Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

Install.exe

windows7-x64

1

Install.exe

windows10-2004-x64

1

Setup_00.exe

windows7-x64

8

Setup_00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup_00.exe

  • Size

    1.2MB

  • MD5

    d59834b63e2b500a74130c07bb801ce6

  • SHA1

    2bb98af8a9f643d4ba1ec1b7166b197526e3c30a

  • SHA256

    c3c52be4316da1412f125ed5551a282ca977fb2764ad15074ec3bf91803e8678

  • SHA512

    89011e6bffb19121b2751b8cfe777bed8f5e898dcadf764f38d4726eebbbc5889874a7ee5c58ccbb77f268566807626845b815e71b7d7be0fa5d43b06e491ae4

  • SSDEEP

    24576:bPkPHxZN84YhACUpsjQ9XaqK/FSCwhSQoQWD7zBNDujvbOHMm:b6ODhAmWK/vXDPfHMm

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup_00.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup_00.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eToro_MusicOasisInstaller.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eToro_MusicOasisInstaller.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forextrading.exe
        Forextrading.exe
        3⤵
          PID:4028
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vd.exe
          vd.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1636
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\appsetup.exe
      "appsetup.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4936
    • C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe"
      1⤵
      • Executes dropped EXE
      PID:780
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1732
        2⤵
        • Program crash
        PID:4252
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2292
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:5008
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1208
      • C:\Windows\Explorer.Exe
        "C:\Windows\Explorer.Exe"
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4000
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 780 -ip 780
        1⤵
          PID:2972
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4028
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4740
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4768
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2484
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:5408

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC767.tmp
            Filesize

            15KB

            MD5

            1a545d0052b581fbb2ab4c52133846bc

            SHA1

            62f3266a9b9925cd6d98658b92adec673cbe3dd3

            SHA256

            557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

            SHA512

            bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PZ64U2GI\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
            Filesize

            36KB

            MD5

            0e2a09c8b94747fa78ec836b5711c0c0

            SHA1

            92495421ad887f27f53784c470884802797025ad

            SHA256

            0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

            SHA512

            61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer
            Filesize

            36KB

            MD5

            ab0262f72142aab53d5402e6d0cb5d24

            SHA1

            eaf95bb31ae1d4c0010f50e789bdc8b8e3116116

            SHA256

            20a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb

            SHA512

            bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133480360372168813.txt
            Filesize

            42KB

            MD5

            dae8ac8e9f8601711475d3b922cfbc2e

            SHA1

            c3cb9738b4e8e132817b4580586a8c873aa6b28b

            SHA256

            247a3481007bae110191c0abe9bba7731198cc7bfc0949dc665d5b12458e4613

            SHA512

            ac7ac71048777f189e0ef595873194e78ef42c88b88eb774a78a87db7183beb9f2b170ee759487e675106b692bd20ee95ae21566d8a1f8954a43c377b626784f

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133480360441345573.txt
            Filesize

            74KB

            MD5

            c09e63e4b960a163934b3c29f3bd2cc9

            SHA1

            d3a43b35c14ae2e353a1a15c518ab2595f6a0399

            SHA256

            308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

            SHA512

            5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UA6WZR2N\microsoft.windows[1].xml
            Filesize

            96B

            MD5

            b97f6e2cc1520a2e8426851cb68f3b0f

            SHA1

            33a930fe90facb202ec3cd87ca0275af9dd20155

            SHA256

            a3546f0c8e475abc90346821be3c3d67f522161ea876c3d14247ba6d79a2b5aa

            SHA512

            9b3771942ffce17a52d4c0598bd0d4bb8f196c8731e5b129524b3d9507d411895e4c43d84479f06e5fb28c3403d6b0ec63b97f3a3cdb598873d17fd637abd06a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forextrading.exe
            Filesize

