Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

everything.exe

windows7-x64

4

everything.exe

windows10-2004-x64

6

everything.exe

macos-10.15-amd64

1

Analysis

  • max time kernel
    122s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2023, 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    everything.exe

  • Size

    1.7MB

  • MD5

    f55d52d5d690a8e1b2df9217bc3ddfdf

  • SHA1

    0e45d3a28cc096dc7edc1208f7428d66335df11a

  • SHA256

    59f57803fa5235075c3e470e1006905a61236e491bb75a599d862cafcfbb529f

  • SHA512

    4101015760dd2b1d9cbf9586802e610bbe6f74b73bc5dbb4391417afe8fa20762a84b04cd15019b54107d8ad0e4fc523f25403482431dd53aec3d07a4b217941

  • SSDEEP

    49152:p4JJILzCkp/SzrIXKgltQlZ9mwm/PU5KLOR0qkM8+Ou1:p4IuzrIXltEDjm/PtLORlm01

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 7 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 15 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\everything.exe
    "C:\Users\Admin\AppData\Local\Temp\everything.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\Everything\Everything.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0"
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Program Files (x86)\Everything\Everything.exe
        "C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0
        3⤵
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Modifies registry class
        PID:1880
    • C:\Program Files (x86)\Everything\Everything.exe
      "C:\Program Files (x86)\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1033
      2⤵
      • Executes dropped EXE
      PID:3748
    • C:\Program Files (x86)\Everything\Everything.exe
      "C:\Program Files (x86)\Everything\Everything.exe"
      2⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1360
  • C:\Program Files (x86)\Everything\Everything.exe
    "C:\Program Files (x86)\Everything\Everything.exe" -svc
    1⤵
    • Executes dropped EXE
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Everything\Everything.exe
    Filesize

    1.7MB

    MD5

    a7067594451cab167a4f463be9d0209c

    SHA1

    1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5

    SHA256

    d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581

    SHA512

    8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

    Download Submit

  • C:\Program Files (x86)\Everything\Everything.exe
    Filesize

    1.7MB

    MD5

    a7067594451cab167a4f463be9d0209c

    SHA1

    1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5

    SHA256

    d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581

    SHA512

    8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

    Download Submit

  • C:\Program Files (x86)\Everything\Everything.exe
    Filesize

    1.7MB

    MD5

    a7067594451cab167a4f463be9d0209c

    SHA1

    1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5

    SHA256

    d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581

    SHA512

    8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

    Download Submit

  • C:\Program Files (x86)\Everything\Everything.exe
    Filesize

    1.7MB

    MD5

    a7067594451cab167a4f463be9d0209c

    SHA1

    1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5

    SHA256

    d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581

    SHA512

    8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

    Download Submit

  • C:\Program Files (x86)\Everything\Everything.exe
    Filesize

    1.7MB

    MD5

    a7067594451cab167a4f463be9d0209c

    SHA1

    1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5

    SHA256

    d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581

    SHA512

    8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

    Download Submit

  • C:\Program Files (x86)\Everything\Everything.exe
    Filesize

    1.7MB

    MD5

    a7067594451cab167a4f463be9d0209c

    SHA1

    1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5

    SHA256

    d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581

    SHA512

    8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

    Download Submit

  • C:\Program Files (x86)\Everything\Everything.ini
    Filesize

    215B

    MD5

    b2b308d8c164f75bc11bccf7baf3df67

    SHA1

    6f1e5561268b2db5b46bb6f738c0f7a637fd6b6d

    SHA256

    f0969f438d2869641d8f76d5b9fd2b82c7232134a90972e96abb3783d1e2fbe5

    SHA512

    5cb56d715d35a33e5bbc7e7deb43e4f143e4193ae59282892fe72b82c66a21a62cec85222a9879d5126479a59b9a5e715568f4bb62040a4c03b706f1ebde9659

    Download Submit

  • C:\Program Files (x86)\Everything\Everything.lng
    Filesize

    912KB

    MD5

    ba118bdf7118802beea188727b155d5f

    SHA1

    20fe923ec91d13f03bdb171df2fe54772f86ebba

    SHA256

    270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471

    SHA512

    01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\Everything\Changes.txt
    Filesize

    18KB

    MD5

    1ebb92ac516db5077a0c851565b7a2cf

    SHA1

    9adabfbb11b070169429fd43a250285ee8881213

    SHA256

    e64b60048b375f0c7d4c1fb4329957a297f2e60c306ef9c380175ea7a42223d6

    SHA512

    3fba14d13a602937b8600c7d5cc8011f7369857be288510b142573e411b2296cdb3ce58beafdf268d04aa1c5130503a63ba38f87239fc7b0be2e0170bdfc86de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\Everything\Everything.exe
    Filesize

    1.7MB

    MD5

    a7067594451cab167a4f463be9d0209c

    SHA1

    1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5

    SHA256

    d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581

    SHA512

    8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\Everything\Everything.exe
    Filesize

    1.7MB

    MD5

    a7067594451cab167a4f463be9d0209c

    SHA1

    1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5

    SHA256

    d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581

    SHA512

    8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\Everything\Everything.lng
    Filesize

    912KB

    MD5

    ba118bdf7118802beea188727b155d5f

    SHA1

    20fe923ec91d13f03bdb171df2fe54772f86ebba

    SHA256

    270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471

    SHA512

    01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\Everything\License.txt
    Filesize

    2KB

    MD5

    2d8c6b891bea32e7fa64b381cf3064c2

    SHA1

    495396d86c96fb1cfdf56cae7658149138056aa9

    SHA256

    2e017a9c091cf5293e978e796c81025dab6973af96cb8acd56a04ef29703550b

    SHA512

    03a520f4423da5ef158fb81c32cfff0def361cc4d2caa9cfa4d306136da047a80a6931249a6b9c42f9f2656a27391b7921a64e10baa7468c255bc48bd488a860

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\Everything\Uninstall.exe
    Filesize

    136KB

    MD5

    fc3732ef603b36055209652f749c1080

    SHA1

    bd8b0806abecf983c89814ab4dcbd3300a78fe88

    SHA256

    0deee0d9d6e140226de19047c0ab160ec957a6e4bf63bb1c058bac9f09c47874

    SHA512

    98ee82dfe67fa3d5fe2ae3977b959b0fb1277e5bdb320e7eca347771cd4ef8d8b99c6b3cefc0466347e8f49644386cc2d0f5f7a63eb5404a8371182bd880286f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    ece25721125d55aa26cdfe019c871476

    SHA1

    b87685ae482553823bf95e73e790de48dc0c11ba

    SHA256

    c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

    SHA512

    4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions.ini
    Filesize

    1KB

    MD5

    b7b6902a9af60ca0e28fbd74a231b57e

    SHA1

    95e4931e80c2e611c0fcaec144b53e33104fba89

    SHA256

    a3eeb863a1c6b50c55480a599ed2c53c21e235449ddc7c26836b9b5622fe560d

    SHA512

    1b392fa81795b434b65edaa00dd60a5b0258bc14c04718b65ec9c3225e020a6005db34cd6a180b427e3f0b1a7d9e9d204d141c52b6f0b9c10943d39a16c82b8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions.ini
    Filesize

    1KB

    MD5

    e76f78a30d7589b5455819ba6310915b

    SHA1

    7219300acff1cbdc0daac8e8f9c7ae6482480c4d

    SHA256

    7be4801f37c9476922593d85d79be1f9f65bba6c01e0f5964d867c72fccb6759

    SHA512

    0b03a9e0d6d4eb261c038338ba8c757b7b93daacc4457df4e37e8965b687b7eaea49ca0d97dd6ff15fdc57b3c91f34f17978fc7419bbff9167b47a3c0214d600

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions.ini
    Filesize

    1KB

    MD5

    e2808f4be298a32ae279ee9ebacd0a0c

    SHA1

    b7929c346ba7a7aa690a766e4f70bc1d44f75460

    SHA256

    99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52

    SHA512

    a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions2.ini
    Filesize

    2KB

    MD5

    a6634dd375de49a06ff7c8c65f03bb42

    SHA1

    2834f907bb17d0916cfd1285718695f866e319d6

    SHA256

    caf045fdf50d8706410dabb4b4db6edab64d09a1c4229854666c5fdcbc70f35d

    SHA512

    c2d65ed0b99084753447711ea46e2805017b51917851bc7b53a96e58c49b92acf9f3f32fdb9b68beea400050703785ef49f7d7bf77131cb683663375654b71e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions2.ini
    Filesize

    2KB

    MD5

    9a4ef48b0a9dfe171a8218015c9034da

    SHA1

    628898bac19cc0332a2e0c4372e750a0a031a372

    SHA256

    b560dff977ae96a0311caa396ad4d00ccd009b23b8110f73b6fd77f1d3741acf

    SHA512

    8fe98427d3da85c63588cca4c177c8d99987a93e61efcfe903d5da2aeefe09dd561b2828c683d3b5ca1c19f2a2a90f3f3ad345f31a127f54b739820e186065b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\InstallOptions2.ini
    Filesize

    2KB

    MD5

    dde562c8e219f2976a8ca8b1cd751b1f

    SHA1

    23abb823ee9352064c54ce7859eb2badb26aa572

    SHA256

    073a00c3c1b10abce1362e84e4238c4b530e256a755005603a3506a401cf2676

    SHA512

    1d64d39e83f3471a0df932b563f3da3c78e2066dce96c8b9ae8b77fc3b4ea52620ae5e099ddbcdfafe545d27df0fbf58ba26e83944f99db79a6f35499b242d12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    68b287f4067ba013e34a1339afdb1ea8

    SHA1

    45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    SHA256

    18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    SHA512

    06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\System.dll
    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    baf2ddcb49e7127968246f7936287d56

    SHA1

    0d585b4da2552918494aaf1c36ce6a741b69ccd4

    SHA256

    25402616890f01b8bc06c61fb846556a19c1b42a9762eb33b41fb1241a8c76d3

    SHA512

    a7ad0dbac59d29cc8120b61cf83db4e9720f79d146bd14a909268a4845a0b583442a30657abaaa772376869d949bda74ec11761024fd3f505aa2f61a38c9b53f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfB9AD.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    905e24d630966709173ce6ab57b4c586

    SHA1

    eb6275f53911fc8838f75ff30d308a60c2bcad0a

    SHA256

    25b58156a706d9d21b71fa5a19cc58ec8e7e22ac464fbf80f0d79cb48880479e

    SHA512

    74ddedf31cee4787fbfad6bc7285ec3f02fca0bcbc3a39d1e1c605f6acc505e72d25a6cb9fa92d18bee64f0460de869be910a6a0720b3ef8fc8848686f2f2904

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Everything\Everything.ini
    Filesize

    20KB

    MD5

    49b6ff446eddaf88ea08a7c16792952e

    SHA1

    c0dc334f467d867f0e1d3fabd555ebcac395fc8b

    SHA256

    2fb724dd202047575842ab8b47f7c395b06c84879af5a1cd5978b3a0111e3580

    SHA512

    77caea2889ef3c8396cf333e6f99656cf087ba69e20f86279cf415e9b3ef598a98a0a2bada407443910ef24b8d51602ef3d1504f3826f0f9837d07db488bab2b

    Download Submit