Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    15s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 04:30

General

  • Target

    543f94e0db26cd67c410ad93a39a1641.exe

  • Size

    1.8MB

  • MD5

    543f94e0db26cd67c410ad93a39a1641

  • SHA1

    cfe8c29608a786d77947eb64f510f0439bda255f

  • SHA256

    e158175f492800bb1e95b3adbeefcb4302ad273ee383bf71258ac251dc23e06e

  • SHA512

    ba3d784e987fc335a636e4c9ff25242f2225a9f0adeced2b8e5d237e3630745705316bcb8d1f55bb3232825d9e6ef1cd0b276def7deceb0fec80ad86d4134876

  • SSDEEP

    49152:hSV5acHAHVpS3NIPO836h7FmutmHgKJ4qtDzS:hSTgHVyNIq/mOV4Dm

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\543f94e0db26cd67c410ad93a39a1641.exe
    "C:\Users\Admin\AppData\Local\Temp\543f94e0db26cd67c410ad93a39a1641.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.81830.info/tg14.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2896
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:472078 /prefetch:2
        3⤵
        PID:1816
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ie.hi2220.info/ie.html
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2632
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.banshao.info
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2372
      • C:\Users\Public\Desktop\forqd340.exe
        "C:\Users\Public\Desktop\forqd340.exe"
        2⤵
        • Executes dropped EXE
        PID:1724
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3008
    • C:\Windows\regedit.exe
      "C:\Windows\regedit.exe" /s D:\55.reg
      1⤵
      • Runs .reg file with regedit
      PID:1060

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      e4d75f4d90583295206cbb2c9756c1ad

      SHA1

      091b1681814747f8342c0cb0c026d52656c1abd2

      SHA256

      794f7a9933e350ed845c6dacdd4262328181f86c32bc76401bf09e66f8af7eae

      SHA512

      ab617b701c927641ece3b9066e7ebab0a8b17d250a4f1bd4d378dbf781d3669780f55107fdeda00b62d717e5ed101cbaa17629a3ccd483a7a974ca242d062ee7

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E7A4511-A9BE-11EE-AFC4-6E556AB52A45}.dat

      Filesize

      3KB

      MD5

      c844c6bee1c938c89c4e96aed6a05ff9

      SHA1

      ce251fe0093802482cb707a148b02ce1459c8307

      SHA256

      f9b74b0a7e9b3076e5180b0156c6e7bfc45d355a72e2aed75d8cd4f0634b9034

      SHA512

      777e84b0528ad11e14d6fdbf0974b6dd6736280988e532c8a929d5aa0c19f5ef59f9b2125d8d354fefc4e3698e05cdd105cdf2ea59e4d0d4b3d952bf2908d58c

    • C:\Users\Admin\AppData\Local\Temp\Cab5515.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar5518.tmp

      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    • C:\Users\Administrator\Application Data\Tencent\AXSEF\AXSEF.exe

      Filesize

      2.0MB

      MD5

      87f65f68a64ff96a88531a833c364f3c

      SHA1

      6ad103c59cfc74bd209b2499f3c1d068e347f9d2

      SHA256

      0205dc4935a103ef873c189ff6fcb5424e15ee5dde632a7d3069e904b548b2be

      SHA512

      d05b851cf1d11a5125ca8ae99272fe6c7cf88ad769b0858ed60654fad971b8e30b462b6d9805e07ef83cc1bf716ee19e461284d62279a75ba2186a93aef144e2

    • C:\Users\Public\Desktop\forqd340.exe

      Filesize

      65KB

      MD5

      f56a9f4fb234f8e9d99d0d1f5df7a7c8

      SHA1

      537164ac2e818111ee88eedc0a1bb7e6e2892d52

      SHA256

      5a02a12be400b20af76972abc833223d42e7d0c5f707cac3979849ec3d8b330e

      SHA512

      7fad89eef202f074eb212cfa7afdd5c285a134dac5248a7407957eed73e8bc21fa8af8760d1e5da5bfd41ffe9564cb3af5075a87cded390132f602a0de182e63

    • memory/1708-500-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-0-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-501-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-96-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-510-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-513-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-514-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-833-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-954-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

    • memory/1708-955-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB