Analysis

  • max time kernel
    186s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-es
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-es, locale:es-es, os:windows7-x64, system, windows
  • submitted
    12/02/2024, 01:21 UTC

General

  • Target

    UnlockTool-2024-09-01-0.exe

  • Size

    182.5MB

  • MD5

    d47143627ffdbbc4a487b6cf0832d9ae

  • SHA1

    652174cacdc5e773085061be52ce6783c81bec57

  • SHA256

    543b67bea0d897b65be998ccd2b0cc58579c21f249b94b9c7cdcfbfe9283de8f

  • SHA512

    c03b91257c3a212375ebd40670d199bdb33235e81a6146e062f0805c7165b3a3faa0e7554eb2599d8e5b5796f2b2a17ebfe809647e8be992a660ef3edf9f8497

  • SSDEEP

    3145728:bYMQFgo7i9qCKLKaPbYL3LUDpRuU24HGWmV+iB2x5MlX7GOzbm7sweWJlY20CeTJ:V6go7i9BtaDYL3Q/92FWm3XHH4sPWJCX

Score
8/10

Malware Config

Signatures

  • Manipulates Digital Signatures 1 TTPs 2 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies system certificate store 2 TTPs 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UnlockTool-2024-09-01-0.exe
    "C:\Users\Admin\AppData\Local\Temp\UnlockTool-2024-09-01-0.exe"
    1⤵
    • Manipulates Digital Signatures
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2932

Network

  • flag-us
    DNS
    vntool.vn
    UnlockTool-2024-09-01-0.exe
    Remote address:
    8.8.8.8:53
    Request
    vntool.vn
    IN A
    Response
    vntool.vn
    IN A
    104.26.14.2
    vntool.vn
    IN A
    172.67.75.226
    vntool.vn
    IN A
    104.26.15.2
  • flag-us
    GET
    https://vntool.vn/apiv4r11/update/?format=json&tool_name__name__iexact=UnlockTool
    UnlockTool-2024-09-01-0.exe
    Remote address:
    104.26.14.2:443
    Request
    GET /apiv4r11/update/?format=json&tool_name__name__iexact=UnlockTool HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip
    Host: vntool.vn
    User-Agent: UnlockTool
    Response
    HTTP/1.1 200 OK
    Date: Mon, 12 Feb 2024 01:23:45 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    Allow: GET, POST, HEAD, OPTIONS
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CyPdFSEvaa8RyGX8qL4NmQjrb0LU5QNU1Dl3TCo4GhBt2%2FPW3ADCcc9YhgVpH9iw4mvN%2FgFli6Pksq4nd4vEbWUjQU9vq8bLdRK5FFqPDtFbBUESFQx%2F73m%2FLQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 85410727dc29732a-LHR
    Content-Encoding: gzip
  • flag-us
    DNS
    pki.goog
    UnlockTool-2024-09-01-0.exe
    Remote address:
    8.8.8.8:53
    Request
    pki.goog
    IN A
    Response
    pki.goog
    IN A
    216.239.32.29
  • flag-us
    GET
    http://pki.goog/gsr1/gsr1.crt
    UnlockTool-2024-09-01-0.exe
    Remote address:
    216.239.32.29:80
    Request
    GET /gsr1/gsr1.crt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 889
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 12 Feb 2024 01:17:53 GMT
    Expires: Mon, 12 Feb 2024 02:07:53 GMT
    Cache-Control: public, max-age=3000
    Age: 350
    Last-Modified: Wed, 20 May 2020 16:45:00 GMT
    Content-Type: application/pkix-cert
    Vary: Accept-Encoding
  • flag-us
    DNS
    www.microsoft.com
    UnlockTool-2024-09-01-0.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    92.123.241.137
  • flag-us
    GET
    https://vntool.vn/apiv4r11/current_time
    UnlockTool-2024-09-01-0.exe
    Remote address:
    104.26.14.2:443
    Request
    GET /apiv4r11/current_time HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip
    Host: vntool.vn
    User-Agent: UnlockTool
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 12 Feb 2024 01:23:47 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: /apiv4r11/current_time/
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kYMsY81LTAM7SZ%2FOAN8Vof%2BzXgkedU1vfbH58XnaMSyt65SqBNqV%2B87zeBnTF4chEoHD9vFZ4MRKnrM5TxVtRs%2Fq4N5U32z2zBgWW4YWSGRerYGgOK6A8OPmLw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 854107379a9f06b6-LHR
  • flag-us
    GET
    https://vntool.vn/apiv4r11/current_time/
    UnlockTool-2024-09-01-0.exe
    Remote address:
    104.26.14.2:443
    Request
    GET /apiv4r11/current_time/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip
    User-Agent: UnlockTool
    Host: vntool.vn
    Response
    HTTP/1.1 200 OK
    Date: Mon, 12 Feb 2024 01:23:48 GMT
    Content-Type: application/json
    Content-Length: 38
    Connection: keep-alive
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lFJRK%2BJNGLWm5JWna%2FqZTKxVQvkkHoHA%2F71jMEJume%2BVYCGuHCts%2FiYcL6FsP4kBw%2FxE1fE%2FtApHVtrh8EaFUY%2B12ltXEbNi58AcPs8elLa4rvUNOZGUiNr6VA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8541073e9b61dd47-LHR
  • 104.26.14.2:443
    https://vntool.vn/apiv4r11/update/?format=json&tool_name__name__iexact=UnlockTool
    tls, http
    UnlockTool-2024-09-01-0.exe
    2.3kB
    39.1kB
    37
    62

