Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

4kvideodow...ne.exe

windows7-x64

6

4kvideodow...ne.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    210s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02/05/2024, 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4kvideodownloaderplus_1.4.3_x64_online.exe

  • Size

    912KB

  • MD5

    7d976b0df489feb93c55810c5912c266

  • SHA1

    8a0be0a217324ff559ec3c46a400af401f91dccf

  • SHA256

    bc4e220b7539888116beeb5b74bb51cff311d7e1eb859f92ca7f778d605031a1

  • SHA512

    859167c3c78812b3cf97629fdf34a2774ff5412baaa0f118898e5cfc9657fdbd510442d92898d9022dc5d6ae073bb488363d88187c772a56e9756e238b669213

  • SSDEEP

    24576:uNsfiTdYSuVzZH9tH1v1J3W3ZtxEVFxu5Bi5:eT2pZ1J3WpHEV4M

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 16 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 36 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\4kvideodownloaderplus_1.4.3_x64_online.exe
    "C:\Users\Admin\AppData\Local\Temp\4kvideodownloaderplus_1.4.3_x64_online.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\Temp\{D116567B-FDCA-4CC7-8879-34A3A102BC46}\.cr\4kvideodownloaderplus_1.4.3_x64_online.exe
      "C:\Windows\Temp\{D116567B-FDCA-4CC7-8879-34A3A102BC46}\.cr\4kvideodownloaderplus_1.4.3_x64_online.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\4kvideodownloaderplus_1.4.3_x64_online.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\Temp\{77D6DB75-5133-4925-BFAB-9231828EC3C5}\.be\4kvideodownloaderplus_1.4.3_x64_online.exe
        "C:\Windows\Temp\{77D6DB75-5133-4925-BFAB-9231828EC3C5}\.be\4kvideodownloaderplus_1.4.3_x64_online.exe" -q -burn.elevated BurnPipe.{3A7519DA-0572-4CF2-BA3F-D584C383CBFF} {A504C407-CF0A-46D4-95FD-421BE43E8B90} 2200
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2940
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "0000000000000334"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1496
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5A48599B6C405179124F320DD337DA0
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:888
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C7CF63D5CFEDADA8FCE9DBFC84B55152 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f7755a3.rbs
    Filesize

    124KB

    MD5

    f6eb0b3a7ea70be1d10647f5e50a98d6

    SHA1

    0254bb9c47fc0d9bab135b00fd32d1a3bb31bdf9

    SHA256

    4b2bd4fdfffb1be016ee229c69c0d01b5c89804234ebb82ffd1146923e4443e2

    SHA512

    4971b7bcc50d74b12e502f8222bb796bd8998f9d0aaf25c1d8de756c6bc808efdcefe4a93c99872cce476dfe50a16cddd003c1c52d27482440602ad3a619d830

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0a4cb840474a09394121173cfe093c57

    SHA1

    280f16d176d891bc6cf263543627a9757626a05e

    SHA256

    bda841472848c14315d81138327a9f06016c7be562b91628615251bc2bb60acf

    SHA512

    965cd6101099cd6305b59559c0342371a8e7525360bad8d9cad65183bdc5741babbc953737cede97454b72f7790316588cd7ff160dadf44899431d5d3bafc269

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4K_Video_Downloader+_20240502174845_001_application_msi.log
    Filesize

    2KB

    MD5

    c6614f9a0e91160440439cdf5812296e

    SHA1

    1237e65f787a636914f32cd48de9a6809c23e847

    SHA256

    5418d4f99f8101bbcac465fd558baedcde70753a351d4be359e9694949a44c0c

    SHA512

    9f46cd6033f44e9fb2fd54ad8606dd6027f0a80993348d353c22e15da3cc8f81f204065b849c1e090cd5683227350e361c1664def5c1ada3efa49dd634ca1d8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab5A60.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar5D34.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • C:\Windows\Installer\MSI72A6.tmp
    Filesize

    211KB

    MD5

    a3ae5d86ecf38db9427359ea37a5f646

    SHA1

    eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

    SHA256

    c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

    SHA512

    96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

    Download Submit

  • C:\Windows\Temp\{77D6DB75-5133-4925-BFAB-9231828EC3C5}\.ba\logo.png
    Filesize

    4KB

    MD5

    20986fecad1c10339e192993e72bbc4e

    SHA1

    ca627fc0a6e96c2021da63e71d5d05d45b9894b9

    SHA256

    2fab77079c0e9e6bae57c3f783936243a6f43550d08cab690c09b4409d4ea669

    SHA512

    4cbe6c6cfef20a770e6cb9303ceddf1f0b53a5c1a8a26a9c769fe72735a36a9646f6937c6f8af26d42b0bf9860638af80cb201e6551d41fd2c813bbda39d5990

    Download Submit

  • \Windows\Temp\{77D6DB75-5133-4925-BFAB-9231828EC3C5}\.ba\wixstdba.dll
    Filesize

    184KB

    MD5

    fe7e0bd53f52e6630473c31299a49fdd

    SHA1

    f706f45768bfb95f4c96dfa0be36df57aa863898

    SHA256

    2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

    SHA512

    feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

    Download Submit

  • \Windows\Temp\{D116567B-FDCA-4CC7-8879-34A3A102BC46}\.cr\4kvideodownloaderplus_1.4.3_x64_online.exe
    Filesize

    912KB

    MD5

    7d976b0df489feb93c55810c5912c266

    SHA1

    8a0be0a217324ff559ec3c46a400af401f91dccf

    SHA256

    bc4e220b7539888116beeb5b74bb51cff311d7e1eb859f92ca7f778d605031a1

    SHA512

    859167c3c78812b3cf97629fdf34a2774ff5412baaa0f118898e5cfc9657fdbd510442d92898d9022dc5d6ae073bb488363d88187c772a56e9756e238b669213

    Download Submit