Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

plugx/4094...ba.exe

windows7-x64

7

plugx/4094...ba.exe

windows10-2004-x64

7

plugx/5a94...11.exe

windows7-x64

1

plugx/5a94...11.exe

windows10-2004-x64

1

plugx/8df2...43.exe

windows7-x64

10

plugx/8df2...43.exe

windows10-2004-x64

10

plugx/9aff...0d.exe

windows7-x64

1

plugx/9aff...0d.exe

windows10-2004-x64

1

plugx/a2a0...5d.exe

windows7-x64

1

plugx/a2a0...5d.exe

windows10-2004-x64

1

plugx/a8e2...a3.exe

windows7-x64

10

plugx/a8e2...a3.exe

windows10-2004-x64

10

plugx/ac75...f2.exe

windows7-x64

7

plugx/ac75...f2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/04/2023, 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    plugx/4094db927542c7b1d4a770d30231fcc34687a47058821001f4a46808692fcdba.exe

  • Size

    665KB

  • MD5

    6741ad202dcef693dceb98b0a10c49fc

  • SHA1

    b1e8ba2c12908c338a1b38c61cc7dab17015bd01

  • SHA256

    4094db927542c7b1d4a770d30231fcc34687a47058821001f4a46808692fcdba

  • SHA512

    1a6f82a5ea41d72b1493ab5cf358249b8018e4cdebe15d6a2f63e202a092779a5f40647bac0b0f9d8556383160b82add9a6205a84aaf43eeb30922761a034f49

  • SSDEEP

    12288:n1IIZygwpE/1UZyMYUkUJIh8E2tFNgw/nK6iUDbD/W/TQ2Y6s/z:nuIIgN1UZp/Ja52tEKnK6pfKLQ2Y6s7

Score
7/10
aspackv2

Malware Config

Signatures

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Unexpected DNS network traffic destination 10 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\plugx\4094db927542c7b1d4a770d30231fcc34687a47058821001f4a46808692fcdba.exe
    "C:\Users\Admin\AppData\Local\Temp\plugx\4094db927542c7b1d4a770d30231fcc34687a47058821001f4a46808692fcdba.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Local\Temp\maze-game.exe
      "C:\Users\Admin\AppData\Local\Temp\maze-game.exe"
      2⤵
      • Executes dropped EXE
      PID:1464
    • C:\Users\Admin\AppData\Local\Temp\mazegame.exe
      "C:\Users\Admin\AppData\Local\Temp\mazegame.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\ProgramData\Microsoft PA\SxS.exe
        "C:\ProgramData\Microsoft PA\SxS.exe" 100 1868
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4832
    • C:\Users\Admin\AppData\Local\Temp\ctfmno.exe
      "C:\Users\Admin\AppData\Local\Temp\ctfmno.exe"
      2⤵
      • Executes dropped EXE
      PID:2092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 228
        3⤵
        • Program crash
        PID:5104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2092 -ip 2092
    1⤵
      PID:4936
    • C:\ProgramData\Microsoft PA\SxS.exe
      "C:\ProgramData\Microsoft PA\SxS.exe" 200 0
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe 201 0
        2⤵
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3680
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\system32\msiexec.exe 300 3680
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3292

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft PA\SxS.exe
      Filesize

      146KB

      MD5

      b9932e02979acc7f4052362925484223

      SHA1

      483920d4c81f3383a01e76ca8c21f8eaed728d03

      SHA256

      8769beb0878f1a283749477d74aa817c33b00f01eb7f5b5ca2024753a8222ab5

      SHA512

      6a0776de45e58bc685b998cd4e769b4a4f2d95b84ee5a5b42e7f502e36b14dff0231dfe797a81c5e1d292d2b7217c1823214c2b3799cb288c3c744bc1834f488

      Download Submit

    • C:\ProgramData\Microsoft PA\SxS.exe
      Filesize

      146KB

      MD5

      b9932e02979acc7f4052362925484223

      SHA1

      483920d4c81f3383a01e76ca8c21f8eaed728d03

      SHA256

      8769beb0878f1a283749477d74aa817c33b00f01eb7f5b5ca2024753a8222ab5

      SHA512

      6a0776de45e58bc685b998cd4e769b4a4f2d95b84ee5a5b42e7f502e36b14dff0231dfe797a81c5e1d292d2b7217c1823214c2b3799cb288c3c744bc1834f488

      Download Submit

    • C:\ProgramData\Microsoft PA\SxS.exe
      Filesize

      146KB

      MD5

      b9932e02979acc7f4052362925484223

      SHA1

      483920d4c81f3383a01e76ca8c21f8eaed728d03

      SHA256

      8769beb0878f1a283749477d74aa817c33b00f01eb7f5b5ca2024753a8222ab5

      SHA512

      6a0776de45e58bc685b998cd4e769b4a4f2d95b84ee5a5b42e7f502e36b14dff0231dfe797a81c5e1d292d2b7217c1823214c2b3799cb288c3c744bc1834f488

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ctfmno.exe
      Filesize

      9KB

      MD5

      6d5522331c533a6634d975f25f915530

      SHA1

      baaefe3b88830bca380721dfa3e57967788f3423

      SHA256

      6595dbbb8d327d766cdb0228d6f4ac6a8ff1320884c54caf9ca4ee0b4845c6d8

      SHA512

      4d509c768d4d90957a04e285c31dc8f4083403d650bf0215b0af445b20a9941624bb0aaa54a999da57c56c21ef87930b2d4ab54a0c9063a0f0a7ce0f67aca7db