            88KB

            MD5

            598f9afd28efe3a5a18c78a446f0de2a

            SHA1

            4deee6b34503405ad3ebd397c016a9d3feb87548

            SHA256

            393c880dce25c5d586b31e6b97e07421e0923f2865199be8e762eedf260cd048

            SHA512

            7c6764b70b44fad8a44b21a8c604123e767fa07097ecf5b3b02f29c230a32956abd0009b49c737a62aabffcb36f06e492b3e60e31abccee6384069cc4feb9dd0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forextrading.exe
            Filesize

            66KB

            MD5

            046d484a9daaa71c115497a20b6f7710

            SHA1

            6a57864a95d49e713aa8079fef3d3b63f56404f0

            SHA256

            4ec7624efa9f4c34648cd07b160dca0ac38719082f4f235b224b0496ec278d28

            SHA512

            fe502265c9f03733a0c9a1345aa653b711c7d3e1ee3e4577108c21a7d32cf43d6e5bd69511b3c036dfdf7d342480d972a5890fc2e21146aa41eb0655905eabf9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\appsetup.exe
            Filesize

            64KB

            MD5

            953b746b3f8ce65741184f8426eaa6c8

            SHA1

            80e3dbc5c052560ba640b6c3948b0e0108126097

            SHA256

            2a3b34923ef6c28010e7698fc766c6f78df6710436b3c64fcce56ee14d698242

            SHA512

            fdef73af2833ab97202e2ad53b739a76adbe0606da8afe47931319d495f6e5fc3b260cc8baa3918f1c98416db31a10d55a4d5188154080cb51d80ece98fa3a45

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\appsetup.exe
            Filesize

            48KB

            MD5

            7958ada374854f55e23755d649899255

            SHA1

            d22d13c5cab73853a072920d673eef3c334ca234

            SHA256

            4f28eec99c7c8cd616a9fb89b7f3a580991befe59e38c0b1b678f0c3820baf54

            SHA512

            4e449db1f22ecebda8aca9837da31cb2e81959d3c345aa2686942008cbb794bb6fe0ad149d9c053921bd58875cea6dd098dd67d57402af60f551cfbeb7285bf9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eToro_MusicOasisInstaller.exe
            Filesize

            68KB

            MD5

            0384c2fd3da1561307ed90feb4a3354a

            SHA1

            6cf354ebd4072289e01671268e0af93de507a5f8

            SHA256

            dd14d9f791bdce9f088d62a2dc1af19479acd953a99980088c58b8ac80770d95

            SHA512

            cf8f83a74e949adadd1922cd8a9a77467a1b10603f23edbca30300177864357790026f22a8699a32b4373dc19919c039a1a13f769cc3e0c8b31186367705be02

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eToro_MusicOasisInstaller.exe
            Filesize

            78KB

            MD5

            a8b99d92d616bf1d6983e389e769c8ad

            SHA1

            f955af82ce4dba4f180255d2119f7efdb672c4c6

            SHA256

            53747ccf95149df2a34e77669ba75e71e60121d7006951408e0843dd6faa8b86

            SHA512

            72afa4fbb5f89814197fb2b632d61f3f4deb54b8ba421f31e8ad732f21bc5013ca193af36cdaf0f2e83e6b518e5ae956b6603bedd3126d409ff63cfa5756d0b7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eToro_MusicOasisInstaller.exe
            Filesize

            71KB

            MD5

            f3a3190d7adeac3483de17734f78f1bb

            SHA1

            b296c887532729c920fb8772877e1f135706a34e

            SHA256

            53bc2736e0198549901d6c93faa4b709ac6e2d517f7549c7195cb17011fa09ed

            SHA512

            3206a5f7aaec7300f3d128551e17bc3b5221c1146f2dd888e4b7a9f54089159d7b0b28a1134d4d1d412201439ab57fd51ab48734a3808834560bab9b247457c3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vd.exe
            Filesize

