Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20220812-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    06/12/2022, 23:48 UTC

General

  • Target

    b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe

  • Size

    104KB

  • MD5

    2c46e758200bdae00d795f06f8f0234a

  • SHA1

    c050af649f70f7284c0da7101abbf77e62032a94

  • SHA256

    b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056

  • SHA512

    121a28a34e77f094f0c978cc2085ca9c882e68400f5e63562d850ade62e5eb0d66fa8953562262b08b3226cb3bc5e7cfd94fe4cc2f864dd40f29c621b4f27fa6

  • SSDEEP

    1536:T/eA8BQWrI0Scqy/IVjiZUPyE5nMqmRTCkc9x+HejfAclG25DmQT:rchsXpy/iWZ85nIRekciwfDmQT

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the UPX open-source packer, or with a modified UPX build (section names and markers may have been changed).

  • Deletes itself 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 60 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
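
The "UPX packed file" signature above is a static check on the PE headers. The following is an added example of how such a check can be implemented; it is not tria.ge's detector and it does not operate on the sample from this report (which is not reproduced here). It builds a constructed minimal PE32 image in memory, parses the section table, and reports the three indicators a triage analyst usually looks at: the UPX0/UPX1 section names, the "UPX!" marker UPX writes into the header padding after the section table, and the structural fingerprint that survives a renamed ("modified UPX") build: a first section with a large VirtualSize but zero SizeOfRawData (the unpack destination) next to a section whose raw data has near-maximal entropy. The `build_pe` helper and both sample images are constructed for the example and are not real programs.

```python
import math
import random
import struct

DOS_HEADER_SIZE = 0x40
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
PE32_OPTIONAL_HEADER_SIZE = 224


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, typically 4-6.5 for x86 code."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns ([(name, virtual_size, raw_size, raw_bytes), ...], offset just past the table)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)     # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)        # COFF SizeOfOptionalHeader
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw_size,
                         data[raw_ptr:raw_ptr + raw_size]))
    return sections, table + num_sections * SECTION_HEADER_SIZE


def upx_indicators(data: bytes) -> dict:
    """Collect the individual UPX signals so an analyst can see which ones fired."""
    sections, table_end = parse_sections(data)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # SizeOfHeaders sits at optional-header offset 60 for both PE32 and PE32+.
    (size_of_headers,) = struct.unpack_from("<I", data, e_lfanew + 24 + 60)
    header_padding = data[table_end:size_of_headers]   # where UPX leaves its "UPX!" marker
    entropies = {name: shannon_entropy(raw) for name, _v, raw_size, raw in sections if raw_size}
    return {
        "section_names": [s[0] for s in sections],
        "upx_section_names": any(s[0].startswith("UPX") for s in sections),
        "upx_magic_in_header": b"UPX!" in header_padding,
        # Unpack-destination section: reserved in memory, nothing on disk.
        "empty_raw_section": any(vsize and not raw_size for _n, vsize, raw_size, _r in sections),
        "max_entropy": max(entropies.values(), default=0.0),
    }


def is_upx_packed(data: bytes) -> bool:
    """Stock UPX: the marker is enough. Modified UPX: fall back to the structural fingerprint."""
    ind = upx_indicators(data)
    structural = ind["empty_raw_section"] and ind["max_entropy"] > 7.0
    return ind["upx_magic_in_header"] or ind["upx_section_names"] or structural


def build_pe(section_specs, header_tail: bytes = b"") -> bytes:
    """Constructed, non-executable PE32 skeleton used only to exercise the parser.
    section_specs: [(name, virtual_size, raw_bytes), ...]; header_tail lands after the table."""
    num = len(section_specs)
    headers_len = (DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + PE32_OPTIONAL_HEADER_SIZE
                   + num * SECTION_HEADER_SIZE + len(header_tail))
    size_of_headers = (headers_len + 0x1FF) & ~0x1FF          # round up to 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", DOS_HEADER_SIZE)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, num, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    opt = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 36, 0x200)                   # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)         # SizeOfHeaders
    table, body, raw_ptr, vaddr = b"", b"", size_of_headers, 0x1000
    for name, vsize, raw in section_specs:
        raw_size = len(raw)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, raw_size,
                             raw_ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += raw_size
        vaddr += (max(vsize, raw_size) + 0xFFF) & ~0xFFF
    head = dos + b"PE\0\0" + coff + bytes(opt) + table + header_tail
    return head + b"\0" * (size_of_headers - len(head)) + body


# Constructed samples (seeded PRNG stands in for compressed data; not real malware).
_rng = random.Random(20220812)
UPX_SAMPLE = build_pe(
    [(b"UPX0", 0x8000, b""), (b"UPX1", 0x1000, _rng.randbytes(4096)), (b".rsrc", 0x200, b"\0" * 512)],
    header_tail=b"UPX!" + b"\0" * 12)
PLAIN_SAMPLE = build_pe(
    [(b".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 128), (b".data", 0x100, b"\0" * 256)])

if __name__ == "__main__":
    for label, blob in (("upx-like", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, is_upx_packed(blob), upx_indicators(blob))
```

The marker and the section names are the cheap checks and are exactly what a "modified UPX" build strips; the empty-raw-section plus high-entropy-section pair is harder to remove without changing the stub, which is why a packer signature should report both classes of evidence rather than a single boolean.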

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
    "C:\Users\Admin\AppData\Local\Temp\b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe"
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1164
    • \??\c:\Program Files114S2I.exe
      "c:\Program Files114S2I.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1936
    • C:\Windows\SysWOW64\WScript.Exe
      WScript.Exe jies.bak.vbs
      2⤵
      • Deletes itself
      PID:1668

Network

  • DNS
    dl.kanlink.cn
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    dl.kanlink.cn
    IN A
    Response

  • Flows

    Remote address      Domain                  Proto  Process       Sent   Received  Pkts sent  Pkts recv
    204.79.197.200:443  ieonline.microsoft.com         iexplore.exe  152 B            3
    204.79.197.200:443  ieonline.microsoft.com  tls    iexplore.exe  739 B  7.6kB     8          11
    8.8.8.8:53          dl.kanlink.cn           dns    IEXPLORE.EXE  59 B   112 B     1          1

    DNS Request

    dl.kanlink.cn

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files114S2I.exe

    Filesize

    10KB

    MD5

    409a6e08d8d73dd171baa5a76d73a83d

    SHA1

    f1daa273f03066081d5d0102d306afa82f2b58ad

    SHA256

    a7ef14542196e90cc7bc7e71b74fb1bf3ddf6bae0a3b65f0e0e2fda19668c4e1

    SHA512

    9a5e2d66383c320a26c84cd108c546e9bb5936fe373e036a4c983fb09680fac11f98f811fe2d8f053036bc719037e8057a06fdacabbaec1219faf682b30963e0

  • C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

    Filesize

    486B

    MD5

    e54d1c02c487a883fc9825d3fd8f86d1

    SHA1

    403e8640d815494766e4fb71a447a330aa10c54b

    SHA256

    e5f16a7d0aa26df9c87925c43fbfe051f821d6a0a86efa27ba6b25f662579313

    SHA512

    1873b1e510b6ab557e177b5bc29832286af118fe0b0994a1cc3ab3a275cd6dc1ca77f32772d252a9d58e6573e81b9d8da1c0a045d3fc2c3eb7f9412dfdb7e1bf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U0KMTIPQ.txt

    Filesize

    601B

    MD5

    78df768f9c0be0da1c710550a370ab8f

    SHA1

    9db52d5866d6acd0de385b780738f3ac25d2fe5d

    SHA256

    d5eab7ed7fb56fdfef2761de7e49da65acdea49c229c7f47bfb584116f6dae48

    SHA512

    992681b66e0f4d37b36e0fc6d32fd2a7710d58f3cf2d671d3c3080167d8e95522185bfd8c24219b4162d624f007faf1025cf40fcd8d86a9e44ed9bceaaf7739c

  • memory/1164-56-0x0000000075C61000-0x0000000075C63000-memory.dmp

    Filesize

    8KB

  • memory/1164-61-0x00000000002A0000-0x00000000002AA000-memory.dmp

    Filesize

    40KB

  • memory/1164-62-0x00000000002A0000-0x00000000002AA000-memory.dmp

    Filesize

    40KB

  • memory/1164-64-0x00000000002A0000-0x00000000002AA000-memory.dmp

    Filesize

    40KB

  • memory/1164-68-0x00000000002A0000-0x00000000002A6000-memory.dmp

    Filesize

    24KB

  • memory/1652-63-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/1652-65-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB
