Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

5

Static

static

3

Plex-1.88....64.exe

windows7-x64

3

Plex-1.88....64.exe

windows10-2004-x64

5

web-client...A.json

windows7-x64

3

web-client...A.json

windows10-2004-x64

3

web-client...r.json

windows7-x64

3

web-client...r.json

windows10-2004-x64

3

web-client...e.json

windows7-x64

3

web-client...e.json

windows10-2004-x64

3

web-client...r.json

windows7-x64

3

web-client...r.json

windows10-2004-x64

3

web-client...u.json

windows7-x64

3

web-client...u.json

windows10-2004-x64

3

web-client...s.json

windows7-x64

3

web-client...s.json

windows10-2004-x64

3

web-client...t.json

windows7-x64

3

web-client...t.json

windows10-2004-x64

3

web-client...a.json

windows7-x64

3

web-client...a.json

windows10-2004-x64

3

web-client...o.json

windows7-x64

3

web-client...o.json

windows10-2004-x64

3

web-client...t.json

windows7-x64

3

web-client...t.json

windows10-2004-x64

3

web-client...y.json

windows7-x64

3

web-client...y.json

windows10-2004-x64

3

web-client...l.json

windows7-x64

3

web-client...l.json

windows10-2004-x64

3

web-client...o.json

windows7-x64

3

web-client...o.json

windows10-2004-x64

3

web-client...l.json

windows7-x64

3

web-client...l.json

windows10-2004-x64

3

web-client...R.json

windows7-x64

3

web-client...R.json

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2024, 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Plex-1.88.1.96-c1c59fc1-x86_64.exe

  • Size

    177.5MB

  • MD5

    8d9e10e53dd1f3debca287124be7c262

  • SHA1

    840b298d54219611efd41177389526c115c909c9

  • SHA256

    0f697e9cca3455c8e54b7b049b4e9632115634615f38e43ddbeb781d978354db

  • SHA512

    6e69d4d105236d711b7a6d03c80b68b3bcad7aa2082ef85c30b9e5beb9917d8eeb94841a12cf1178637ce6d00a1fe8f46d34fc21f283a1ccabcd280f1206dda2

  • SSDEEP

    3145728:7UVuPbCpw3jGP1ppoA4VgL5yHv4v/KXqD/z4GEsskH3zL7B+Si9Ara5:gAPFjm1sJW4Hvy/US89yU

Score
5/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 39 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Plex-1.88.1.96-c1c59fc1-x86_64.exe
    "C:\Users\Admin\AppData\Local\Temp\Plex-1.88.1.96-c1c59fc1-x86_64.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Program Files\Plex\Plex\vc_redist.x64.exe
      "C:\Program Files\Plex\Plex\vc_redist.x64.exe" /install /quiet /norestart
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3864
      • C:\Windows\Temp\{EABFFCE6-402F-4EE9-8E90-5163235D300E}\.cr\vc_redist.x64.exe
        "C:\Windows\Temp\{EABFFCE6-402F-4EE9-8E90-5163235D300E}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Plex\Plex\vc_redist.x64.exe" -burn.filehandle.attached=548 -burn.filehandle.self=516 /install /quiet /norestart
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:5012
    • C:\Program Files\Plex\Plex\windowsappruntimeinstall-1.2P1-x64.exe
      "C:\Program Files\Plex\Plex\windowsappruntimeinstall-1.2P1-x64.exe" -q
      2⤵
      • Executes dropped EXE
      PID:3184
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
    1⤵
      PID:3668
    • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
      "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3184
    • C:\Windows\system32\wwahost.exe
      "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Plex\Plex\resources\locale\es\LC_MESSAGES\plex.mo
      Filesize

      101KB

      MD5

      4664d116b1c2414820baf790cb14614b

      SHA1

      8ecac6fca03ad13dc0aed994d1cb992a33e016ac

      SHA256

      de1ccc753afff17488eb9652d4189046c10a7d2a3f3a0671d444abbc3e5b10fa

      SHA512

      c11ce3cecc737d64c02141c4d2645e5aa0501f6d6cd35fed2f1a2338d966f2558986519cd4e468726e8bd51caa00d31e0ce5d681d01c26f932e99186f37a0248

      Download Submit

    • C:\Program Files\Plex\Plex\vc_redist.x64.exe
      Filesize

      17.4MB

      MD5

      b89586e2eef641b71b8a978c4076158e

      SHA1

      297b0da7737acce8eab255fd659f020d547881f9

      SHA256

      f108f513b7f6034c863dd680f3d348903b39eb64d0799bf8a58610f7ceea84a0

      SHA512

      b418f528524a37838af071a97253f227617f9fb62a20e8d1fcc6cfbedebf70e00fe34bb8474ac36113db8b2919477cc19820e5abcc6f2ee048805040be2fec7e

      Download Submit

    • C:\Program Files\Plex\Plex\vc_redist.x64.exe
      Filesize

      17.7MB

      MD5

      7d4c8d26bd3c401957f5938710ce78e2

      SHA1

      843c8bcccc1a2df5d36caa23bf135d10dabf0caf

      SHA256

      2b204701383ce377bfd8626c83d6517bad5219a0e455171ab1978aa0b74cee72

      SHA512

      264587c274fb3887629d6c10ac326c6bc1b03890ed2b44b2ad3f806ce86ba57a9e9e2d788b47a78c127fbba5af348ddf2aa83edac6a659b652bf0f5a7e3cdcb8

      Download Submit

    • C:\Program Files\Plex\Plex\windowsappruntimeinstall-1.2P1-x64.exe
      Filesize

      4.3MB

      MD5

      9f40487411538e8b120b8f674e08548c

      SHA1

      440e2c075ba40eb579bcde25edf14a4cfb0bdf88

      SHA256

      d7205ab0ba2ba2315cef12ab1c05d2b87273c99d9742c5f4547d8bf29f36aeb8

      SHA512

      5601cb3c72cbe0741d7a81dd2d2673b3f11651a881176757ff9166f7ecca31be82a65541fcadc4a9ff4de8983606635e2dd8dde03fd6b9bcdad3d9a45a13300a

      Download Submit

    • C:\Program Files\Plex\Plex\windowsappruntimeinstall-1.2P1-x64.exe
      Filesize

      16.4MB

      MD5

      6d4b0e84fed8260eb84fbfd275715e26

      SHA1

      246c0d83a5920148aed0caf2e514b236d800d874

      SHA256

      336c387ed85b19bfa92b11c397e01c207e43c723b0a3cfc0a0cb3a3fc7c70f37

      SHA512

      269fd8c081aefa99830ffae32319d22c6f0b8e6f21603ca3a2545c0277839212b4a175f22a831f206625bb0c8f513b2d266577d6f27bfc8dc3a576b1f540ca50

      Download Submit

    • C:\Program Files\Plex\Plex\windowsappruntimeinstall-1.2P1-x64.exe
      Filesize

      12.8MB

      MD5

      291c9add477e9a838ae6255fa109069c

      SHA1

      b2c8a344252543a558c924975223d7817d5b74de

      SHA256

      1c97da9339e4aea5c8e09c66319fa54ecadba035ef774bea5d6bc393da57a70e

      SHA512

      2178bae2d8a088bcfc21665b0dcab1167e7250d82f79b65abfee7a39b95303de5c080d5ac79a6c1caf4ba6a1b6c127911a5db4187af0c856aa4d2b14128bbedb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi739B.tmp\InstallOptions.dll
      Filesize

      14KB

      MD5

      8d5a5529462a9ba1ac068ee0502578c7

      SHA1

      875e651e302ce0bfc8893f341cf19171fee25ea5

      SHA256

      e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

      SHA512

      101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi739B.tmp\StartMenu.dll
      Filesize

      7KB

      MD5

      c275bc6ee70d85aebc2328c06515a2a2

      SHA1

      0f12e4736eff8f1a1a4c467e2f52eba2dac4e7e6

      SHA256

      30336c7b09582de438d6c3f561f55366dd7094faf24f34e12df44acf19be9242

      SHA512

      aeff89ebf093555aeaaa15f86e519523266b08e814578540430b3f2b67c6ad92a8e0072716f8ab80e6afc9a160a7bbaab0800b372107613d78793a9fd0fb9240

