Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2024, 14:00
Static task: static1

Behavioral task: behavioral1
Sample: Crack/ReplayConverterv230_Crack.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: Crack/ReplayConverterv230_Crack.exe
Resource: win10v2004-20231215-en

Behavioral task: behavioral3
Sample: Crack/非常世纪资源网.url
Resource: win7-20231215-en

Behavioral task: behavioral4
Sample: Crack/非常世纪资源网.url
Resource: win10v2004-20231215-en

Behavioral task: behavioral5
Sample: RCSetup.exe
Resource: win7-20231215-en

Behavioral task: behavioral6
Sample: RCSetup.exe
Resource: win10v2004-20231215-en

Behavioral task: behavioral7
Sample: 非常世纪资源网.url
Resource: win7-20231215-en

Behavioral task: behavioral8
Sample: 非常世纪资源网.url
Resource: win10v2004-20231215-en
General
Target: RCSetup.exe
Size: 27.0MB
MD5: 291df52c0e753c81bd381d68c5ef2789
SHA1: 9dfe31c0d389b29acaf6f8eaacdf79c753b3e03c
SHA256: 1e2bd3aca04c2675a3dfa0897657bb8ef3aa789b3df799fd67ae1cb9a2f62e45
SHA512: 3f1c6e39da4ebd62df4c7f27aa30e3f6367408515f1e40dbe4706c275dd1d9a822e6edc178467357c9be82e8608f5c5923e367f73263e4347000e8e0f42eef2b
SSDEEP: 393216:k27vCvphdDXzUH3GFZXvLqVrGwQ33EYf9Nz73R5weatxXmpGxAb8Lx1N0p/hK:k27qXhZXe9GFH5RNatxXacoppK
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  2380  irsetup.exe

Loads dropped DLL (4 IoCs)
  PID   Process
  2128  RCSetup.exe
  2380  irsetup.exe
  2380  irsetup.exe
  2380  irsetup.exe

Drops file in Program Files directory (1 IoC)
  Description                   IoC                                                    Process
  File opened for modification  C:\Program Files (x86)\Replay Converter\Setup Log.txt  irsetup.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  2380  irsetup.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  2380  irsetup.exe
  2380  irsetup.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Description                       PID   Process      procid_target
  PID 2128 wrote to memory of 2380  2128  RCSetup.exe  28
  PID 2128 wrote to memory of 2380  2128  RCSetup.exe  28
  PID 2128 wrote to memory of 2380  2128  RCSetup.exe  28
  PID 2128 wrote to memory of 2380  2128  RCSetup.exe  28
  PID 2128 wrote to memory of 2380  2128  RCSetup.exe  28
  PID 2128 wrote to memory of 2380  2128  RCSetup.exe  28
  PID 2128 wrote to memory of 2380  2128  RCSetup.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\RCSetup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RCSetup.exe"
   PID: 2128
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\irsetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
      PID: 2380
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: 9c53a90ebe27452ed61847d6c8789759
SHA1: fa378c148053202a460b2ff5a658dd16e9c9135d
SHA256: 49f7c7f492514fa4113748091c44386b32573494ca4cce7c4d61ad7f8d692984
SHA512: e1af07ffe662d4e47e108a38d8c793ef77901635f96277c6a1385d41149ef145645b6625d1db171b1bc40a18dd7457941447d4130c7b9ace8ba31daf602ba964

Filesize: 51KB
MD5: abd5e130918db8dad211bafc3fd4ab0b
SHA1: fdeed88d53ad209b9239aa29e6b4610e2a43e10d
SHA256: eb97b033666c2a928d20cb4a089c38a87a67146e9555bd5cad4e0d82980d4450
SHA512: 326dcde0468e4e9bfb4f02f1a719c3461539614022b67697a8f84222ad13274efbf0ef26a1be795254b5b897e217896e4675a7a531f82f9c942870f114a38c59

Filesize: 40KB
MD5: 10b0b080f290172052bcb416c00d54fa
SHA1: 2c45f2cef5d4c56f5bae08b7a606e8c77b8dda1b
SHA256: d55cff09817350e4881317c1b49020af664ba8f7e7edadf4205f58be11c3ed88
SHA512: 7075cefaacb4dc54630a2e18c299f986050cd259178fc7ccf69098b28a16d4c7d720febe0d413254530f07b5af7c4af9d0e9630de68895bb5427f68fe1ff879d

Filesize: 80B
MD5: ec0cc8d7f9e6dfe67829b5238923c397
SHA1: 2e200d9f2d19f8e5b96d20cc4117ebc14878cb14
SHA256: 3f2478c10544c6bfce42702f432eb8bb8d3c318beda77e5718505b23a68ae05f
SHA512: e2ebe69b8f4a7b355c83398e2c086240cc3a41f8823ada5935fa14645190fe8ac1879957e649712477946e64175b3b124d7ad286d6b64b485e7d1a4e5e5b6375

Filesize: 15KB
MD5: cedffa2264d312a7ca515e64ff34b814
SHA1: 3f2c492765f8e6f50ec8b0d3580a8b81f2fe108c
SHA256: b13b8d36a80294fb22f2e166a307f6dab26cef2b7f4be3067571731d7cdf424a
SHA512: 3c42ba97bac9aefeec0c1190c9375893eafb8f230339b141a1fdacb51ff994f9d362988273a53144e689f90ef62dbee0a2063e49523d73ce55a6e72673f9b638

Filesize: 640KB
MD5: ae28c59ffd5393a69ef68c41be64209c
SHA1: 7775613f8d15fed36155e43d5336364681caacde
SHA256: 1d9f8c4ab0ff2dd0c1f8dce59bab5bb2d4df2811aaa08205a66d5fb96425aaf6
SHA512: 96c22e02ba975119256622d55a9372e0fc41d9e91e355195379a76991db706b02b64886e685b69bc5031c8b97c29e950e72c03ee11632a921453f071238d059e

Filesize: 479KB
MD5: 9665a2a4cc5c793356cdecce7d35cabd
SHA1: 6370ca03f28dd21d86e286e433018c69e4d61ac7
SHA256: 0cb70eb89cae91a4bc10b2f9ab60c4f95c9276a78fa92ecdb47e7e4841483ad2
SHA512: 6d9f65eb5b28a2da55ae806259758539ce5ea87af9cc7198b73a0245f977addd398a398c4c2119839e0465586715f3a27c3737be0778a17910136863cc6dfee8

Filesize: 720KB
MD5: 456462905091db042141487fe030e3c9
SHA1: bb57b4850528c3c8d9bf159fb5b9f414ddc7d5d7
SHA256: a93dc5e28d74ef40dd5d694aff7fb5f24c27dac4b59adae008cfdc5ca65587b0
SHA512: fdd82c126189454352b44c756be06e3e93ee26a93b56d99c3eb5254cac3f6d6ed71556765b76e65bd75efad461972044ce829443c006fc0816a28f7b4493296f