Overview

Score  Sample                 Platform
7      Static                 static
3      upgrade.exe            windows7-x64
7      upgrade.exe            windows10-2004-x64
7      $0/uninstall.exe       windows7-x64
7      $0/uninstall.exe       windows10-2004-x64
7      $PLUGINSDI...ns.dll    windows7-x64
3      $PLUGINSDI...ns.dll    windows10-2004-x64
3      $PLUGINSDI...em.dll    windows7-x64
3      $PLUGINSDI...em.dll    windows10-2004-x64
3      $0/wyeke.dll           windows7-x64
1      $0/wyeke.dll           windows10-2004-x64
3      $0/wyeke.exe           windows7-x64
1      $0/wyeke.exe           windows10-2004-x64
Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 05:13
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: upgrade.exe, win7-20231215-en
- behavioral2: upgrade.exe, win10v2004-20231215-en
- behavioral3: $0/uninstall.exe, win7-20231215-en
- behavioral4: $0/uninstall.exe, win10v2004-20231215-en
- behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20231129-en
- behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20231222-en
- behavioral7: $PLUGINSDIR/System.dll, win7-20231215-en
- behavioral8: $PLUGINSDIR/System.dll, win10v2004-20231215-en
- behavioral9: $0/wyeke.dll, win7-20231215-en
- behavioral10: $0/wyeke.dll, win10v2004-20231215-en
- behavioral11: $0/wyeke.exe, win7-20231215-en
- behavioral12: $0/wyeke.exe, win10v2004-20231222-en
General
- Target: upgrade.exe
- Size: 655KB
- MD5: 6200fd0bf01918f26533c82758163b5a
- SHA1: 6b7397caf49036062dc8b7210c27e5a3e3fc36fc
- SHA256: 66f26009c24d3b893aed432ad50b80427869b78f17e1a1bb34cfcb0c5c9ee43d
- SHA512: 76be6261325f3e39edf07984179911ec3a86d24bea4db10e67dc8a49fb07d8db9044d9d725bbb81a0290fe865e71615cc662cebd985e6397d684f8cae8bd81e5
- SSDEEP: 12288:22mfYcDGg+uQdFGzJUoBIJPtx2nNtJhqmFi8plxgtj5SSiJtL3JL0T:ZiGFTdozH2AnNtJhXi8plx4j5itVoT
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid   Process
2288  wyeke.exe
4092  wyeke.exe
1456  wyeke127.exe
1204  wyeke.exe

Loads dropped DLL (3 IoCs)
pid   Process
4092  wyeke.exe
1456  wyeke127.exe
1204  wyeke.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (5 IoCs)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\M8WGAVVO.htm (wyeke127.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (wyeke127.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (wyeke127.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (wyeke127.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (wyeke127.exe)

Drops file in Program Files directory (4 IoCs)
- File created: C:\Program Files (x86)\Wyeke\wyeke.exe (wyeke.exe)
- File created: C:\Program Files (x86)\Wyeke\uninstall.exe (upgrade.exe)
- File created: C:\Program Files (x86)\Wyeke\wyeke.dll (wyeke.exe)
- File opened for modification: C:\Program Files (x86)\Wyeke\wyeke.dll (wyeke.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (1 IoCs)
resource: behavioral2/files/0x000600000002321e-34.dat, yara_rule: nsis_installer_1

Modifies data under HKEY_USERS (8 IoCs)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (wyeke127.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (wyeke127.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (wyeke127.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (wyeke127.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (wyeke127.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (wyeke127.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (wyeke127.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (wyeke127.exe)

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid   Process
1456  wyeke127.exe (the same entry is listed 60 times)

Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
1204  wyeke.exe
1204  wyeke.exe
1204  wyeke.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                          pid   Process       procid_target
PID 2172 wrote to memory of 2288     2172  upgrade.exe   85
PID 2172 wrote to memory of 2288     2172  upgrade.exe   85
PID 2172 wrote to memory of 2288     2172  upgrade.exe   85
PID 2172 wrote to memory of 4092     2172  upgrade.exe   86
PID 2172 wrote to memory of 4092     2172  upgrade.exe   86
PID 2172 wrote to memory of 4092     2172  upgrade.exe   86
PID 1456 wrote to memory of 1204     1456  wyeke127.exe  88
PID 1456 wrote to memory of 1204     1456  wyeke127.exe  88
PID 1456 wrote to memory of 1204     1456  wyeke127.exe  88
Processes
- C:\Users\Admin\AppData\Local\Temp\upgrade.exe (PID 2172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\upgrade.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe (PID 2288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe" "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll" -r
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe (PID 4092)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe" "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll" Install ""
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory
- C:\ProgramData\Wyeke\wyeke127.exe (PID 1456)
  Command line: "C:\ProgramData\Wyeke\wyeke127.exe" "C:\Program Files (x86)\Wyeke\wyeke.dll" Service
  Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Wyeke\wyeke.exe (PID 1204)
    Command line: "C:\Program Files (x86)\Wyeke\wyeke.exe" "C:\Program Files (x86)\Wyeke\wyeke.dll" Main
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads