Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
3Consolex.exe
windows7-x64
1Consolex.exe
windows10-2004-x64
1Plugs/TOPI...eU.dll
windows7-x64
1Plugs/TOPI...eU.dll
windows10-2004-x64
1Styles/Office2007.dll
windows7-x64
1Styles/Office2007.dll
windows10-2004-x64
1TbMate.exe
windows7-x64
1TbMate.exe
windows10-2004-x64
1apsystem.dll
windows7-x64
1apsystem.dll
windows10-2004-x64
1fluorinepp.dll
windows7-x64
3fluorinepp.dll
windows10-2004-x64
3gtJpeg.dll
windows7-x64
1gtJpeg.dll
windows10-2004-x64
1help.html
windows7-x64
1help.html
windows10-2004-x64
1msi.dll
windows7-x64
1msi.dll
windows10-2004-x64
1xEngine.exe
windows7-x64
1xEngine.exe
windows10-2004-x64
1xWeb.dll
windows7-x64
1xWeb.dll
windows10-2004-x64
1新云软件.url
windows7-x64
1新云软件.url
windows10-2004-x64
1Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
14/03/2024, 19:40
Static task
static1
Behavioral task
behavioral1
Sample
Consolex.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
Consolex.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Plugs/TOPInterfaceU.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
Plugs/TOPInterfaceU.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Styles/Office2007.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
Styles/Office2007.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
TbMate.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
TbMate.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
apsystem.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral10
Sample
apsystem.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
fluorinepp.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
fluorinepp.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
gtJpeg.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
gtJpeg.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
help.html
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
help.html
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
msi.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
msi.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
xEngine.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
xEngine.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
xWeb.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
xWeb.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
新云软件.url
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
新云软件.url
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
apsystem.dll
-
Size
108KB
-
MD5
da93b1b9f1b7e402ea75a55f45719fcc
-
SHA1
f628f88c88d739ff0512a2b6658898826ffaa950
-
SHA256
5bd77f47aecb96d1bbcd98cb3678289001d2b5eb503af9a732c6911716160452
-
SHA512
3cf0e82a97abd54341dddffa9f73f18a2cf89a83712eabed67f46723420e034607ea722bd0c35c9d7e2ab30d6940ad0e7f267d0d593fe0f0ec0ab4f212f1ad06
-
SSDEEP
1536:1FJ+DG+pqNIJF70ZAjR33i5pblxtCoeBBRKedzc:eoWD0ZOSp5xtCoeBjKczc
Malware Config
Signatures
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.OSVersionInfo.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.OSVersionInfo.1\CLSID\ = "{BFB4F6BF-166E-4946-B397-2C16CFB6F71A}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB4F6BF-166E-4946-B397-2C16CFB6F71A}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26338E77-36A6-46FF-91CA-79E91079A81C}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF434E40-5ED4-4E0F-9E98-93D7E3A41289}\ = "SystemInfo Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF434E40-5ED4-4E0F-9E98-93D7E3A41289}\AppID = "{23FEFF2F-3507-4209-B5B6-3F55908C1F07}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2C83BEF-A58B-4777-BB95-F053F30BB461}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2C83BEF-A58B-4777-BB95-F053F30BB461}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\NumMethods\ = "8" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2C83BEF-A58B-4777-BB95-F053F30BB461}\NumMethods\ = "11" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.SystemInfo\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.SystemInfo\CurVer\ = "apsystem.SystemInfo.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\ = "ISystemInfo" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2C83BEF-A58B-4777-BB95-F053F30BB461}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95E0EEF0-53BA-4142-B24A-B1DC0BB3CB88}\NumMethods\ = "17" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.SystemInfo regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95E0EEF0-53BA-4142-B24A-B1DC0BB3CB88}\TypeLib\ = "{946290E2-B2A0-4D03-8AD7-169C2E34AAA5}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26338E77-36A6-46FF-91CA-79E91079A81C}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{946290E2-B2A0-4D03-8AD7-169C2E34AAA5}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{946290E2-B2A0-4D03-8AD7-169C2E34AAA5}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95E0EEF0-53BA-4142-B24A-B1DC0BB3CB88}\ProxyStubClsid32\ = "{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.OSVersionInfo\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB4F6BF-166E-4946-B397-2C16CFB6F71A} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26338E77-36A6-46FF-91CA-79E91079A81C}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{946290E2-B2A0-4D03-8AD7-169C2E34AAA5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{946290E2-B2A0-4D03-8AD7-169C2E34AAA5}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\ = "ISystemInfo" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2C83BEF-A58B-4777-BB95-F053F30BB461} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.OSVersionInfo\CurVer\ = "apsystem.OSVersionInfo.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB4F6BF-166E-4946-B397-2C16CFB6F71A}\VersionIndependentProgID\ = "apsystem.OSVersionInfo" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB4F6BF-166E-4946-B397-2C16CFB6F71A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apsystem.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.Shell.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF434E40-5ED4-4E0F-9E98-93D7E3A41289}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apsystem.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.OSVersionInfo.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.Shell\CurVer\ = "apsystem.Shell.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.SystemInfo.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF434E40-5ED4-4E0F-9E98-93D7E3A41289}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EFB7ECF-642B-41D4-A359-ECE19BA169F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95E0EEF0-53BA-4142-B24A-B1DC0BB3CB88}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2C83BEF-A58B-4777-BB95-F053F30BB461} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.OSVersionInfo\ = "OSVersionInfo Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26338E77-36A6-46FF-91CA-79E91079A81C}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF434E40-5ED4-4E0F-9E98-93D7E3A41289}\TypeLib\ = "{946290E2-B2A0-4D03-8AD7-169C2E34AAA5}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95E0EEF0-53BA-4142-B24A-B1DC0BB3CB88} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB4F6BF-166E-4946-B397-2C16CFB6F71A}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB4F6BF-166E-4946-B397-2C16CFB6F71A}\ProgID\ = "apsystem.OSVersionInfo.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\apsystem.Shell\ = "Shell Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF434E40-5ED4-4E0F-9E98-93D7E3A41289}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26338E77-36A6-46FF-91CA-79E91079A81C}\AppID = "{23FEFF2F-3507-4209-B5B6-3F55908C1F07}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95E0EEF0-53BA-4142-B24A-B1DC0BB3CB88}\TypeLib\ = "{946290E2-B2A0-4D03-8AD7-169C2E34AAA5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2C83BEF-A58B-4777-BB95-F053F30BB461}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95E0EEF0-53BA-4142-B24A-B1DC0BB3CB88}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{23FEFF2F-3507-4209-B5B6-3F55908C1F07} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB4F6BF-166E-4946-B397-2C16CFB6F71A}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF434E40-5ED4-4E0F-9E98-93D7E3A41289}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95E0EEF0-53BA-4142-B24A-B1DC0BB3CB88}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2C83BEF-A58B-4777-BB95-F053F30BB461}\ = "IShell" regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2204 wrote to memory of 1800 2204 regsvr32.exe 28 PID 2204 wrote to memory of 1800 2204 regsvr32.exe 28 PID 2204 wrote to memory of 1800 2204 regsvr32.exe 28 PID 2204 wrote to memory of 1800 2204 regsvr32.exe 28 PID 2204 wrote to memory of 1800 2204 regsvr32.exe 28 PID 2204 wrote to memory of 1800 2204 regsvr32.exe 28 PID 2204 wrote to memory of 1800 2204 regsvr32.exe 28