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ctfmno.exe
      Filesize

      9KB

      MD5

      6d5522331c533a6634d975f25f915530

      SHA1

      baaefe3b88830bca380721dfa3e57967788f3423

      SHA256

      6595dbbb8d327d766cdb0228d6f4ac6a8ff1320884c54caf9ca4ee0b4845c6d8

      SHA512

      4d509c768d4d90957a04e285c31dc8f4083403d650bf0215b0af445b20a9941624bb0aaa54a999da57c56c21ef87930b2d4ab54a0c9063a0f0a7ce0f67aca7db

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ctfmno.exe
      Filesize

      9KB

      MD5

      6d5522331c533a6634d975f25f915530

      SHA1

      baaefe3b88830bca380721dfa3e57967788f3423

      SHA256

      6595dbbb8d327d766cdb0228d6f4ac6a8ff1320884c54caf9ca4ee0b4845c6d8

      SHA512

      4d509c768d4d90957a04e285c31dc8f4083403d650bf0215b0af445b20a9941624bb0aaa54a999da57c56c21ef87930b2d4ab54a0c9063a0f0a7ce0f67aca7db

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\maze-game.exe
      Filesize

      458KB

      MD5

      469d266169ab4c2604c712c472b75bd7

      SHA1

      55f62b009ea046f5116a900b716eb3e432b3bf3d

      SHA256

      038f458a2389182590abfc557e02f423533a564e110f9fc72af6a47d1d162fd7

      SHA512

      2560d2a1cdacc6554a1202057c3d9bad5aee3d1cdfc1b254ec5160e81189cb4a22031d0b54704dd5abbe1323c0e4468e78196f093bae55c40aa38b03b011b898

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\maze-game.exe
      Filesize

      458KB

      MD5

      469d266169ab4c2604c712c472b75bd7

      SHA1

      55f62b009ea046f5116a900b716eb3e432b3bf3d

      SHA256

      038f458a2389182590abfc557e02f423533a564e110f9fc72af6a47d1d162fd7

      SHA512

      2560d2a1cdacc6554a1202057c3d9bad5aee3d1cdfc1b254ec5160e81189cb4a22031d0b54704dd5abbe1323c0e4468e78196f093bae55c40aa38b03b011b898

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\maze-game.exe
      Filesize

      458KB

      MD5

      469d266169ab4c2604c712c472b75bd7

      SHA1

      55f62b009ea046f5116a900b716eb3e432b3bf3d

      SHA256

      038f458a2389182590abfc557e02f423533a564e110f9fc72af6a47d1d162fd7

      SHA512

      2560d2a1cdacc6554a1202057c3d9bad5aee3d1cdfc1b254ec5160e81189cb4a22031d0b54704dd5abbe1323c0e4468e78196f093bae55c40aa38b03b011b898

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mazegame.exe
      Filesize

      146KB

      MD5

      b9932e02979acc7f4052362925484223

      SHA1

      483920d4c81f3383a01e76ca8c21f8eaed728d03

      SHA256

      8769beb0878f1a283749477d74aa817c33b00f01eb7f5b5ca2024753a8222ab5

      SHA512

      6a0776de45e58bc685b998cd4e769b4a4f2d95b84ee5a5b42e7f502e36b14dff0231dfe797a81c5e1d292d2b7217c1823214c2b3799cb288c3c744bc1834f488

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mazegame.exe
      Filesize

      146KB

      MD5

      b9932e02979acc7f4052362925484223

      SHA1

      483920d4c81f3383a01e76ca8c21f8eaed728d03

      SHA256

      8769beb0878f1a283749477d74aa817c33b00f01eb7f5b5ca2024753a8222ab5

      SHA512

      6a0776de45e58bc685b998cd4e769b4a4f2d95b84ee5a5b42e7f502e36b14dff0231dfe797a81c5e1d292d2b7217c1823214c2b3799cb288c3c744bc1834f488

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mazegame.exe
      Filesize

      146KB

      MD5

      b9932e02979acc7f4052362925484223

      SHA1

      483920d4c81f3383a01e76ca8c21f8eaed728d03

      SHA256

      8769beb0878f1a283749477d74aa817c33b00f01eb7f5b5ca2024753a8222ab5

      SHA512

      6a0776de45e58bc685b998cd4e769b4a4f2d95b84ee5a5b42e7f502e36b14dff0231dfe797a81c5e1d292d2b7217c1823214c2b3799cb288c3c744bc1834f488

      Download Submit

    • memory/1464-181-0x0000000000400000-0x0000000000599000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1464-206-0x0000000000400000-0x0000000000599000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1868-185-0x0000000002620000-0x000000000264E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1868-182-0x00000000025B0000-0x00000000025CB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1868-174-0x0000000002620000-0x000000000264E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2092-183-0x0000000000400000-0x00000000004090B0-memory.dmp

      Filesize

      36KB

      Download

    • memory/3292-205-0x0000000002750000-0x000000000277E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3292-204-0x00000000008D0000-0x00000000008D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3292-203-0x0000000002750000-0x000000000277E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-201-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-200-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-192-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-190-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-189-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-193-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-195-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-197-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-198-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-196-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-199-0x00000000010D0000-0x00000000010D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3680-223-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-217-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-211-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-210-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3680-207-0x00000000016D0000-0x00000000016FE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4416-186-0x0000000000F40000-0x0000000000F6E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4416-188-0x0000000000F40000-0x0000000000F6E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4416-191-0x0000000000F40000-0x0000000000F6E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4708-173-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4832-180-0x0000000002320000-0x000000000234E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4832-187-0x0000000002320000-0x000000000234E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4832-202-0x0000000002320000-0x000000000234E000-memory.dmp

      Filesize

      184KB

      Download