Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

58342456b7...0b.exe

windows7-x64

3

58342456b7...0b.exe

windows10-2004-x64

3

$APPDATA/C...er.dll

windows7-x64

7

$APPDATA/C...er.dll

windows10-2004-x64

7

$APPDATA/C...TV.dll

windows7-x64

1

$APPDATA/C...TV.dll

windows10-2004-x64

1

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Communicate.dll

windows7-x64

1

Communicate.dll

windows10-2004-x64

1

MSINET.dll

windows7-x64

1

MSINET.dll

windows10-2004-x64

1

PSPMencoder.exe

windows7-x64

7

PSPMencoder.exe

windows10-2004-x64

7

QvodPlayer.exe

windows7-x64

QvodPlayer.exe

windows10-2004-x64

VnetClinfo.dll

windows7-x64

1

VnetClinfo.dll

windows10-2004-x64

1

comdlg32.dll

windows7-x64

1

comdlg32.dll

windows10-2004-x64

1

images/list.js

windows7-x64

1

images/list.js

windows10-2004-x64

1

mod/CCTVPlayer.dll

windows7-x64

7

mod/CCTVPlayer.dll

windows10-2004-x64

7

mod/CCTVUp...ll.dll

windows7-x64

7

mod/CCTVUp...ll.dll

windows10-2004-x64

7

mod/Reli_CCTV.dll

windows7-x64

1

mod/Reli_CCTV.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2024, 06:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PSPMencoder.exe

  • Size

    2.5MB

  • MD5

    8464394f47d1b2b00944b6bd75ba5226

  • SHA1

    b3b02c06403a64f9d360225f7923f1e19c00a539

  • SHA256

    31405f0862472d9877ee66fc592c5d50e0ec5e44725831932593088202cca642

  • SHA512

    f413ed1a2f966e9364138b30f23320e9d531d7926013352d70c7896bb4b8fe926b76ec7546fcf1a50e5068624012312b275d5067f3f44c82b8a406c17c029cfe

  • SSDEEP

    49152:SQQ99NtzK6mlE+t7U20LlzFAhVf+5XWV6lFO9RC4LcWoRCdUPjRUir:aD+dU20LlzFAhVW5XWQLO9RoRCdUPjRJ

Score
7/10
persistenceupx

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 8 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PSPMencoder.exe
    "C:\Users\Admin\AppData\Local\Temp\PSPMencoder.exe"
    1⤵
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Users\Admin\AppData\Local\Temp\QvodInsert.dll" /s
      2⤵
        PID:1060
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 "C:\Users\Admin\AppData\Local\Temp\VnetClinfo.ocx" /s
        2⤵
        • Modifies registry class
        PID:2296
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c regtvdllCCTVUpdateInstall.dll.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\CCTVUpdateInstall.dll" /s
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          PID:4752
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c regtvdllCCTVPlayer.ocx.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\CCTVPlayer.ocx" /s
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          PID:4540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c regtvdllReli_CCTV.dll.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\Reli_CCTV.dll" /s
          3⤵
          • Modifies registry class
          PID:4704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\QvodCfg.ini
      Filesize

      292B

      MD5

      a671d3d075bd4fb6e24efbd2ff6b984a

      SHA1

      ec6cc7b141cdd5cd45a198dd20878f8038364040

      SHA256

      b315b489492b336207dea7f9a956d1da68405ddac8f5e0b81b14d5dead1e1f29

      SHA512

      bc194acfd64d274febee0d6876544c3a3ee759f84ecc0c4b098d1a88d2e26405f6c4d19d320b7ca63ff94f1e07e798eabbfbc3bebcf38489599c9b60207a56b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\config.dll
      Filesize

      185B

      MD5

      3a03fd02ec2c4a8594040d25e1234ec2

      SHA1

      41c9dbc98f14f04bd88b2149d615f96758bbddb1

      SHA256

      207ccf7b56f8a780d2cc2b744d32e52fdd4ce6074ca94ad4153160469f7e99ad

      SHA512

      a5a3d4c8de44eb81fbf4d036809b12318f919a3941d9e99f8e8d7406c4eb4874deb274905a8d20cbf44c64b27e0b2d822cdde661e9ea88933c889e5c9e5e9461

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\regtvdllCCTVPlayer.ocx.bat
      Filesize

      122B

      MD5

      c444d18db692685402218008375621d5

      SHA1

      16df7100180f98f284f7e1e03b12ad2acd67bfbe

      SHA256

      cdc0acafbe9318790cc423af79b78dbe1312566177f7968f193f0538948ed31d

      SHA512

      7ad2265cfb2995c738652accc6e4a52ca1b8360594e54687a01972954f6179ff7228ab1ab075387b7b2b14780b7b58235312288b39b781031a87e614ff5f4784

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\regtvdllCCTVUpdateInstall.dll.bat
      Filesize

      136B

      MD5

      093157afd2189f85f6ff43f1c7d346f7

      SHA1

      fa3bf14e8815b35ce8e7ee82d3007f06321c2b5e

      SHA256

      f049fa2c8465660a3b10db1ecb6bc9e0d2aaa1e5176ee2b90e1ac6fc1a561a75

      SHA512

      df5b31570160516330f6a553dbe69ebb496107df6efa0023baa3f019fad7f5cd6da66c5a80116adbd344e3068086eba6068793c5309a1ee59b4c5306bb6ba62a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\regtvdllReli_CCTV.dll.bat
      Filesize

      120B

      MD5

      a3b3e0b89cf93ff854bac31c0f5dd47e

      SHA1

      0d92e673cc424d60eab529d8af01148fb106825b

      SHA256

      414e23a013713aadcc561d23d04f62c95b8f74c47fef2cdd6e1c67baae4db06f

      SHA512

      d98f8826f43a1642c23110b2c21538a145ae2ce54379deb6f55c2a291a3726337c48b519631dee7904be7810e08d21f7d3434024cda1bb1220997ec397583c61

      Download Submit

    • memory/2296-2-0x0000000002320000-0x000000000232D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3412-85-0x00000000047E0000-0x0000000004C5C000-memory.dmp

      Filesize

      4.5MB

      Download

    • memory/3412-86-0x0000000004620000-0x0000000004710000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3412-125-0x00000000047C0000-0x00000000047C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3412-89-0x00000000047C0000-0x00000000047C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3412-124-0x0000000004620000-0x0000000004710000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3412-112-0x0000000004620000-0x0000000004710000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4540-84-0x0000000010000000-0x00000000100F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4752-88-0x0000000010000000-0x000000001001E000-memory.dmp

      Filesize

      120KB

      Download