Analysis
- max time kernel: 140s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2024, 06:05
Static task: static1
Behavioral task: behavioral1
- Sample: setup.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: setup.exe
- Resource: win10v2004-20231215-en
Behavioral task: behavioral3
- Sample: 帮助.lnk
- Resource: win7-20231215-en
Behavioral task: behavioral4
- Sample: 帮助.lnk
- Resource: win10v2004-20231215-en
Behavioral task: behavioral5
- Sample: 新云软件.url
- Resource: win7-20231215-en
Behavioral task: behavioral6
- Sample: 新云软件.url
- Resource: win10v2004-20231215-en
General
- Target: setup.exe
- Size: 10.7MB
- MD5: a991512916e453a8984f7e066d698d62
- SHA1: ebfe1576776dd0f5ac1b3e37afd1d87aa0faf8f6
- SHA256: d4747292524dc2168431a7fb0151328cab9b0081843b6feb1a460f8fbfe24fca
- SHA512: c9b1d3cbc6a8f19e05388535912bb9bcc35c9d0e8450939bf8678c84f9d30802b6602cb833a92918b2fe038e51ecbc48a38f9915d31f8ae6b28810ea5f41fe2d
- SSDEEP: 196608:1a66Jc279kJcPT2a0BBxyk5T4S32HWr3d5MracOqLSJmg1Hw0:1FKfDCa0BB4k5T4S3Zr3dmJvrWHd
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  1748 | irsetup.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2024 | setup.exe
- resource | yara_rule
  behavioral1/files/0x0009000000015d23-1.dat | upx
  behavioral1/memory/2024-5-0x00000000022D0000-0x000000000240D000-memory.dmp | upx
  behavioral1/memory/1748-6-0x0000000000400000-0x000000000053D000-memory.dmp | upx
  behavioral1/memory/1748-20-0x0000000000400000-0x000000000053D000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1748 | irsetup.exe
  1748 | irsetup.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2024 wrote to memory of 1748 | 2024 | setup.exe | 28
  PID 2024 wrote to memory of 1748 | 2024 | setup.exe | 28
  PID 2024 wrote to memory of 1748 | 2024 | setup.exe | 28
  PID 2024 wrote to memory of 1748 | 2024 | setup.exe | 28
  PID 2024 wrote to memory of 1748 | 2024 | setup.exe | 28
  PID 2024 wrote to memory of 1748 | 2024 | setup.exe | 28
  PID 2024 wrote to memory of 1748 | 2024 | setup.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  PID: 2024
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe (child of PID 2024)
    Command line: __IRAOFF:542221 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\setup.exe"
    PID: 1748
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 47KB
  MD5: 20c0416799e86e25d0f300bf8bb34e40
  SHA1: 7d5b59f2e39ef66b040b91fb29d650bc0de94f2f
  SHA256: 5430a1cbb3b4495cf1af10259844ae1f61cd14de54e6878283a4e54d5d83c3f5
  SHA512: d8b5d3af3706773588434d0d9ab1e993293ff120bd067f99518551af5f600e460ff4090f463b5b99bda2e272764e1d15208fce14a132fe8f91217b4ea1afeb49
- Filesize: 461KB
  MD5: 1c58b6ee4cb9561e81095b76656a2ef9
  SHA1: 1a7a7b05f97aa0d5280e423f5712a71d26a7c724
  SHA256: f3361c6d49a75c7a7d6a1cba252d5ca4a178ee69b7a07e1fa2ed28820f6b7cc7
  SHA512: 106cbdb37d592b4586c206981e44f928e875c7497471f55031ebf7de0aaa0ace09e7fa028fc31a34aa6822415b068a91b4f3f297c7216171d07f6a50b9eadbf1