Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3ipchanger/...er.exe
windows7-x64
1ipchanger/...er.exe
windows10-2004-x64
1ipchanger/...er.exe
windows7-x64
7ipchanger/...er.exe
windows10-2004-x64
7ipchanger/...er.exe
windows7-x64
7ipchanger/...er.exe
windows10-2004-x64
1ipchanger/...32.dll
windows7-x64
1ipchanger/...32.dll
windows10-2004-x64
1Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
26/12/2023, 16:19
Static task
static1
Behavioral task
behavioral1
Sample
ipchanger/Ip Changer Updater.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ipchanger/Ip Changer Updater.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
ipchanger/Tibia MULTI-ip changer.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
ipchanger/Tibia MULTI-ip changer.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
ipchanger/UNinstaller.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
ipchanger/UNinstaller.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
ipchanger/comdlg32.dll
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
ipchanger/comdlg32.dll
Resource
win10v2004-20231222-en
General
-
Target
ipchanger/Tibia MULTI-ip changer.exe
-
Size
670KB
-
MD5
8fcdd21204741520303cecfdc682b07a
-
SHA1
377cf064e94c9fed35533b93f9a8ad5295da3093
-
SHA256
9b91731987dc0fc29e8a7162c75d290dee41e64881cfe023eecb59c6575b523c
-
SHA512
8ad5c175e3bd6450432b498c23df820fdb8e4ea02ecd7e669ccf032822cd0ba8c81ef875e51621af80b5fc22bced9dcde0c3dc1118fc6946f7432bf905cac546
-
SSDEEP
12288:WczJJhqrVPaUm8xAivTWU71T9b/KiGGgZgpgz+QtLUXhmIUSSz3QhX/Qb/5sbvj2:WczJqVSUm8WiLWUBTNKSt2zttsmIDhYd
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 3056 server_et.exe 2660 patch2.exe 2792 changer.exe 2804 mservice32_t.exe -
Loads dropped DLL 10 IoCs
pid Process 1032 Tibia MULTI-ip changer.exe 1032 Tibia MULTI-ip changer.exe 1032 Tibia MULTI-ip changer.exe 1032 Tibia MULTI-ip changer.exe 1032 Tibia MULTI-ip changer.exe 2660 patch2.exe 2660 patch2.exe 2660 patch2.exe 3056 server_et.exe 3056 server_et.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update mservice32_t.exe Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\UpdateT = "C:\\Users\\Admin\\AppData\\Roaming\\mservice32_t.exe" mservice32_t.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2792 changer.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1032 wrote to memory of 3056 1032 Tibia MULTI-ip changer.exe 28 PID 1032 wrote to memory of 3056 1032 Tibia MULTI-ip changer.exe 28 PID 1032 wrote to memory of 3056 1032 Tibia MULTI-ip changer.exe 28 PID 1032 wrote to memory of 3056 1032 Tibia MULTI-ip changer.exe 28 PID 1032 wrote to memory of 3056 1032 Tibia MULTI-ip changer.exe 28 PID 1032 wrote to memory of 3056 1032 Tibia MULTI-ip changer.exe 28 PID 1032 wrote to memory of 3056 1032 Tibia MULTI-ip changer.exe 28 PID 1032 wrote to memory of 2660 1032 Tibia MULTI-ip changer.exe 29 PID 1032 wrote to memory of 2660 1032 Tibia MULTI-ip changer.exe 29 PID 1032 wrote to memory of 2660 1032 Tibia MULTI-ip changer.exe 29 PID 1032 wrote to memory of 2660 1032 Tibia MULTI-ip changer.exe 29 PID 1032 wrote to memory of 2660 1032 Tibia MULTI-ip changer.exe 29 PID 1032 wrote to memory of 2660 1032 Tibia MULTI-ip changer.exe 29 PID 1032 wrote to memory of 2660 1032 Tibia MULTI-ip changer.exe 29 PID 1032 wrote to memory of 2792 1032 Tibia MULTI-ip changer.exe 30 PID 1032 wrote to memory of 2792 1032 Tibia MULTI-ip changer.exe 30 PID 1032 wrote to memory of 2792 1032 Tibia MULTI-ip changer.exe 30 PID 1032 wrote to memory of 2792 1032 Tibia MULTI-ip changer.exe 30 PID 1032 wrote to memory of 2792 1032 Tibia MULTI-ip changer.exe 30 PID 1032 wrote to memory of 2792 1032 Tibia MULTI-ip changer.exe 30 PID 1032 wrote to memory of 2792 1032 Tibia MULTI-ip changer.exe 30 PID 3056 wrote to memory of 2804 3056 server_et.exe 31 PID 3056 wrote to memory of 2804 3056 server_et.exe 31 PID 3056 wrote to memory of 2804 3056 server_et.exe 31 PID 3056 wrote to memory of 2804 3056 server_et.exe 31 PID 3056 wrote to memory of 2804 3056 server_et.exe 31 PID 3056 wrote to memory of 2804 3056 server_et.exe 31 PID 3056 wrote to memory of 2804 3056 server_et.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\ipchanger\Tibia MULTI-ip changer.exe"C:\Users\Admin\AppData\Local\Temp\ipchanger\Tibia MULTI-ip changer.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\server_et.exe"C:\Users\Admin\AppData\Local\Temp\server_et.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Roaming\mservice32_t.exe"C:\Users\Admin\AppData\Roaming\mservice32_t.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2804
-
-
-
C:\Users\Admin\AppData\Local\Temp\patch2.exe"C:\Users\Admin\AppData\Local\Temp\patch2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\changer.exe"C:\Users\Admin\AppData\Local\Temp\changer.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2792
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD563d8d7d597bc262644d9147bd4983e32
SHA118d08e1b59af89b02a94f668b7102d9851178410
SHA25632cb2a88ab9d41d10575932947bdf8d7980ba1f3c7c9518f9a6167fceb49d7bf
SHA5129cb69feb0ad2d773115df65da61a467b2e89fbe390121a785567bb85459c965a191cfc75b077c32424109e315dba5c6ef3606356885c6abae0b67cf53421c1ad
-
Filesize
312KB
MD583b79d240a3157357302e17f895e2d58
SHA1fcce0055cc1113794e6dec7759cade70e763cd82
SHA2561bee75b32f4f147b383eaaff17e75ac9bd6fadcf6459bad318da91bbbf7102b8
SHA512c0e8af359bcf21f2007b016558635259ce338cafebe0978cea385248d522006d4d68534ed06a023653181fedcc39148d16b5e7e2da2909be1e4128da92f610e4
-
Filesize
995KB
MD5972c3e6ac723963ebbb18ec833ddde74
SHA1e628d6f40ce4f8f59f4e634eb41b5912a179f89d
SHA25697f8eff31b84792b9e61200c36063de55cb6a97bfa1316abc845f7134cdb46c6
SHA512dc4e912ee41c4b0ee991a55d7fec028a6d7c0366e8b81a2c0cf13864a961c941df1eb6c3bb892535975fc68e2aea8b837d55dddb8e9534feaab128b68b6adf9f
-
Filesize
434KB
MD53f3706b29643416b0ee909b73a3508c0
SHA1c30dc47f34c0309b41652f4e05a72cf2b7483472
SHA25634b01578044d4cb8454176b5b916cf77503de18687201d94c171e01c5a256774
SHA5122c65970c95f4d058fd50b5c64f0ac236c45ac5d5340f0ffe39c24c7c0a6629220806a9c21d76db0912f04465ae1ecd27fe24275a9388a083d4ddd3ccac60240f