Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

Everything...up.exe

windows7-x64

4

Everything...up.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/08/2023, 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Everything-1.4.1.1024.x64-Setup.exe

  • Size

    1.8MB

  • MD5

    5036e609163e98f3ac06d5e82b677df8

  • SHA1

    176db10a4cda7104f24eece2d87e1a664b7fb929

  • SHA256

    b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

  • SHA512

    40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

  • SSDEEP

    49152:W45XjhjuyXlt4+3oNBGsCornEsYwmve86irCrHEOP:W45XtjLVt4tJ/pmNHerv

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 7 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\Everything\Everything.exe
      "C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\Everything\Everything.exe" -install "C:\Program Files\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Program Files\Everything\Everything.exe
        "C:\Program Files\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0
        3⤵
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Modifies registry class
        PID:2684
    • C:\Program Files\Everything\Everything.exe
      "C:\Program Files\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1033
      2⤵
      • Executes dropped EXE
      PID:4160
    • C:\Program Files\Everything\Everything.exe
      "C:\Program Files\Everything\Everything.exe"
      2⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1376
  • C:\Program Files\Everything\Everything.exe
    "C:\Program Files\Everything\Everything.exe" -svc
    1⤵
    • Executes dropped EXE
    PID:3392
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3260
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
      PID:3620
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Everything\Everything.exe
        Filesize

        2.2MB

        MD5

        0170601e27117e9639851a969240b959

        SHA1

        7a4aee1910b84c6715c465277229740dfc73fa39

        SHA256

        35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

        SHA512

        3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

        Download Submit

      • C:\Program Files\Everything\Everything.exe
        Filesize

        2.2MB

        MD5

        0170601e27117e9639851a969240b959

        SHA1

        7a4aee1910b84c6715c465277229740dfc73fa39

        SHA256

        35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

        SHA512

        3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

        Download Submit

      • C:\Program Files\Everything\Everything.exe
        Filesize

        2.2MB

        MD5

        0170601e27117e9639851a969240b959

        SHA1

        7a4aee1910b84c6715c465277229740dfc73fa39

        SHA256

        35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

        SHA512

        3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

        Download Submit

      • C:\Program Files\Everything\Everything.exe
        Filesize

        2.2MB

        MD5

        0170601e27117e9639851a969240b959

        SHA1

        7a4aee1910b84c6715c465277229740dfc73fa39

        SHA256

        35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

        SHA512

        3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

        Download Submit

      • C:\Program Files\Everything\Everything.exe
        Filesize

        2.2MB

        MD5

        0170601e27117e9639851a969240b959

        SHA1

        7a4aee1910b84c6715c465277229740dfc73fa39

        SHA256

        35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

        SHA512

        3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

        Download Submit

      • C:\Program Files\Everything\Everything.exe
        Filesize

        2.2MB

        MD5

        0170601e27117e9639851a969240b959

        SHA1

        7a4aee1910b84c6715c465277229740dfc73fa39

        SHA256

        35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

        SHA512

        3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

        Download Submit

      • C:\Program Files\Everything\Everything.ini
        Filesize

        215B

        MD5

        b2b308d8c164f75bc11bccf7baf3df67

        SHA1

        6f1e5561268b2db5b46bb6f738c0f7a637fd6b6d

        SHA256

        f0969f438d2869641d8f76d5b9fd2b82c7232134a90972e96abb3783d1e2fbe5

        SHA512

        5cb56d715d35a33e5bbc7e7deb43e4f143e4193ae59282892fe72b82c66a21a62cec85222a9879d5126479a59b9a5e715568f4bb62040a4c03b706f1ebde9659

        Download Submit

      • C:\Program Files\Everything\Everything.lng
        Filesize

        912KB

        MD5

        ba118bdf7118802beea188727b155d5f

        SHA1

        20fe923ec91d13f03bdb171df2fe54772f86ebba

        SHA256

        270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471

        SHA512

        01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\Everything\Changes.txt
        Filesize

        18KB

        MD5

        1ebb92ac516db5077a0c851565b7a2cf

        SHA1

        9adabfbb11b070169429fd43a250285ee8881213

        SHA256

        e64b60048b375f0c7d4c1fb4329957a297f2e60c306ef9c380175ea7a42223d6

        SHA512

        3fba14d13a602937b8600c7d5cc8011f7369857be288510b142573e411b2296cdb3ce58beafdf268d04aa1c5130503a63ba38f87239fc7b0be2e0170bdfc86de

