Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/05/2024, 00:54 UTC

General

  • Target

    小刘CF最新自蔚刷枪软件.exe

  • Size

    1004KB

  • MD5

    4b5b0c130a18ed2de236d5bf28f54a35

  • SHA1

    b4df6a5eef56d5e1b46e60af1b4367b0e258589d

  • SHA256

    6d7278ca62699a346eb51a7673e9caa258cd52f8c6505b1c6af7cee6f4fe47a7

  • SHA512

    9e9a7540db6c17d92f2dd200b1dc99d4e636d13e9a7c54fb0895ebd25dfd53f77fb2d2f5d74be9199fe1599cb18e2af3aa5610818d4c959510d2203a1ee8c0b0

  • SSDEEP

    12288:Tra/Egk3mJKigWuk1N32CEWl2R5nWFpPoShkynMTjXI62:T/gemcigWu2NGCEWltbXkzzI62

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\小刘CF最新自蔚刷枪软件.exe
    "C:\Users\Admin\AppData\Local\Temp\小刘CF最新自蔚刷枪软件.exe"
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    PID:836

Network

  • DNS
    iframe.ip138.com
    小刘CF最新自蔚刷枪软件.exe
    Remote address: 8.8.8.8:53
    Request: iframe.ip138.com IN A
    Response:
    iframe.ip138.com IN CNAME waf.ip138.com
    waf.ip138.com IN A 59.57.13.133
    waf.ip138.com IN A 59.57.13.182
    waf.ip138.com IN A 59.57.14.11
    waf.ip138.com IN A 110.81.155.137
    waf.ip138.com IN A 110.81.155.138
  • 59.57.13.133:80
    iframe.ip138.com
    小刘CF最新自蔚刷枪软件.exe
    152 B
    3
  • 59.57.13.182:80
    iframe.ip138.com
    小刘CF最新自蔚刷枪软件.exe
    152 B
    3
  • 59.57.14.11:80
    iframe.ip138.com
    小刘CF最新自蔚刷枪软件.exe
    152 B
    3
  • 8.8.8.8:53
    iframe.ip138.com
    dns
    小刘CF最新自蔚刷枪软件.exe
    62 B
    160 B
    1
    1

    DNS Request

    iframe.ip138.com

    DNS Response

    59.57.13.133
    59.57.13.182
    59.57.14.11
    110.81.155.137
    110.81.155.138

Downloads

  • \Users\Admin\AppData\Local\Temp\ESPI11.dll

    Filesize

    120KB

    MD5

    b4c2caaa15d4e505ad2858ab15eafb58

    SHA1

    a1c30a4d016f1c6bd3bf50e36767af8af166d59b

    SHA256

    93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

    SHA512

    09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

  • \Users\Admin\AppData\Local\Temp\jedata.dll

    Filesize

    86KB

    MD5

    114054313070472cd1a6d7d28f7c5002

    SHA1

    9a044986e6101df1a126035da7326a50c3fe9a23

    SHA256

    e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

    SHA512

    a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

  • memory/836-6-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/836-10-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/836-9-0x0000000010009000-0x000000001000A000-memory.dmp

    Filesize

    4KB

  • memory/836-14-0x00000000023F0000-0x0000000002411000-memory.dmp

    Filesize

    132KB
