Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

WeChatBackup.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    1007s
  • max time network
    1010s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2023, 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WeChatBackup.exe

  • Size

    4.6MB

  • MD5

    f81556b4227fcbbec8dc7bf92c829c51

  • SHA1

    8b3101ea19f929b5e9d90efc0c7693962fa33fa3

  • SHA256

    35c91f63fa6179ffcd6def655a2fc07e38ac7145a355c2077fac1b3c19ff6a87

  • SHA512

    ba18ddb9ada8e39e37411c28824dc2b4f253224cb63517f5092edc0208e43fdaa82a867d6b24a6b71a4b0c374aebdf17a9920f6cc20b92028b1cda0730a09701

  • SSDEEP

    98304:gFZocjOYCIossQIyn2mz/AqrKHUzJbE6UE4LqCk1n+hAcTOGa672e97OLG:5cjOY9os7rz4qrKHUzJblg21nkAzGaaN

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WeChatBackup.exe
    "C:\Users\Admin\AppData\Local\Temp\WeChatBackup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeChatBackup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeChatBackup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\SYSTEM32\netsh.exe
        "netsh" advfirewall set publicprofile state on
        3⤵
        • Modifies Windows Firewall
        PID:2216
      • C:\Windows\SYSTEM32\netsh.exe
        "netsh" advfirewall set privateprofile state on
        3⤵
        • Modifies Windows Firewall
        PID:2812
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3496

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dll
      Filesize

      693KB

      MD5

      8a1f06f3f45464074671ba3aafba9f55

      SHA1

      00bfa8339b930ae75d8a06613c863ca2b0562e60

      SHA256

      f3ffd3f5da520b4162fea7e0d7e2cbc45b15c403735396593dd1a0624288583c

      SHA512

      3e2370b54b88b254dc9d2860dc3314b923e369ad259dc63d19b256c7606b0951c503497930ee96eb836b89273b04700409e45d53f3b567dfb9ae162fe9138ad0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeChatBackup.exe
      Filesize

      7.5MB

      MD5

      f9ee05e4dc9e90824153af14dc91df2f

      SHA1

      f68018eccc58f1f6d31a6a524c57ee1c1993b36f

      SHA256

      91515fe467f247063e84ffc1d993e37482eb2779108c30fc87c382fedcea47b4

      SHA512

      a96ad6a2ac9dca1219b7fef504242344e4f3e7297086a493d73a950dd29dc0530c6dbbfef32717524642b41733f22b4f3cc282cd3df919414fe77c09ef6304f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeChatBackup.exe
      Filesize

      7.5MB

      MD5

      f9ee05e4dc9e90824153af14dc91df2f

      SHA1

      f68018eccc58f1f6d31a6a524c57ee1c1993b36f

      SHA256

      91515fe467f247063e84ffc1d993e37482eb2779108c30fc87c382fedcea47b4

      SHA512

      a96ad6a2ac9dca1219b7fef504242344e4f3e7297086a493d73a950dd29dc0530c6dbbfef32717524642b41733f22b4f3cc282cd3df919414fe77c09ef6304f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeChatBackup.exe
      Filesize

      7.5MB

      MD5

      f9ee05e4dc9e90824153af14dc91df2f

      SHA1

      f68018eccc58f1f6d31a6a524c57ee1c1993b36f

      SHA256

      91515fe467f247063e84ffc1d993e37482eb2779108c30fc87c382fedcea47b4

      SHA512

      a96ad6a2ac9dca1219b7fef504242344e4f3e7297086a493d73a950dd29dc0530c6dbbfef32717524642b41733f22b4f3cc282cd3df919414fe77c09ef6304f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeChatBackup.exe.config
      Filesize

      189B

      MD5

      9dbad5517b46f41dbb0d8780b20ab87e

      SHA1

      ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

      SHA256

      47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

      SHA512

      43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

      Download Submit

    • memory/2904-200-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-208-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-201-0x000001A4437C0000-0x000001A4437C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2904-202-0x000001A4461B0000-0x000001A4461E8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2904-203-0x000001A4437E0000-0x000001A4437EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2904-204-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-205-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-206-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-207-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-199-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-209-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-210-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-211-0x000001A4437F0000-0x000001A443800000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2904-198-0x000001A426FD0000-0x000001A427754000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2904-213-0x000001A4471D0000-0x000001A447282000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2904-214-0x000001A447180000-0x000001A4471A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2904-219-0x000001A4467E0000-0x000001A4467EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2904-220-0x000001A446880000-0x000001A4468A6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2904-221-0x000001A446860000-0x000001A446868000-memory.dmp

      Filesize

      32KB

      Download