    HTTP Request

    GET https://vntool.vn/apiv4r11/update/?format=json&tool_name__name__iexact=UnlockTool

    HTTP Response

    200
  • 216.239.32.29:80
    http://pki.goog/gsr1/gsr1.crt
    http
    UnlockTool-2024-09-01-0.exe
    351 B
    1.8kB
    5
    4

    HTTP Request

    GET http://pki.goog/gsr1/gsr1.crt

    HTTP Response

    200
  • 104.26.14.2:443
    https://vntool.vn/apiv4r11/current_time
    tls, http
    UnlockTool-2024-09-01-0.exe
    961 B
    5.9kB
    10
    11

    HTTP Request

    GET https://vntool.vn/apiv4r11/current_time

    HTTP Response

    301
  • 104.26.14.2:443
    https://vntool.vn/apiv4r11/current_time/
    tls, http
    UnlockTool-2024-09-01-0.exe
    961 B
    5.9kB
    10
    11

    HTTP Request

    GET https://vntool.vn/apiv4r11/current_time/

    HTTP Response

    200
  • 8.8.8.8:53
    vntool.vn
    dns
    UnlockTool-2024-09-01-0.exe
    55 B
    103 B
    1
    1

    DNS Request

    vntool.vn

    DNS Response

    104.26.14.2
    172.67.75.226
    104.26.15.2

  • 8.8.8.8:53
    pki.goog
    dns
    UnlockTool-2024-09-01-0.exe
    54 B
    70 B
    1
    1

    DNS Request

    pki.goog

    DNS Response

    216.239.32.29

  • 8.8.8.8:53
    www.microsoft.com
    dns
    UnlockTool-2024-09-01-0.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    92.123.241.137

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UnlockTool\Drivers\pwndfu\x86\libusb0.dll

    Filesize

    45KB

    MD5

    1a534450750eca1f3d951def8d9965bf

    SHA1

    7dd82b6d52a840c4979a7515fc7a9ca3725363c4

    SHA256

    5e84d13636fbce7869cddc8b20c7d83fa0063e98c319e8e5ab751edc9ee1da76

    SHA512

    3acdfff24a4d9ebb4e9647afccf95f33b4580980fb35a91eff65a01ce470b0bbc1a3a27c476653911f1fa431757ca64c945da89da54bffa599744f29123ef715

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar8368.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • memory/2932-46-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

  • memory/2932-35-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/2932-9-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2932-11-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2932-10-0x00000000772B0000-0x00000000772B1000-memory.dmp

    Filesize

    4KB

  • memory/2932-13-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2932-15-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2932-16-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

  • memory/2932-18-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

  • memory/2932-20-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

  • memory/2932-23-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

  • memory/2932-25-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

  • memory/2932-28-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/2932-51-0x0000000000300000-0x0000000000301000-memory.dmp

    Filesize

    4KB

  • memory/2932-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/2932-50-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

  • memory/2932-38-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

  • memory/2932-40-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

  • memory/2932-41-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

  • memory/2932-43-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

  • memory/2932-45-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

  • memory/2932-0-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2932-7-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2932-48-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

  • memory/2932-30-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/2932-53-0x0000000000300000-0x0000000000301000-memory.dmp

    Filesize

    4KB

  • memory/2932-55-0x0000000000300000-0x0000000000301000-memory.dmp

    Filesize

    4KB

  • memory/2932-56-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

  • memory/2932-58-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

  • memory/2932-59-0x00000000772AF000-0x00000000772B0000-memory.dmp

    Filesize

    4KB

  • memory/2932-62-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

  • memory/2932-64-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

  • memory/2932-63-0x00000000772AF000-0x00000000772B0000-memory.dmp

    Filesize

    4KB

  • memory/2932-61-0x00000000772B0000-0x00000000772B1000-memory.dmp

    Filesize

    4KB

  • memory/2932-66-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

  • memory/2932-88-0x00000000772AF000-0x00000000772B0000-memory.dmp

    Filesize

    4KB

  • memory/2932-90-0x00000000772AF000-0x00000000772B0000-memory.dmp

    Filesize

    4KB

  • memory/2932-116-0x00000000772AF000-0x00000000772B0000-memory.dmp

    Filesize

    4KB

  • memory/2932-117-0x00000000772B0000-0x00000000772B1000-memory.dmp

    Filesize

    4KB

  • memory/2932-138-0x00000000772AF000-0x00000000772B0000-memory.dmp

    Filesize

    4KB

  • memory/2932-180-0x000000001A600000-0x000000001A601000-memory.dmp

    Filesize

    4KB

  • memory/2932-5-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2932-4-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2932-2-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2932-526-0x000000001A600000-0x000000001A601000-memory.dmp

    Filesize

    4KB
