Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Everything...up.exe

windows7-x64

7

Everything...up.exe

windows10-2004-x64

4

$PLUGINSDI...ng.exe

windows7-x64

6

$PLUGINSDI...ng.exe

windows10-2004-x64

6

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    316s
  • max time network
    316s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21/02/2024, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Everything-1.4.1.1024.x64-Setup.exe

  • Size

    1.8MB

  • MD5

    5036e609163e98f3ac06d5e82b677df8

  • SHA1

    176db10a4cda7104f24eece2d87e1a664b7fb929

  • SHA256

    b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

  • SHA512

    40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

  • SSDEEP

    49152:W45XjhjuyXlt4+3oNBGsCornEsYwmve86irCrHEOP:W45XtjLVt4tJ/pmNHerv

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 7 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 15 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\Everything\Everything.exe
      "C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\Everything\Everything.exe" -install "C:\Program Files\Everything" -install-options " -app-data -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1049 -save-install-options 0"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Program Files\Everything\Everything.exe
        "C:\Program Files\Everything\Everything.exe" -app-data -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1049 -save-install-options 0
        3⤵
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        PID:1428
    • C:\Program Files\Everything\Everything.exe
      "C:\Program Files\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1049
      2⤵
      • Executes dropped EXE
      PID:1160
    • C:\Program Files\Everything\Everything.exe
      "C:\Program Files\Everything\Everything.exe"
      2⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2136
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2764

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Everything\Everything.ini
      Filesize

      215B

      MD5

      2dd1085be0d738b72396100119ef4f4f

      SHA1

      9a2a15f7376bc2f2d3e781cb02d42c192c691925

      SHA256

      4da456f41f0278330f77edadea352c93c812fb526595edbf6396a97b76acf9bd

      SHA512

      21a22c302bbd1d0b0af9aabdcfe4e62d8edc53c54a644c11ef40ba926d84a0092e9b4841938f0496065ec04a1ad540dca31d8fe259d9ca62dabf4197b1fb4c0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\Everything\Changes.txt
      Filesize

      18KB

      MD5

      1ebb92ac516db5077a0c851565b7a2cf

      SHA1

      9adabfbb11b070169429fd43a250285ee8881213

      SHA256

      e64b60048b375f0c7d4c1fb4329957a297f2e60c306ef9c380175ea7a42223d6

      SHA512

      3fba14d13a602937b8600c7d5cc8011f7369857be288510b142573e411b2296cdb3ce58beafdf268d04aa1c5130503a63ba38f87239fc7b0be2e0170bdfc86de

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\Everything\Everything.lng
      Filesize

      912KB

      MD5

      ba118bdf7118802beea188727b155d5f

      SHA1

      20fe923ec91d13f03bdb171df2fe54772f86ebba

      SHA256

      270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471

      SHA512

      01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\Everything\License.txt
      Filesize

      1KB

      MD5

      abbfbbbac230890bf020d1b8e84abc65

      SHA1

      1a74d225069fd609323c886f2d4a8d8d4195193e

      SHA256

      4aa1c7dc0a47a92e7da99235ef88b04039b91b2e8ebf446507a445aa08e4518a

      SHA512

      1fe7a7bedeecfed39ce70d61ef91c58da0404ad04855e9ca3c623689f4f66892efb8d8742e920117093b67f3bbfce84e43b3faa58f5ebf66937ebb9d713f2ce3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\Everything\Uninstall.exe
      Filesize

      136KB

      MD5

      9619f283a8809f06d9f25818df792798

      SHA1

      c959694843937043b09da5189d50553aa6c24a6e

      SHA256

      f5e05a0afc32604d961f2c1b8e500d33018718c3a1d47cbc3f4a98fe0d0e9ca8

      SHA512

      cd84eb50fc8ad582e5b60f1fed3174564ef356673f6dbc71e14a8f07baa7efa28ec434aaa9594460364a15c006fa4c56ce27d58d687dcc765fe07d5caaa3b73e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions.ini
      Filesize

      1KB

      MD5

      8fbc3c8352390f630ec9e28ed5dab230

      SHA1

      528e4140ece34aed86012fd376562c0a8383ff42

      SHA256

      5d7b89ed6d4c19425857fb6f9ed3c779683e799b664cab786285bc2d9681d427

      SHA512

      14f73391f1ae33cc4c7790aae25da929ac437db4550953781a1a8fe89fb896292e056fdab887983c9be08c18fc8c4780c7e95342f57b9cecdad8c5062b5c2866

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions.ini
      Filesize

      1KB

      MD5

      a1d5efb0e239432ccfa940e7bff51e34

      SHA1

      c09af0d1a490915adc75de451c40125e8fd4b7dd

      SHA256

      4a73d02e2b89cc40f6c63ae41f6d82df18b455aab31365182a560fca0d7861f5

      SHA512

      2f733058a567ec73aa0b30d21d3001624f7e784929b6cc4994c2843bcb89e2586686891b1cd815957ec7ab5fdf05613e1c8c114dd003100b2dfef179897d69d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions.ini
      Filesize

      1KB

      MD5

      e2808f4be298a32ae279ee9ebacd0a0c

      SHA1

      b7929c346ba7a7aa690a766e4f70bc1d44f75460

      SHA256

      99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52

      SHA512

      a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions.ini
      Filesize

      1KB

      MD5

      002e3644a173f11a9a89e0aa5e29849d

      SHA1

      d2d0cee8bcddb379f1997492c063518ae7c3406d

      SHA256

      29b9361b36fcf77868cbb609d983f781c0bd2c29aac38de1b7efac642951a8b8

      SHA512

      94638d48540b7ef82dbf9daffde8203a7c44a42c7d9ec0f5875291c1ba6e6df6fa8c759e69730d145ce1a245f64f7118c4f96b0e4e4f7b6ddf7987653f4e06ae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions.ini
      Filesize

