Analysis
Max time kernel: 150s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20230824-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230824-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/08/2023, 00:02
Static task: static1
Behavioral task: behavioral1
Sample: 230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
Resource: win7-20230712-en
General
Target: 230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
Size: 11.7MB
MD5: fd9e7ea6f74e21c9e6cf676dd9160770
SHA1: 615377808bcb6679f1f71b024986e881cbf0cf1a
SHA256: 230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0
SHA512: d8a2eaf89e2ff13c5c19afaa94ce29c825ab9d4faf25a633720326b9ae107d4615f659f94cf8f5b13994aa784e0eb73ef3f9eb9cacfa51024b5cddae3a237421
SSDEEP: 196608:MqnkQ4DCXjHvNLwHsHxHt3k+B8DM5N8I6cu8U+Ii9XUH2/5alJKN8sdDLsAY9zc2:RtpL2sRN3GDsN8IRu0ZUWI9sdLsT9
Malware Config
Signatures

YARA rule matches (files)
  resource                                     yara_rule
  behavioral2/files/0x0006000000022fec-82.dat  aspack_v212_v242
  behavioral2/files/0x0006000000022fec-83.dat  aspack_v212_v242

Executes dropped EXE (2 IoCs)
  pid   Process
  4684  4pkUWZ5a6VZW98o.exe
  4260  王者荣耀-品牌.exe

YARA rule matches (memory)
  resource                                                            yara_rule
  behavioral2/memory/4260-87-0x0000000002530000-0x0000000002889000-memory.dmp  vmprotect
  behavioral2/memory/4260-90-0x0000000002530000-0x0000000002889000-memory.dmp  vmprotect
  behavioral2/memory/4260-96-0x0000000002530000-0x0000000002889000-memory.dmp  vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  4260  王者荣耀-品牌.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3712  230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
  3712  230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
  4260  王者荣耀-品牌.exe
  4260  王者荣耀-品牌.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4684  4pkUWZ5a6VZW98o.exe

Suspicious use of SendNotifyMessage (1 IoCs)
  pid   Process
  4684  4pkUWZ5a6VZW98o.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 3712 wrote to memory of 4684   3712  230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe  85
  PID 3712 wrote to memory of 4684   3712  230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe  85
  PID 3712 wrote to memory of 4684   3712  230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe  85
  PID 3712 wrote to memory of 4260   3712  230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe  87
  PID 3712 wrote to memory of 4260   3712  230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe  87
  PID 3712 wrote to memory of 4260   3712  230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe  87
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe"
  PID: 3712
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\ytool\4pkUWZ5a6VZW98o.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe" "C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe"
    PID: 4684
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe"
    PID: 4260
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 439B
  MD5: 41407233c8233dd556927cde31145e38
  SHA1: 893e76901234b5683a0f7eb028dbe652aa9d65c2
  SHA256: 95146a5fd6aabc6d591805592790bf1dedae2c35d25ab42337ecc02ecab7e60c
  SHA512: ec0ead6eba4e40b968a72110b9d0b262daeed1d9ecd171b861286995041676dcffc5c9ced5e1742dc70af1209979f6721ff917c16751dea01357cbce2bad5827

File 2
  Filesize: 4KB
  MD5: 2c603352540bf31bc028a491ed5ac63a
  SHA1: 2723016e9bb8c0557da40c0900bd2eb3241c0cba
  SHA256: 66ddb1fe8a6c44f1bd9819c0da121f3286055d039c9815cbc3351bb8a48fbf25
  SHA512: 834a42948caab20e7d4640e867e13f4d4f7c88905ff4d03ce35f127e4fd4e4196b69d9df4a7561d03f7989afbbe05cd895be78e67f8e0ccedaf5ada47f8b1455

File 3
  Filesize: 5.2MB
  MD5: ffc9503cf5d4a6e5c513aff68a9adf6f
  SHA1: ef78068718d75d231e3b1a3cf24d441aac39bd92
  SHA256: f8b96b2a7891264be9526c73a4d4bb3e91e79246c92cdab7bea2a8b5a316bee1
  SHA512: 67f9abc7351a25df6f64357e38d567d197ff9c9b3c39d341339ac0f3042affb27447a2d7fafb8330cd589777eebc094d3b1d7569685e12754702e89a672e35f0

File 4 (same content as File 3)
  Filesize: 5.2MB
  MD5: ffc9503cf5d4a6e5c513aff68a9adf6f
  SHA1: ef78068718d75d231e3b1a3cf24d441aac39bd92
  SHA256: f8b96b2a7891264be9526c73a4d4bb3e91e79246c92cdab7bea2a8b5a316bee1
  SHA512: 67f9abc7351a25df6f64357e38d567d197ff9c9b3c39d341339ac0f3042affb27447a2d7fafb8330cd589777eebc094d3b1d7569685e12754702e89a672e35f0

File 5
  Filesize: 2.2MB
  MD5: a102d21244a3bf2c643c86ab29b05c28
  SHA1: dee2ab47f19ddd9090a5550f635981ad3878e70f
  SHA256: ccb29ef2c870069b0d70e87a9bc2d00a3e8c2a774dc4bf9de5c3177784d7d032
  SHA512: 404ea322abc7cf5eb08814e12ba399744bfe69e04ab63f481b6a3559224d0e71964961560935ef3bf29486c66c365665502f0d6d83b3fdd10bf8afb2d51ecf3d

File 6 (same content as File 5)
  Filesize: 2.2MB
  MD5: a102d21244a3bf2c643c86ab29b05c28
  SHA1: dee2ab47f19ddd9090a5550f635981ad3878e70f
  SHA256: ccb29ef2c870069b0d70e87a9bc2d00a3e8c2a774dc4bf9de5c3177784d7d032
  SHA512: 404ea322abc7cf5eb08814e12ba399744bfe69e04ab63f481b6a3559224d0e71964961560935ef3bf29486c66c365665502f0d6d83b3fdd10bf8afb2d51ecf3d