Analysis
- max time kernel: 148s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 06:00
Behavioral tasks
- behavioral1: HH_OODefragV10_LY.exe on win7-20231215-en
- behavioral2: HH_OODefragV10_LY.exe on win10v2004-20231215-en
- behavioral3: KeyGen.exe on win7-20231215-en
- behavioral4: KeyGen.exe on win10v2004-20231222-en
- behavioral5: 新云软件.url on win7-20231215-en
- behavioral6: 新云软件.url on win10v2004-20231215-en
General
- Target: HH_OODefragV10_LY.exe
- Size: 19.3MB
- MD5: 67f81daa0c91fc86467e2c3b437ab2d4
- SHA1: d1f1944e9ea5fcfd9f551987bc53da4f07041098
- SHA256: 69135826d920f833561db730919451d3253dab4c3e46d2bc33df47eb94e49d45
- SHA512: 7c7fd3ba59f724c1cc9596c2e068d5d697457f9c26c3d25398de63790abbbccca5e5f8de9a4f19a309e40ae0e8f5e6549a213f2476c643b1da585a912e006e98
- SSDEEP: 393216:GomzrBaqIKvBl8CUwFcqHDVLU7ouLPIFKVhm6ZTnqXwP0vo4cS:SbdB2CJcMDVQ8uLPlyNX20PcS
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 3040: O&O Defrag Server Edition CHS.exe
- Loads dropped DLL (1 IoC)
  PID 1756: HH_OODefragV10_LY.exe
- YARA rule match: upx
  behavioral1/memory/1756-0-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral1/memory/1756-8-0x0000000000400000-0x0000000000427000-memory.dmp
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main (by O&O Defrag Server Edition CHS.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3040: O&O Defrag Server Edition CHS.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3040: O&O Defrag Server Edition CHS.exe (2 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1756 (HH_OODefragV10_LY.exe) wrote to memory of PID 3040, procid_target 28 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\HH_OODefragV10_LY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HH_OODefragV10_LY.exe"
  PID: 1756
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GCA8E1C.tmp\O&O Defrag Server Edition CHS.exe (child of PID 1756)
    Command line: "O&O Defrag Server Edition CHS.exe"
    PID: 3040
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 21.4MB
  MD5: acb442ab6e8161f0629b2d216ccc0185
  SHA1: 82d10351dce485ad6fad7aba509cf5c481e99962
  SHA256: 95c83bff9b8c7b12ef94db4476da99879598aa0cc193600617082901ac2b2198
  SHA512: 1c03f9347f45405fe3e40da31644f172f4d4a39417de158396792289fcdd83ff3e7e2442f2094e32c8f3c7e9ea95a2782e89d64012aaaaac35fc8a7c32350dd5
- Filesize: 20.4MB
  MD5: 74cb794908d0cdccdefc0cbc3d6680e2
  SHA1: 5b650e06d7d8a8f2b953d52d7368f2b4adb7bbcd
  SHA256: 006d09bd8992ed1c7b92fc523702ca46f8aea549eb7af8d49277a885d0c0acb4
  SHA512: 7f9bef4fea268d6ea492627f8ff3ecba7b6b9e251756ce3b74e113966f62072262de250eae849c4f44a3819a58670040b25e2bccf162fbd9c254f30f3f114105
- Filesize: 5.1MB
  MD5: e753202678c30a5f7c9aa1a4c98ce815
  SHA1: d86d199e0c7a12378f8f4df72c0e88c6907c6bb0
  SHA256: f3a91a818e2c9307dd82eacd33526c9949e8e1771bd501da969331e0018b4caf
  SHA512: cd920bfc247a6d82fbfe9c510b60cef41d509d6cdd4cd69ebed6ecfce2a5e426b76543d48a15355ec74915839c9204904024467a29444d356028982aa39e721b