      1KB

      MD5

      133992c2b245c9deb42e6288dc9c197d

      SHA1

      927a466c7ee6a878a00970c892958d2e530bb1f4

      SHA256

      bf823d3dae0951fb404375eecea90a66a77c301fb404684c34b9b5e1c018fbe2

      SHA512

      585270cf8a50fd7141f1fab1fa62b3a23294dafc917ec71885812fd5cddd084ac4df6b90f2d93b56430d22c4fc15a0692d30f142ba0965da9798da5dc6ca8476

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions2.ini
      Filesize

      2KB

      MD5

      a6634dd375de49a06ff7c8c65f03bb42

      SHA1

      2834f907bb17d0916cfd1285718695f866e319d6

      SHA256

      caf045fdf50d8706410dabb4b4db6edab64d09a1c4229854666c5fdcbc70f35d

      SHA512

      c2d65ed0b99084753447711ea46e2805017b51917851bc7b53a96e58c49b92acf9f3f32fdb9b68beea400050703785ef49f7d7bf77131cb683663375654b71e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions2.ini
      Filesize

      2KB

      MD5

      8bd0fae8e68300fe6be78ffffd33cefe

      SHA1

      63f305c2b1afecdd573b7190e3122b4196f2e254

      SHA256

      7ded6a703c272daad0bae9a86fbffbf404cd0a8f047f2e68e10d78868916ae30

      SHA512

      0206cdd3264c42c5b86cac23d934276b4cd5b23bc8bb78fb0002d4c4d3357ea9435dfea2946e1152ed2162470c84a1c15fa987305ba10127203fa708b9b92176

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions2.ini
      Filesize

      2KB

      MD5

      d99fb4800c3cfbef03fd40614f8ad8ed

      SHA1

      52b4a19533743347f27bfb387a5b395c428c39d8

      SHA256

      df5aef789e07443a455ecebc19481c5ab2976c90ef3c66fd8f5503d98f8f277d

      SHA512

      b66d2e116b1d0b3bec8fb6833a8d115465a2c70dc8448512eaaea52d9d5381a89607ad88b6ad8795602852ac9f60d0e9ffc50fffebb201995882ba6a7fee5593

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions2.ini
      Filesize

      2KB

      MD5

      02f2df28339d8c43c8c6e95470862e76

      SHA1

      eb6e6f8218201ec55d3a4fa99fc367d038033699

      SHA256

      2d8caf253d89e0acb951a15e9bdc27e1f4752ef489224dbbf6b7b07390f3e5b4

      SHA512

      73b4253295b679d3a8421b37423b34c5985832bca2122ca163fd44a3923494cbdd5c0acb871425279d2fff7e354eac85c28ccd558643349d9620c40afe9cd79b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\ioSpecial.ini
      Filesize

      1KB

      MD5

      0b621c26405c88c92d44d2b5a591ebb1

      SHA1

      46873cc53435ec0f54b507f2da3edd3bd144a817

      SHA256

      1e40d81ea7f38c6ded3c5ee91e1387961d2d2ce968ca0937111f572d34309c19

      SHA512

      bd871a2a5ff5545fc48204b3823ce291e7c44ede4c9ec123fd10ba474f34964e45b1b2916b1a4c16ad3b5f5db8cb915fffc42ed44d27af33bf789631e279b23a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi1518.tmp\ioSpecial.ini
      Filesize

      1KB

      MD5

      7b34a3eeeca6bee911838e434c1a18e9

      SHA1

      0b3ee32a3c25891a4f2e8a804bbfdf9ab1db8449

      SHA256

      9d3e084b088972ff458b2d34f23290f8cbb26d2ea26930bee0d89f85bb263212

      SHA512

      659d380a29d11643fbd5e91cc144464474cbcfc3645d2c161862a9a9aff26240536ce6710cd423227027dd6bb6657e46bb99a07032a7b7b4605f5f33d56fff06

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Everything\Everything.ini
      Filesize

      20KB

      MD5

      f59c16523f4cae5af82c8d334721933d

      SHA1

      153e722987d3c2ab248924ac38dee7e8545b88b0

      SHA256

      48a97940b0f1f730e71c6fbd1b51d840e9032c75020cfa2cf7e6ab2bec9e70fe

      SHA512

      665251300c824d8043a4a6aa3ddd7702764b4b22ae07e83f5e392756ea23d4cdfffe7540b7a05127845fdaa43ef980417df25502f2fc4cce93a83cef7a354be7

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi1518.tmp\Everything\Everything.exe
      Filesize

      2.2MB

      MD5

      0170601e27117e9639851a969240b959

      SHA1

      7a4aee1910b84c6715c465277229740dfc73fa39

      SHA256

      35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

      SHA512

      3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi1518.tmp\InstallOptions.dll
      Filesize

      15KB

      MD5

      ece25721125d55aa26cdfe019c871476

      SHA1

      b87685ae482553823bf95e73e790de48dc0c11ba

      SHA256

      c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

      SHA512

      4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi1518.tmp\LangDLL.dll
      Filesize

      5KB

      MD5

      68b287f4067ba013e34a1339afdb1ea8

      SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

      SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

      SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi1518.tmp\System.dll
      Filesize

      12KB

      MD5

      cff85c549d536f651d4fb8387f1976f2

      SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

      SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

      SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

      Download Submit