Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
3s -
max time network
91s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2023, 06:00
Behavioral task
behavioral1
Sample
HH_OODefragV10_LY.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
HH_OODefragV10_LY.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
KeyGen.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
KeyGen.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral5
Sample
新云软件.url
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
新云软件.url
Resource
win10v2004-20231215-en
General
-
Target
HH_OODefragV10_LY.exe
-
Size
19.3MB
-
MD5
67f81daa0c91fc86467e2c3b437ab2d4
-
SHA1
d1f1944e9ea5fcfd9f551987bc53da4f07041098
-
SHA256
69135826d920f833561db730919451d3253dab4c3e46d2bc33df47eb94e49d45
-
SHA512
7c7fd3ba59f724c1cc9596c2e068d5d697457f9c26c3d25398de63790abbbccca5e5f8de9a4f19a309e40ae0e8f5e6549a213f2476c643b1da585a912e006e98
-
SSDEEP
393216:GomzrBaqIKvBl8CUwFcqHDVLU7ouLPIFKVhm6ZTnqXwP0vo4cS:SbdB2CJcMDVQ8uLPlyNX20PcS
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3868 O&O Defrag Server Edition CHS.exe -
resource yara_rule behavioral2/memory/328-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/328-6-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3868 O&O Defrag Server Edition CHS.exe 3868 O&O Defrag Server Edition CHS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 328 wrote to memory of 3868 328 HH_OODefragV10_LY.exe 93 PID 328 wrote to memory of 3868 328 HH_OODefragV10_LY.exe 93 PID 328 wrote to memory of 3868 328 HH_OODefragV10_LY.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\HH_OODefragV10_LY.exe"C:\Users\Admin\AppData\Local\Temp\HH_OODefragV10_LY.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Users\Admin\AppData\Local\Temp\GCA4C0D.tmp\O&O Defrag Server Edition CHS.exe"O&O Defrag Server Edition CHS.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3868
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5a972d1fc4893c47333a3781d611b0b3a
SHA17f14eba8aa59020271aeddaee6f7686297243344
SHA256959fc08e20899e1133226e4cf469325a4a40e8532d574022afb8db85b328c878
SHA512835abe4ec48ed7c28321389621c928c16dfecafb8712dec7efe4daa2579268b7d4d172e6ff144be8bd337ce5bd553495c99131d99a67e9221d6766723ec19905