Analysis
max time kernel: 337s
max time network: 401s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 20:54
Static task: static1
Behavioral task: behavioral1
  Sample: 最新西西游戏外挂网.url
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 最新西西游戏外挂网.url
  Resource: win10v2004-20220812-en
Behavioral task: behavioral3
  Sample: ľͷˡ10.5A .exe
  Resource: win7-20220812-en
General
Target: ľͷˡ10.5A .exe
Size: 3.1MB
MD5: 6888bf89383dc531b5f48565473ff282
SHA1: 8a5637aaabdf6cf33f01497a8a30f6df1d3c8423
SHA256: 28277d5645f1d59fda3b93f301ccadb051a4de4263ae3e26f7b7347ca4ec0816
SHA512: 44c6744af094eb9aaf0e1778069e8b591880fb57ae3d5140db52273523e43f43c07249afd9b7ab3f64d7d8f2f952b8d7ce5123c9d46ebcec3d1c1bbe64c8be84
SSDEEP: 49152:FZzgXr4iTZaqdwk0c05HGimCJLMBXVr05fc0rw:vcr4iYqdwkLcHHpYnRl
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
  resource | yara_rule
  behavioral4/files/0x000c000000022de3-132.dat | acprotect

Blocks application from running via registry modification (6 IoCs)
Adds application to list of disallowed applications.
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "yylauncher.exe" | ľͷˡ10.5A .exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "YY.exe" | ľͷˡ10.5A .exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "e_patcher.exe" | ľͷˡ10.5A .exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "e.exe" | ľͷˡ10.5A .exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | ľͷˡ10.5A .exe
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | ľͷˡ10.5A .exe

Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\drivers\etc\hosts2 | ľͷˡ10.5A .exe

  resource | yara_rule
  behavioral4/files/0x000c000000022de3-132.dat | upx
  behavioral4/memory/4628-133-0x0000000010000000-0x000000001003D000-memory.dmp | upx

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | ľͷˡ10.5A .exe

Loads dropped DLL (1 IoCs)
  pid | Process
  4628 | ľͷˡ10.5A .exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4628 | ľͷˡ10.5A .exe
  4628 | ľͷˡ10.5A .exe
  4628 | ľͷˡ10.5A .exe
  4628 | ľͷˡ10.5A .exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  4628 | ľͷˡ10.5A .exe
  4628 | ľͷˡ10.5A .exe
  4628 | ľͷˡ10.5A .exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 4628 wrote to memory of 2412 | 4628 | ľͷˡ10.5A .exe | 83
  PID 4628 wrote to memory of 2412 | 4628 | ľͷˡ10.5A .exe | 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\ľͷˡ10.5A .exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ľͷˡ10.5A .exe"
   PID: 4628
   - Blocks application from running via registry modification
   - Drops file in Drivers directory
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Internet Explorer\iexplore.exe (child of PID 4628)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" www.x5mtr.com
      PID: 2412
      - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 86KB
MD5: 147127382e001f495d1842ee7a9e7912
SHA1: 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256: edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512: 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d