KB

        Download

      • memory/4348-137-0x0000000000660000-0x00000000006A6000-memory.dmp

        Filesize

        280KB

        Download

      • memory/4772-132-0x0000000000400000-0x00000000005810DE-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4772-143-0x0000000000400000-0x00000000005810DE-memory.dmp

        Filesize

        1.5MB

        Download