            50KB

            MD5

            5e9015cf5ded25fa0e03f67d4d6e472e

            SHA1

            db44fdea94feae4a3df03d6ca966aeef86a9557e

            SHA256

            5ba4b4e98cc0f75e94c2f9e24ad0ce1be23c0d9ac0a022b90b96c8d304a4608a

            SHA512

            5e18f2948e984c61db186a16621c303338a10f733050b5362b5539c6b04a5e1e51a1f64553f2f7d00d40326e4e7a3b94d0f65a27a0561991c93490a026d4693b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\aut46BD.tmp
            Filesize

            76KB

            MD5

            4f372dff70949fa331d5ae41fa2f0a8c

            SHA1

            87fa0451654e2187ee343074f7c2b909ad99f61a

            SHA256

            5f1de230e4d46dbcc2936b8f3fdcc2dd897ab56ae95e0de9e7975d1b72271861

            SHA512

            e4427b41ef3b25427ae624f7224f4761b604d71a587cbe595df3329c485802ab5fdce597428ba385206452bb60111e25386f9b787b7b76f49767c7a2c966b861

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe
            Filesize

            72KB

            MD5

            5189c15387de17b627765ac3d8c9f34b

            SHA1

            e90de0b2158b02ef345b8bc3904a6eca1ee4a520

            SHA256

            a3d51693013624959c979dd4bcb6f7b84b0767294ac74463361eb47f39e125ac

            SHA512

            76138e0493f533f5654445a3999721935ad22613319f03b06146af609e987ba75839e663588878fcaa516e60915ff3677cdb1d8587655bcb287caff17f1a2ebd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe
            Filesize

            53KB

            MD5

            c71de96291d736f7e8bbdfba52faa0c9

            SHA1

            26da1aa80c9d1e75e3cddd21afb2ffc4029027fd

            SHA256

            a13d2847dab7c8d59563387f7ea09b3664abd43caf8ebb4d577a7e924f16037f

            SHA512

            3a6755325c8d72e902eaa60e70b2a230d25bde5873823c8429d00b3ddbd702e9edc3f452ba1121b0378bf74bfbd49a38f8353aa23b9bf3b6975a57a56412e689

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe
            Filesize

            53KB

            MD5

            a09b20387847019bdb827e2581a547dc

            SHA1

            57b21efb20ab2f9610a1cb115283ac1cb70c2b8a

            SHA256

            f7dd2c1bc7987fdb20f84c957cbd79b049a91719c345991642868ae93d256cda

            SHA512

            cdc9b7894f8a13c1f474ccaba67c2fd1223d49cb4b872efed0ffbdc2a36411279d4a44d680a23caf013e44c0dc3699ef0df47577580e9471de680893cc3b1e9e

            Download Submit

          • memory/1684-56-0x0000017D95A80000-0x0000017D95AA0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1684-54-0x0000017D95AC0000-0x0000017D95AE0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1684-60-0x0000017D95E90000-0x0000017D95EB0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2484-172-0x000001BA18960000-0x000001BA18980000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2484-170-0x000001BA18550000-0x000001BA18570000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2484-167-0x000001BA18590000-0x000001BA185B0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4000-47-0x0000000002980000-0x0000000002981000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4028-90-0x00000204C3F80000-0x00000204C3FA0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4028-94-0x00000204C4350000-0x00000204C4370000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4028-92-0x00000204C3F40000-0x00000204C3F60000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4740-112-0x00000170F1A50000-0x00000170F1A70000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4740-110-0x00000170F1640000-0x00000170F1660000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4740-108-0x00000170F1680000-0x00000170F16A0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4768-149-0x0000022D090C0000-0x0000022D090E0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4768-147-0x0000022D08CB0000-0x0000022D08CD0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4768-145-0x0000022D08CF0000-0x0000022D08D10000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4936-122-0x0000000000400000-0x00000000004A2000-memory.dmp

            Filesize

            648KB

            Download

          • memory/4936-33-0x0000000000400000-0x00000000004A2000-memory.dmp

            Filesize

            648KB

            Download