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\Everything\Everything.exe
        Filesize

        2.2MB

        MD5

        0170601e27117e9639851a969240b959

        SHA1

        7a4aee1910b84c6715c465277229740dfc73fa39

        SHA256

        35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

        SHA512

        3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\Everything\Everything.exe
        Filesize

        2.2MB

        MD5

        0170601e27117e9639851a969240b959

        SHA1

        7a4aee1910b84c6715c465277229740dfc73fa39

        SHA256

        35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

        SHA512

        3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\Everything\Everything.lng
        Filesize

        912KB

        MD5

        ba118bdf7118802beea188727b155d5f

        SHA1

        20fe923ec91d13f03bdb171df2fe54772f86ebba

        SHA256

        270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471

        SHA512

        01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\Everything\License.txt
        Filesize

        2KB

        MD5

        2d8c6b891bea32e7fa64b381cf3064c2

        SHA1

        495396d86c96fb1cfdf56cae7658149138056aa9

        SHA256

        2e017a9c091cf5293e978e796c81025dab6973af96cb8acd56a04ef29703550b

        SHA512

        03a520f4423da5ef158fb81c32cfff0def361cc4d2caa9cfa4d306136da047a80a6931249a6b9c42f9f2656a27391b7921a64e10baa7468c255bc48bd488a860

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\Everything\Uninstall.exe
        Filesize

        136KB

        MD5

        9619f283a8809f06d9f25818df792798

        SHA1

        c959694843937043b09da5189d50553aa6c24a6e

        SHA256

        f5e05a0afc32604d961f2c1b8e500d33018718c3a1d47cbc3f4a98fe0d0e9ca8

        SHA512

        cd84eb50fc8ad582e5b60f1fed3174564ef356673f6dbc71e14a8f07baa7efa28ec434aaa9594460364a15c006fa4c56ce27d58d687dcc765fe07d5caaa3b73e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions.dll
        Filesize

        15KB

        MD5

        ece25721125d55aa26cdfe019c871476

        SHA1

        b87685ae482553823bf95e73e790de48dc0c11ba

        SHA256

        c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

        SHA512

        4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions.dll
        Filesize

        15KB

        MD5

        ece25721125d55aa26cdfe019c871476

        SHA1

        b87685ae482553823bf95e73e790de48dc0c11ba

        SHA256

        c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

        SHA512

        4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions.dll
        Filesize

        15KB

        MD5

        ece25721125d55aa26cdfe019c871476

        SHA1

        b87685ae482553823bf95e73e790de48dc0c11ba

        SHA256

        c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

        SHA512

        4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions.dll
        Filesize

        15KB

        MD5

        ece25721125d55aa26cdfe019c871476

        SHA1

        b87685ae482553823bf95e73e790de48dc0c11ba

        SHA256

        c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

        SHA512

        4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions.dll
        Filesize

        15KB

        MD5

        ece25721125d55aa26cdfe019c871476

        SHA1

        b87685ae482553823bf95e73e790de48dc0c11ba

        SHA256

        c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

        SHA512

        4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions.ini
        Filesize

        1KB

        MD5

        9f0388112bbecae44a702f7c1794356f

        SHA1

        e6808a15a1a88fc17a3c32148c0426a72ac86afc

        SHA256

        1b7dc4712c7c29dcb38c6d1ba7cf8b6b1af8b72abb8fb5cfece234c00fe9bdfa

        SHA512

        436b14a62a2715037f394b3e4861216af21133d74103be0809432ab289fbe4bd83a8f4b8d9c8db435604098504a4d4460361379edeefcd19d2633a7589f21375

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions.ini
        Filesize

        1KB

        MD5

        2081aaf6d725858fbaa74d5da17fe277

        SHA1

        8f0c487c7ff24efb951c432914ba41844e360845

        SHA256

        5966ba0b943d3c9429b49659566833016894ee7a8b0661e11150551ec88176a9

        SHA512

        deae9bdc93949281952aca0ed06fe2d1758579ca5ed15c4e6af46ce072898b37dda0b1713e26c2ce3e95ba07ad77a6f5ca5abf3dda231114d939391368950da5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions.ini
        Filesize

