Analysis
max time kernel: 148s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2023, 02:16
Behavioral task behavioral1
Sample: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
Resource: win7-20230831-en
Behavioral task behavioral2
Sample: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
Resource: win10v2004-20230915-en
General
Target: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
Size: 1.9MB
MD5: 590b1a7d37d12106e1dbcfd063b23398
SHA1: 789e25388a35a54fcf3f956cd582fa5c4ab3f595
SHA256: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322
SHA512: 9c6736ee2181f91630e2208fd70f3097a6d590f3b1c822d6ad0e518d4643cf453269549435e693ff8cd6038cd1274c42d8bb4473e863fa7adb49f80f3aae9a96
SSDEEP: 49152:cP0K1HDEsdSiopguI125iZblH7PJdR0ebbau1m:y71HDEfHgB7PJdnw
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation (process: waike.exe)
Executes dropped EXE (2 IoCs)
  PID 4256: waike.exe
  PID 3648: v.exe
Loads dropped DLL (1 IoC)
  PID 3648: v.exe
yara_rule upx matched on the following resources:
  behavioral2/memory/376-0-0x0000000000400000-0x000000000085F000-memory.dmp
  behavioral2/memory/376-3-0x0000000000400000-0x000000000085F000-memory.dmp
  behavioral2/files/0x0008000000023042-4.dat
  behavioral2/files/0x0008000000023042-5.dat
  behavioral2/memory/376-7-0x0000000000400000-0x000000000085F000-memory.dmp
  behavioral2/memory/376-8-0x0000000000400000-0x000000000085F000-memory.dmp
  behavioral2/memory/4256-12-0x0000000000400000-0x000000000085F000-memory.dmp
  behavioral2/memory/4256-13-0x0000000000400000-0x000000000085F000-memory.dmp
  behavioral2/memory/4256-32-0x0000000000400000-0x000000000085F000-memory.dmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings (process: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings (process: waike.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 376: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
  PID 376: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
  PID 4256: waike.exe
  PID 4256: waike.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeRestorePrivilege (PID 3648, v.exe)
  Token: 35 (PID 3648, v.exe)
  Token: SeSecurityPrivilege (PID 3648, v.exe)
  Token: SeSecurityPrivilege (PID 3648, v.exe)
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 376: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
  PID 376: 663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
  PID 4256: waike.exe
  PID 4256: waike.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4256 wrote to memory of 3576 (PID 4256, waike.exe, procid_target 92)
  PID 4256 wrote to memory of 3576 (PID 4256, waike.exe, procid_target 92)
  PID 4256 wrote to memory of 3576 (PID 4256, waike.exe, procid_target 92)
  PID 4256 wrote to memory of 3648 (PID 4256, waike.exe, procid_target 96)
  PID 4256 wrote to memory of 3648 (PID 4256, waike.exe, procid_target 96)
  PID 4256 wrote to memory of 3648 (PID 4256, waike.exe, procid_target 96)
Processes
C:\Users\Admin\AppData\Local\Temp\663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe"
  PID: 376
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4976
C:\mina\waike.exe
  Command line: "C:\mina\waike.exe"
  PID: 4256
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
    PID: 3576
  Child: C:\Users\Public\xiaodaxzqxia\v.exe
    Command line: "C:\Users\Public\xiaodaxzqxia\v.exe" x 111 -y
    PID: 3648
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads