Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
3Dump/dump1.exe
windows7-x64
3Dump/dump1.exe
windows10-2004-x64
3Original/9...6f.exe
windows7-x64
7Original/9...6f.exe
windows10-2004-x64
7Original/D...12.scr
windows7-x64
7Original/D...12.scr
windows10-2004-x64
7Original/b...12.exe
windows7-x64
7Original/b...12.exe
windows10-2004-x64
7Original/chqpl.exe
windows7-x64
7Original/chqpl.exe
windows10-2004-x64
7Original/d...4a.exe
windows7-x64
7Original/d...4a.exe
windows10-2004-x64
7Original/f...14.exe
windows7-x64
7Original/f...14.exe
windows10-2004-x64
7Original/l...25.exe
windows7-x64
7Original/l...25.exe
windows10-2004-x64
3Original/p...b9.dll
windows7-x64
8Original/p...b9.dll
windows10-2004-x64
8Unpacked/D...ed.exe
windows7-x64
7Unpacked/D...ed.exe
windows10-2004-x64
7Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
13/07/2023, 23:11
Static task
static1
Behavioral task
behavioral1
Sample
Dump/dump1.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral2
Sample
Dump/dump1.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Original/999bc5e16312db6abff5f6c9e54c546f.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral4
Sample
Original/999bc5e16312db6abff5f6c9e54c546f.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Original/Document-772976_829712.scr
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral6
Sample
Original/Document-772976_829712.scr
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Original/b44634d90a9ff2ed8a9d0304c11bf612.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral8
Sample
Original/b44634d90a9ff2ed8a9d0304c11bf612.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Original/chqpl.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral10
Sample
Original/chqpl.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Original/dd207384b31d118745ebc83203a4b04a.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral12
Sample
Original/dd207384b31d118745ebc83203a4b04a.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Original/fax_390392029_072514.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral14
Sample
Original/fax_390392029_072514.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Original/loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral16
Sample
Original/loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Original/payload_f8eccfebda8a1e0caabbe23a8b94d7ced980353a9b3673a4173e24958a3bdbb9.dll
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral18
Sample
Original/payload_f8eccfebda8a1e0caabbe23a8b94d7ced980353a9b3673a4173e24958a3bdbb9.dll
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Unpacked/Dyre_Unpacked.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral20
Sample
Unpacked/Dyre_Unpacked.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
General
-
Target
Original/loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe
-
Size
313KB
-
MD5
2f08d1f1b1968be7f9669e2ff94dea76
-
SHA1
168befbd8691891fc9a983da90a80bff0aa79cb1
-
SHA256
9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25
-
SHA512
3dc06215caeff44944f577a5040a7f5ea89c16988021dd34dd914c110cd82052b4e4e8a1190568ed1bda89887bc4b132ac965818406b652c91a30acfc3b0ec5a
-
SSDEEP
6144:ixxjPBn35E+ZXJtWc/yx1kk5NiIm4ALtvhwhz1m9r8:iTrZpEePWQyx5fiIm4otZm
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2292 PExbsodKQJbcNlY.exe -
Executes dropped EXE 2 IoCs
pid Process 2548 PExbsodKQJbcNlY.exe 2292 PExbsodKQJbcNlY.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 icanhazip.com -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2758H5M.txt Process not Found File created C:\Windows\system32\config\systemprofile\AppData\Local\nw9vbe8cb5.dll Process not Found File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\nw9vbe8cb5.dll Process not Found File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat Process not Found File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\P3Q0PAMD.txt Process not Found File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\P3Q0PAMD.txt Process not Found -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2336 set thread context of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2548 set thread context of 2292 2548 PExbsodKQJbcNlY.exe 30 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\PExbsodKQJbcNlY.exe loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Process not Found Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-33-77-af-f0-c9 Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-33-77-af-f0-c9\WpadDecisionReason = "1" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" Process not Found Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9256226-FFA7-4BA2-AEB0-017BFEA9A0F6} Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9256226-FFA7-4BA2-AEB0-017BFEA9A0F6}\WpadDecisionReason = "1" Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9256226-FFA7-4BA2-AEB0-017BFEA9A0F6}\WpadNetworkName = "Network 2" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9256226-FFA7-4BA2-AEB0-017BFEA9A0F6}\WpadDecision = "0" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-33-77-af-f0-c9\WpadDecision = "0" Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" Process not Found Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Process not Found Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9256226-FFA7-4BA2-AEB0-017BFEA9A0F6}\WpadDecisionTime = a04f6faddfb5d901 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9256226-FFA7-4BA2-AEB0-017BFEA9A0F6}\b6-33-77-af-f0-c9 Process not Found Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-33-77-af-f0-c9\WpadDecisionTime = a04f6faddfb5d901 Process not Found Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2760 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 2292 PExbsodKQJbcNlY.exe 2292 PExbsodKQJbcNlY.exe 2292 PExbsodKQJbcNlY.exe 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found 600 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2292 PExbsodKQJbcNlY.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2760 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe Token: SeDebugPrivilege 2292 PExbsodKQJbcNlY.exe Token: SeDebugPrivilege 600 Process not Found -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2336 wrote to memory of 2760 2336 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 28 PID 2760 wrote to memory of 2548 2760 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 29 PID 2760 wrote to memory of 2548 2760 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 29 PID 2760 wrote to memory of 2548 2760 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 29 PID 2760 wrote to memory of 2548 2760 loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe 29 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 2548 wrote to memory of 2292 2548 PExbsodKQJbcNlY.exe 30 PID 600 wrote to memory of 2904 600 Process not Found 32 PID 600 wrote to memory of 2904 600 Process not Found 32 PID 600 wrote to memory of 2904 600 Process not Found 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Original\loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe"C:\Users\Admin\AppData\Local\Temp\Original\loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\Original\loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe"C:\Users\Admin\AppData\Local\Temp\Original\loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\PExbsodKQJbcNlY.exeC:\Users\Admin\AppData\Local\Temp\Original\loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\PExbsodKQJbcNlY.exeC:\Users\Admin\AppData\Local\Temp\Original\loader_9b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25.exe4⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵PID:2904
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
313KB
MD52f08d1f1b1968be7f9669e2ff94dea76
SHA1168befbd8691891fc9a983da90a80bff0aa79cb1
SHA2569b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25
SHA5123dc06215caeff44944f577a5040a7f5ea89c16988021dd34dd914c110cd82052b4e4e8a1190568ed1bda89887bc4b132ac965818406b652c91a30acfc3b0ec5a
-
Filesize
313KB
MD52f08d1f1b1968be7f9669e2ff94dea76
SHA1168befbd8691891fc9a983da90a80bff0aa79cb1
SHA2569b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25
SHA5123dc06215caeff44944f577a5040a7f5ea89c16988021dd34dd914c110cd82052b4e4e8a1190568ed1bda89887bc4b132ac965818406b652c91a30acfc3b0ec5a
-
Filesize
313KB
MD52f08d1f1b1968be7f9669e2ff94dea76
SHA1168befbd8691891fc9a983da90a80bff0aa79cb1
SHA2569b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25
SHA5123dc06215caeff44944f577a5040a7f5ea89c16988021dd34dd914c110cd82052b4e4e8a1190568ed1bda89887bc4b132ac965818406b652c91a30acfc3b0ec5a
-
Filesize
313KB
MD52f08d1f1b1968be7f9669e2ff94dea76
SHA1168befbd8691891fc9a983da90a80bff0aa79cb1
SHA2569b313e9c79921b22b488a11344b280d4cec9dd09c2201f9e5aaf08a115650b25
SHA5123dc06215caeff44944f577a5040a7f5ea89c16988021dd34dd914c110cd82052b4e4e8a1190568ed1bda89887bc4b132ac965818406b652c91a30acfc3b0ec5a