Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/03/2024, 21:08 UTC

General

  • Target

    633ae82d3d1ef159d16cc8bb5fcf43b78d540a6911927807377874a5d4fa307d.exe

  • Size

    204KB

  • MD5

    6110a0cbdc987136491a76bc64a5f9eb

  • SHA1

    a344c9a4074593b13df9f897b26404a75058e4af

  • SHA256

    633ae82d3d1ef159d16cc8bb5fcf43b78d540a6911927807377874a5d4fa307d

  • SHA512

    827cb748a078821bbf4bd40bab2a1b7377e0c180e59bc72e69ca068c26c07a88ac581eeb6657b6a9e818308b67fbc1d9e9e2f9dedb1aa41c24a569dfd9f014b7

  • SSDEEP

    3072:dmDW8E0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWwO:kyD4QxL7B9W0c1RCzR/fSmls

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\633ae82d3d1ef159d16cc8bb5fcf43b78d540a6911927807377874a5d4fa307d.exe
    "C:\Users\Admin\AppData\Local\Temp\633ae82d3d1ef159d16cc8bb5fcf43b78d540a6911927807377874a5d4fa307d.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Users\Admin\zuoqo.exe
      "C:\Users\Admin\zuoqo.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2708
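The process tree above gives a host analyst three concrete things to look for on a suspect machine: the dropped copy at C:\Users\<user>\zuoqo.exe (SHA256 in the Downloads section of this report), a Run-key entry that starts it, and a change to Explorer's hidden/system-file visibility. The following PowerShell triage script is an added example, not part of the tria.ge report or the sample. It assumes the "Modifies visibility of hidden/system files in Explorer" signature corresponds to writes to the Hidden and ShowSuperHidden values under Explorer\Advanced (the report does not name the values), and, because the report does not list the Run value name either, it flags any Run value whose data mentions zuoqo.exe. Run it from an elevated prompt so HKEY_USERS hives of other logged-on users are readable.

```powershell
# Added triage script (not from the tria.ge report). Hunts a Windows host for the
# artifacts the report records: dropped zuoqo.exe, Run-key persistence and the
# Explorer hidden/system-file setting. Registry value names for the Explorer
# check are an assumption (see lead-in).

$DroppedName   = 'zuoqo.exe'
$DroppedSha256 = 'ee36455c288d64e1787d91df0424bb403b165f44b0d01e0cd144292110a2ed6d'  # from the report's Downloads section

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Kind, [string]$Where, [string]$Detail)
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Dropped file: the report shows C:\Users\Admin\zuoqo.exe, so check every profile root.
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $candidate = Join-Path $_.FullName $DroppedName
    if (Test-Path -LiteralPath $candidate) {
        $hash  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash.ToLower()
        $match = if ($hash -eq $DroppedSha256) { 'HASH MATCH' } else { 'name match only' }
        Add-Finding 'DroppedFile' $candidate "$match sha256=$hash"
    }
}

# 2. Run-key persistence: HKLM (both registry views) plus every loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$userHives = Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $userHives) {
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath/... metadata
        if ("$($p.Value)" -like "*$DroppedName*") {
            Add-Finding 'RunKey' "$key\$($p.Name)" "$($p.Value)"
        }
    }
}

# 3. Explorer visibility settings per user hive (assumed location). Hidden=2 and
# ShowSuperHidden=0 are also the Windows defaults, so these values are reported for
# correlation with the findings above rather than treated as malicious on their own.
foreach ($hive in $userHives) {
    $adv = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    if (-not (Test-Path -Path $adv)) { continue }
    $v = Get-ItemProperty -Path $adv
    Add-Finding 'ExplorerVisibility' $adv "Hidden=$($v.Hidden) ShowSuperHidden=$($v.ShowSuperHidden)"
}

$findings | Format-Table -AutoSize
```

A hash match on the dropped file is the strongest signal; a Run value pointing at zuoqo.exe without a file on disk still indicates the sample ran and was later cleaned up, and is worth keeping as a finding.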

Network

  • DNS queries (all issued by 633ae82d3d1ef159d16cc8bb5fcf43b78d540a6911927807377874a5d4fa307d.exe to 8.8.8.8:53; no A records are listed in any response)

    Query                  Type   Resolver     Answer
    ns1.spansearcher.net   IN A   8.8.8.8:53   none listed
    ns1.spinsearcher.org   IN A   8.8.8.8:53   none listed
    ns1.player1352.net     IN A   8.8.8.8:53   none listed   (queried 4 times)
    ns1.player1352.org     IN A   8.8.8.8:53   none listed
  • Per-host summary (process for every row: 633ae82d3d1ef159d16cc8bb5fcf43b78d540a6911927807377874a5d4fa307d.exe)

    Remote address   Domain                 Proto   Sent    Received   Requests   Responses
    8.8.8.8:53       ns1.spansearcher.net   dns     66 B    139 B      1          1
    8.8.8.8:53       ns1.spinsearcher.org   dns     66 B    148 B      1          1
    8.8.8.8:53       ns1.player1352.net     dns     256 B   256 B      4          4
    8.8.8.8:53       ns1.player1352.org     dns     64 B    146 B      1          1
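The four domains above are the only network indicators the sandbox recorded, and since none of them returned an address, the query itself is the detectable event, not a subsequent connection. The following hunting query is an added example, not part of the tria.ge report. It assumes Sysmon is deployed with DNS query logging enabled (Event ID 22 in Microsoft-Windows-Sysmon/Operational) and the seven-day lookback is an arbitrary choice.

```powershell
# Added hunting query (not from the tria.ge report). Searches Sysmon DnsQuery
# events (Event ID 22) for the resolver names the sample queried. Assumes Sysmon
# with DNS logging; the lookback window is an arbitrary example value.

$Domains = @(
    'ns1.spansearcher.net',
    'ns1.spinsearcher.org',
    'ns1.player1352.net',
    'ns1.player1352.org'
)
$Lookback = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22
    StartTime = $Lookback
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the EventData fields (QueryName, QueryStatus, QueryResults, Image, ProcessId, ...)
    # out of the event XML into a hashtable keyed by field name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $name = "$($d['QueryName'])".ToLower()
    if ($Domains -contains $name) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $e.MachineName
            QueryName   = $d['QueryName']
            QueryStatus = $d['QueryStatus']
            Results     = $d['QueryResults']
            Image       = $d['Image']
            ProcessId   = $d['ProcessId']
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

Matching on QueryName alone is deliberate: in the sandbox run every lookup came back without an A record, so a rule that keys on QueryResults or on a later TCP connection would miss exactly the behaviour this report shows. The Image column should line up with the parent sample rather than zuoqo.exe, as in the report, but a hit from any process is worth investigating.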

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\zuoqo.exe

    Filesize

    204KB

    MD5

    a73e81345c71a7f79ee66087bf599d2f

    SHA1

    1b4fd7397576b56afabb62c8f0918be37b227fb8

    SHA256

    ee36455c288d64e1787d91df0424bb403b165f44b0d01e0cd144292110a2ed6d

    SHA512

    5494c446ae8a66d302768ebd6f5783dc344518c353d778208b7acec6a41816561860ab6ad949712e0e45da11758adb96b4d9b5e3359db6e06e0fb8670bfc5e9f
