Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 05:13

General

  • Target

    upgrade.exe

  • Size

    655KB

  • MD5

    6200fd0bf01918f26533c82758163b5a

  • SHA1

    6b7397caf49036062dc8b7210c27e5a3e3fc36fc

  • SHA256

    66f26009c24d3b893aed432ad50b80427869b78f17e1a1bb34cfcb0c5c9ee43d

  • SHA512

    76be6261325f3e39edf07984179911ec3a86d24bea4db10e67dc8a49fb07d8db9044d9d725bbb81a0290fe865e71615cc662cebd985e6397d684f8cae8bd81e5

  • SSDEEP

    12288:22mfYcDGg+uQdFGzJUoBIJPtx2nNtJhqmFi8plxgtj5SSiJtL3JL0T:ZiGFTdozH2AnNtJhXi8plx4j5itVoT

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 1 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\upgrade.exe
    "C:\Users\Admin\AppData\Local\Temp\upgrade.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe
      "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe" "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll" -r
      2⤵
      • Executes dropped EXE
      PID:2288
    • C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe
      "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe" "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll" Install ""
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:4092
  • C:\ProgramData\Wyeke\wyeke127.exe
    "C:\ProgramData\Wyeke\wyeke127.exe" "C:\Program Files (x86)\Wyeke\wyeke.dll" Service
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Program Files (x86)\Wyeke\wyeke.exe
      "C:\Program Files (x86)\Wyeke\wyeke.exe" "C:\Program Files (x86)\Wyeke\wyeke.dll" Main
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1204
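
The process tree above has one recurring shape: every Wyeke process is a small EXE that receives a DLL path plus a bare verb ("-r", "Install", "Service", "Main"), first from the NSIS unpack directory (nsp475B.tmp) and then from ProgramData and Program Files with the same DLL name. The verb names suggest a service-style setup, but the report lists no service-creation signature, so that is an inference rather than a finding. The following is an added example, not part of the Triage report, showing how a detection engineer would encode that chain as rules over process-creation telemetry. The events are constructed to mirror the tree: the PIDs 2172, 2288, 4092, 1456, 1204 and the command lines are taken from the report, while the parent PIDs 1000 and 700 of the two top-level processes are assumed because the report does not show them.

```python
"""Added example (not part of the Triage report): rules over constructed
process-creation events that mirror the Processes tree above. Parent PIDs
1000 and 700 are assumed; nothing here is captured telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TMP = r"C:\Users\Admin\AppData\Local\Temp"
NS = TMP + r"\nsp475B.tmp"
PF = r"C:\Program Files (x86)\Wyeke"
PD = r"C:\ProgramData\Wyeke"

EVENTS: List[ProcEvent] = [
    ProcEvent(2172, 1000, TMP + r"\upgrade.exe", '"' + TMP + r'\upgrade.exe"'),
    ProcEvent(2288, 2172, NS + r"\wyeke.exe",
              '"' + NS + r'\wyeke.exe" "' + NS + r'\wyeke.dll" -r'),
    ProcEvent(4092, 2172, NS + r"\wyeke.exe",
              '"' + NS + r'\wyeke.exe" "' + NS + r'\wyeke.dll" Install ""'),
    ProcEvent(1456, 700, PD + r"\wyeke127.exe",
              '"' + PD + r'\wyeke127.exe" "' + PF + r'\wyeke.dll" Service'),
    ProcEvent(1204, 1456, PF + r"\wyeke.exe",
              '"' + PF + r'\wyeke.exe" "' + PF + r'\wyeke.dll" Main'),
]

# NSIS unpacks into %TEMP%\ns<letter><4 hex>.tmp\ (the GetTempFileName
# shape that appears in the report as nsp475B.tmp).
NSIS_TMP = re.compile(r"\\AppData\\Local\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\", re.I)
# Vendor folder directly under ProgramData; the Microsoft subtree is excluded.
PROGRAMDATA = re.compile(r"^[a-z]:\\ProgramData\\(?!Microsoft\\)", re.I)
PROGRAM_FILES = re.compile(r"^[a-z]:\\Program Files( \(x86\))?\\", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    """Windows-style split: a quoted run is one token, quotes dropped."""
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]


def loader_verb(tokens: List[str]) -> Optional[Tuple[str, str]]:
    """(dll_path, verb) when an argument is a .dll path followed by a bare
    verb: the "<exe> <dll> <verb>" shape of every wyeke process in the tree."""
    for i in range(1, len(tokens) - 1):
        if tokens[i].lower().endswith(".dll"):
            return tokens[i], tokens[i + 1]
    return None


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """pid -> ordered list of rule names that fired for that process."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}

    def add(pid: int, rule: str) -> bool:
        rules = findings.setdefault(pid, [])
        if rule in rules:
            return False
        rules.append(rule)
        return True

    for e in events:
        if NSIS_TMP.search(e.image):
            add(e.pid, "exe_run_from_nsis_temp_dir")
            if e.ppid in by_pid:  # the installer that unpacked it
                add(e.ppid, "spawned_exe_from_nsis_temp_dir")
        if PROGRAMDATA.search(e.image):
            add(e.pid, "exe_run_from_programdata")
        lv = loader_verb(split_cmdline(e.cmdline))
        if lv:
            add(e.pid, "dll_loader_verb:" + lv[1])

    # Tie descendants to the chain until stable, whatever the event order.
    changed = True
    while changed:
        changed = False
        for e in events:
            if e.ppid in findings and add(e.pid, "child_of_flagged_process"):
                changed = True
    return findings


def shared_dll_names(events: List[ProcEvent]) -> Set[str]:
    """DLL basenames handed to a loader both from a staging location (NSIS
    temp dir or ProgramData) and from Program Files: the module moving from
    the unpack directory to its installed location."""
    staged: Set[str] = set()
    installed: Set[str] = set()
    for e in events:
        lv = loader_verb(split_cmdline(e.cmdline))
        if not lv:
            continue
        name = lv[0].rsplit("\\", 1)[-1].lower()
        if NSIS_TMP.search(lv[0]) or PROGRAMDATA.search(lv[0]):
            staged.add(name)
        elif PROGRAM_FILES.search(lv[0]):
            installed.add(name)
    return staged & installed


if __name__ == "__main__":
    for pid, rules in analyze(EVENTS).items():
        print(pid, rules)
    print("shared dll names:", shared_dll_names(EVENTS))
```

The child-of-flagged rule is a chain tie, not a verdict on its own; the signal worth alerting on is the combination of a loader run from the NSIS temp directory, the same DLL name later loaded from Program Files, and a "Service" verb on a process started from ProgramData.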

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Wyeke\uninstall.exe

    Filesize

    87KB

    MD5

    ff795d8c92ba9e210087811450f07b86

    SHA1

    6c2959c83a4c460b77a285473cb02de79d01d1b0

    SHA256

    7911cc2005f04f64f514f0aedaf9bde9aec48e51ecb9e0b21981e39a3885cd68

    SHA512

    951620bede769f77b40f1d315841604212632a2f5095df5cf9134811f43328e95f4c36962fecc2fdc7639ed1570238a9578c6cc1d2e7b17b820ba3c7909cf401

  • C:\Program Files (x86)\Wyeke\wyeke.dll

    Filesize

    413KB

    MD5

    f33ad3619c1ba627de703698ab868ce7

    SHA1

    233d4feb619306fb68a75ddfaab9472d4edefe20

    SHA256

    cb69db2772526eca4f570e8925c9343bc9960d7bf35a9b3fbc68defab83f88ff

    SHA512

    e74094624e2f54bb7d8ce04830d99425bf731cf3b7b805625ff40c84dbbc57de50a5232e9e1d7557ea91436e84993fc61324bb7c95ebecb29cf1a7b3776440f8

  • C:\Program Files (x86)\Wyeke\wyeke.dll

    Filesize

    327KB

    MD5

    8bab6da6fcb55ff8fd19e4b040048248

    SHA1

    ab485effea7263cec8b81aa0acf5d41a3af10249

    SHA256

    5dbf62ee4208ac8608fc57da20b871896bc51a4e991b09e987c4542a51f94eab

    SHA512

    188a4fd3b7f3c9b4a0f230ea3206e7a05da18f220318489b9262b82c2af7470e822a8d5f02798278b7193bda683b5c3ee7cb414bebc440afc8072a8edf88a9a8

  • C:\Program Files (x86)\Wyeke\wyeke.dll

    Filesize

    255KB

    MD5

    1ed9d05d1bb9ae6147f71c14a7c9692b

    SHA1

    6bd7276997464bcfe566917b358ada436e2162d9

    SHA256

    84c73cdf41e385d83a8ea4635c5a77510316c0a193ec1204b3dbf9e9a77ca445

    SHA512

    987a07631a786c237c7625b2bf8863408a6f3f2796dec6107060eb70c05fa3ddc189e57c0b186966dc2677affc3217dc1e7cf3ccaebf4ad3c66c3a56d273b375

  • C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll

    Filesize

    584KB

    MD5

    485308e6665d76b37fec8acbd7598455

    SHA1

    20c6961f2c50c3ec6b9444bdd5c4e46563de5d53

    SHA256

    0b1d29264ed12e4ef85e499babf83b702805a0647e5f2958f07ec5d32703e8e7

    SHA512

    6c5481b985cbe4282d8835264f873ae0a603938d8fcf7dd134d4e17295d9953f4ac8c6c2fdd85f6330418b3e9b496351dcf9b6c80cabdb581575d5777d641429

  • C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe

    Filesize

    57KB

    MD5

    1a6a68ce5fbe650abca2450c245aca9e

    SHA1

    f1d3aa00d1f60a0fc9e40e1da18a7ee5851bf493

    SHA256

    bb957c094016983a5c41dd684a22b834024219e99bed8531f245d8753703b1e2

    SHA512

    8763e3fab06a52c080243ea4b9ca8e0befc83c0f0afb5881d213c54ff1db5de3f3d3a529ed72c7e2da49eb696b28741f0abf9d367da5b346c7dc9368a22f98d6

  • memory/1204-42-0x0000000002350000-0x00000000023D4000-memory.dmp

    Filesize

    528KB

  • memory/1456-22-0x00000000010D0000-0x0000000001154000-memory.dmp

    Filesize

    528KB

  • memory/4092-11-0x0000000002390000-0x0000000002414000-memory.dmp

    Filesize

    528KB
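
The Downloads list above reports C:\Program Files (x86)\Wyeke\wyeke.dll three times with different sizes and hashes (413KB, 327KB, 255KB), alongside a 584KB wyeke.dll in the NSIS temp directory: the sandbox captured different content at one path at different moments, so none of the three can be assumed to be the final on-disk file. The memory/... entries are dumps and carry a size only. As an added example that is not part of the Triage report, the following turns this list into a hash-keyed IOC set and flags such same-path collisions so they are not silently reduced to one hash. REPORT_DOWNLOADS is copied from the report in the page's own layout; the SHA1/SHA512 lines and the wyeke.exe entry are left out only to keep the sample short, and the parser handles the full list the same way.

```python
"""Added example (not part of the Triage report): parse the Downloads list
into file IOCs and flag paths captured with more than one content.
REPORT_DOWNLOADS is copied from the report; SHA1/SHA512 lines omitted."""
from collections import defaultdict
from typing import Dict, List

REPORT_DOWNLOADS = r"""
  • C:\Program Files (x86)\Wyeke\uninstall.exe
    Filesize
    87KB
    MD5
    ff795d8c92ba9e210087811450f07b86
    SHA256
    7911cc2005f04f64f514f0aedaf9bde9aec48e51ecb9e0b21981e39a3885cd68
  • C:\Program Files (x86)\Wyeke\wyeke.dll
    Filesize
    413KB
    MD5
    f33ad3619c1ba627de703698ab868ce7
    SHA256
    cb69db2772526eca4f570e8925c9343bc9960d7bf35a9b3fbc68defab83f88ff
  • C:\Program Files (x86)\Wyeke\wyeke.dll
    Filesize
    327KB
    MD5
    8bab6da6fcb55ff8fd19e4b040048248
    SHA256
    5dbf62ee4208ac8608fc57da20b871896bc51a4e991b09e987c4542a51f94eab
  • C:\Program Files (x86)\Wyeke\wyeke.dll
    Filesize
    255KB
    MD5
    1ed9d05d1bb9ae6147f71c14a7c9692b
    SHA256
    84c73cdf41e385d83a8ea4635c5a77510316c0a193ec1204b3dbf9e9a77ca445
  • C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll
    Filesize
    584KB
    MD5
    485308e6665d76b37fec8acbd7598455
    SHA256
    0b1d29264ed12e4ef85e499babf83b702805a0647e5f2958f07ec5d32703e8e7
  • memory/1204-42-0x0000000002350000-0x00000000023D4000-memory.dmp
    Filesize
    528KB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text: str) -> int:
    """'87KB' -> 89088. The report rounds to whole KB, so this is approximate."""
    num = text.rstrip("BKM")
    unit = text[len(num):] or "B"
    return int(float(num) * UNITS[unit])


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """One dict per '•' entry, values keyed by lower-cased label; blank
    lines are ignored, a label line selects the key for the next line."""
    entries: List[Dict[str, str]] = []
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"path": line[1:].strip()})
            label = None
        elif line in LABELS:
            label = line
        elif label is not None and entries:
            entries[-1][label.lower()] = line
            label = None
    return entries


def path_collisions(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """path -> SHA256 list for paths captured with more than one content."""
    by_path: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if "sha256" in e:
            by_path[e["path"]].append(e["sha256"])
    return {p: hs for p, hs in by_path.items() if len(set(hs)) > 1}


def file_iocs(entries: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """sha256 -> {path, md5, size_bytes} for on-disk artifacts. Memory dumps
    have no hash and are skipped; a hash seen at several paths keeps the first."""
    iocs: Dict[str, Dict[str, object]] = {}
    for e in entries:
        h = e.get("sha256")
        if h and h not in iocs:
            iocs[h] = {"path": e["path"], "md5": e.get("md5"),
                       "size_bytes": parse_size(e["filesize"])}
    return iocs


if __name__ == "__main__":
    parsed = parse_downloads(REPORT_DOWNLOADS)
    for path, hashes in path_collisions(parsed).items():
        print("collision:", path, len(hashes), "captures")
    print(len(file_iocs(parsed)), "unique file hashes")
```

Keeping the IOC set keyed by SHA256 rather than by path preserves all three captures of the Program Files wyeke.dll; when matching against a host, treat the collision set as "any of these" and confirm with the live file's hash rather than picking one entry from the report.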