        1KB

        MD5

        e2808f4be298a32ae279ee9ebacd0a0c

        SHA1

        b7929c346ba7a7aa690a766e4f70bc1d44f75460

        SHA256

        99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52

        SHA512

        a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions2.ini
        Filesize

        2KB

        MD5

        6839e21fc514f7a30f31c268df8dfd71

        SHA1

        306f040e16de8c6bcda6b30711f0fe4336a96e9a

        SHA256

        18f224446c85bcb310f0bcd557734d0ccf7b315568e5e8e0371abd0b1d898e68

        SHA512

        2ee6c610a61adfb2b70655011296fb79be0deda11eba8a98ab6845369fd3f9f3edea1adda88e60146f63d713ec096bf4a2c172287b674db7fa2cdbed25dd52bb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\InstallOptions2.ini
        Filesize

        2KB

        MD5

        b108837a7f56e2044d08d371f97913ec

        SHA1

        ebd78fe2f46d053b20e53889f64d469b8b9fff93

        SHA256

        d64ea51c9ed9bc1ce09227630351eac7d42e166647fcff1f4e58b2a32bfbb3ed

        SHA512

        fa1a4125ef5f026491699876f981307b5d757ff8df14c335e005dd39b952818a2ea390dea68d4956bfea4652a4437b1e9111697cf78df111b6e86d0c55e1fa37

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\LangDLL.dll
        Filesize

        5KB

        MD5

        68b287f4067ba013e34a1339afdb1ea8

        SHA1

        45ad585b3cc8e5a6af7b68f5d8269c97992130b3

        SHA256

        18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

        SHA512

        06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\System.dll
        Filesize

        12KB

        MD5

        cff85c549d536f651d4fb8387f1976f2

        SHA1

        d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

        SHA256

        8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

        SHA512

        531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\ioSpecial.ini
        Filesize

        1KB

        MD5

        0199674f66b21c7bd5a59ce3928a1028

        SHA1

        d1959fbd30a72e066fd33946eb5cd905bc5ec0e5

        SHA256

        0e5da0247f4745925e9c80df66dcf3b060352b3c50adbc3e13cd0723fa440e6d

        SHA512

        b7032e871cfbbbcae92c8bff59b2d4e3ad44698137e07e14be13c8f6d7e6636ddb1a5611723909b24fa3bbe54ea1756dab83492d0972b160019014e79aabffcc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\ioSpecial.ini
        Filesize

        1KB

        MD5

        9d8dc1f10c8e88ab6dfb00c6b428d02a

        SHA1

        b36e65c6807be093b15e62212cad725b61c48107

        SHA256

        059f3608df695ed32f48da6960ac66ba4abb80cd3c3083adb06312a6f3df1196

        SHA512

        97747ce6a919055efa08cea265b8b3f90e440435a1659605bb5a4fb74d0e5be2dc360d2eb7c60c4ff89c9edf8df7577fd62c8c233cae53ae38e8e5b378ba1de1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsq6F46.tmp\ioSpecial.ini
        Filesize

        1KB

        MD5

        6efc66683b90a40470e38718c650c028

        SHA1

        9f11af3155e9388f0e78d243b030998589e7e5e9

        SHA256

        77d2a63a4e1756268e774b14eb2ae222059927632c29c3bb2acb5448f222b532

        SHA512

        449aba2f7c3303daa4d8aa199c77a98ae50c23413145e6c1f3cf01b326dfc2dccfe416ec0983b1c75a3d71bb048ad73f77aaa248cab77a16278460035b811a16

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Everything\Everything.ini
        Filesize

        20KB

        MD5

        49b6ff446eddaf88ea08a7c16792952e

        SHA1

        c0dc334f467d867f0e1d3fabd555ebcac395fc8b

        SHA256

        2fb724dd202047575842ab8b47f7c395b06c84879af5a1cd5978b3a0111e3580

        SHA512

        77caea2889ef3c8396cf333e6f99656cf087ba69e20f86279cf415e9b3ef598a98a0a2bada407443910ef24b8d51602ef3d1504f3826f0f9837d07db488bab2b

        Download Submit