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi739B.tmp\UAC.dll
      Filesize

      14KB

      MD5

      4814167aa1c7ec892e84907094646faa

      SHA1

      a57a5ecbdfa9a8777a3c587f1acb02b783afc5ee

      SHA256

      32dd7269abf5a0e5db888e307d9df313e87cef4f1b597965a9d8e00934658822

      SHA512

      fb1f35e393997ecd2301f371892b59574ee6b666095c3a435336160481f6ef7ed5635c90ce5d2cf88e5ef4a5affb46cb841b7d17e7981bd6e998531193f5d067

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi739B.tmp\UserInfo.dll
      Filesize

      4KB

      MD5

      dada3e1836af78d5b24499da252d01e4

      SHA1

      d2a1c25405e3c74973cf18dec2c7138df9e96a83

      SHA256

      0073337816509851476c2cc154f471a3e3a1a2806b97c363870acc09a30a5ed7

      SHA512

      f8bda8413dadb00a644341da5e076f203a3134daaefd2961fa0341f5a533eee28582ce9872354ead698bb1275ee7726fa574267e909a3e2f977908392e7a5c66

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi739B.tmp\ioSpecial.ini
      Filesize

      613B

      MD5

      086d635d9ad537bac1d493806b1dfeb3

      SHA1

      ef749840939aba59471e5d38583958ef30cb2a6d

      SHA256

      0013140db1f4cbe91450e6390d3299946dbd1e70db2c1fcd18432b3cb7361d55

      SHA512

      ba6d8ff470cccc92eea031e5d2f9d9ae55694c357fb186e58245c9c7a5434d4542c0e5e971b32e411724c485e6aaf9fdae907ac82c21dde659d43dad5b5c3c9c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsi739B.tmp\ioSpecial.ini
      Filesize

      659B

      MD5

      9dbff04281b8c461e2706e541ef5040b

      SHA1

      fdb8662406e56b96ab6933d25e67af8a0659160b

      SHA256

      2ed498072fef83fb01dfb3088880aaa5183e3ed1a61e725a6a842c68e7031053

      SHA512

      22505b427fe79258336346301e066076beddc3ba3bc193a671e8a1b7da5eeecd9f9301e5ce570c8b4d77dcf7c056c663beca568b2ef6f87613dffd34befb660d

      Download Submit

    • C:\Windows\Temp\{3709C088-6E86-4CD4-AD27-3A68F51E3A19}\.ba\logo.png
      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

      Download Submit

    • C:\Windows\Temp\{3709C088-6E86-4CD4-AD27-3A68F51E3A19}\.ba\wixstdba.dll
      Filesize

      191KB

      MD5

      eab9caf4277829abdf6223ec1efa0edd

      SHA1

      74862ecf349a9bedd32699f2a7a4e00b4727543d

      SHA256

      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

      SHA512

      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

      Download Submit

    • C:\Windows\Temp\{EABFFCE6-402F-4EE9-8E90-5163235D300E}\.cr\vc_redist.x64.exe
      Filesize

      634KB

      MD5

      cb264f7d256b42a54b2129b7a02c1ce3

      SHA1

      d71459e24185f70b0c8647758663b1116a898412

      SHA256

      d6aaee30c9b7edeac6939f78f4a55683c6358d9cc03dac487880d01f18700e83

      SHA512

      4f623f5d21bc216f3dd040e6d0c663a8ea37efe5d0ce5f4aeb1ef5c1f7c873e19d1abc979d3e40d4dc70e2e4f0fc9a1b114b17d9eb852ea9a41d0f84356cd7cb

      Download Submit

    • memory/3184-1199-0x000002269A530000-0x000002269A53E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3184-1200-0x000002269A9F0000-0x000002269A9FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3184-1201-0x00000226B4A80000-0x00000226B4A88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3184-1202-0x00007FFDE5080000-0x00007FFDE5B41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3184-1203-0x00000226B6000000-0x00000226B6249000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/3184-1271-0x00007FFDE5080000-0x00007FFDE5B41000-memory.dmp

      Filesize

      10.8MB

      Download