Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
7PowerISO-7....5.exe
windows7-x64
7PowerISO-7....5.exe
windows10-2004-x64
7$PLUGINSDIR/Aero.dll
windows7-x64
7$PLUGINSDIR/Aero.dll
windows10-2004-x64
7$PLUGINSDI...RL.dll
windows7-x64
3$PLUGINSDI...RL.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$TEMP/Powe...eg.exe
windows7-x64
7$TEMP/Powe...eg.exe
windows10-2004-x64
7$PLUGINSDIR/Math.dll
windows7-x64
3$PLUGINSDIR/Math.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...gp.dll
windows7-x64
3$PLUGINSDI...gp.dll
windows10-2004-x64
3$R0.exe
windows7-x64
1$R0.exe
windows10-2004-x64
1devcon.exe
windows7-x64
1devcon.exe
windows10-2004-x64
1piso.exe
windows7-x64
1piso.exe
windows10-2004-x64
1setup64.exe
windows7-x64
1setup64.exe
windows10-2004-x64
1$TEMP/temp/packeg.exe
windows7-x64
1$TEMP/temp/packeg.exe
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24/05/2024, 20:31
Behavioral task
behavioral1
Sample
PowerISO-7.5/PowerISO-7.5.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
PowerISO-7.5/PowerISO-7.5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Aero.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Aero.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/BrandingURL.dll
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/BrandingURL.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
$TEMP/PowerISO/packeg.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$TEMP/PowerISO/packeg.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/Math.dll
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/Math.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240419-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/qzoxzhphgp.dll
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/qzoxzhphgp.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
$R0.exe
Resource
win7-20231129-en
Behavioral task
behavioral24
Sample
$R0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
devcon.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
devcon.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral27
Sample
piso.exe
Resource
win7-20240215-en
Behavioral task
behavioral28
Sample
piso.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral29
Sample
setup64.exe
Resource
win7-20240220-en
Behavioral task
behavioral30
Sample
setup64.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral31
Sample
$TEMP/temp/packeg.exe
Resource
win7-20240508-en
Behavioral task
behavioral32
Sample
$TEMP/temp/packeg.exe
Resource
win10v2004-20240508-en
General
-
Target
$TEMP/PowerISO/packeg.exe
-
Size
5.0MB
-
MD5
725c335d5fd5305e5b5db2c84cf90abd
-
SHA1
36daa31b318051f5cf8b9038e46e977cd18af57e
-
SHA256
5e9274f4940ab3a90f48715c82149ab209ed4b585347c9a91fbe23534834e268
-
SHA512
f4962fcd3481380fca17f0cc7483f7dabc5c06488bd30acc836c8312e30c1a5195ddd98c00a5a132affc20d17575ec43b83e802f80d025b3891f67e5eb82ea53
-
SSDEEP
98304:gEjZ7eMAM5Aw3ZQtpy6GV5T6nn3F6xnCXWM1VCRTovs1xiKpp0qfcu8:LkVAAFsV5T63FC6VUovw1pCqfcf
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\0E579412.log packeg.exe -
Loads dropped DLL 4 IoCs
pid Process 2492 packeg.exe 2492 packeg.exe 2492 packeg.exe 2492 packeg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 packeg.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 packeg.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS packeg.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2492 packeg.exe 2492 packeg.exe 2492 packeg.exe 2492 packeg.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 2492 packeg.exe Token: SeCreatePagefilePrivilege 2492 packeg.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2492 packeg.exe 2492 packeg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\PowerISO\packeg.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\PowerISO\packeg.exe"1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2492
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
156B
MD51ea9e5b417811379e874ad4870d5c51a
SHA1a4bd01f828454f3619a815dbe5423b181ec4051c
SHA256f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
SHA512965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa
-
Filesize
6KB
MD59b27e2a266fe15a3aabfe635c29e8923
SHA1403afe68c7ee99698c0e8873ce1cd424b503c4c8
SHA256166aa42bc5216c5791388847ae114ec0671a0d97b9952d14f29419b8be3fb23f
SHA5124b07c11db91ce5750d81959c7b2c278ed41bb64c1d1aa29da87344c5177b8eb82d7d710b426f401b069fd05062395655d985ca031489544cdf9b72fe533afa61
-
Filesize
10KB
MD557ca1a2085d82f0574e3ef740b9a5ead
SHA12974f4bf37231205a256f2648189a461e74869c0
SHA256476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e
SHA5122d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c
-
Filesize
144KB
MD5889e8fe8a034acb4d4a33349e34907a9
SHA1e439458df040ec14002c67f0a863bb714a6241aa
SHA256d9b253e80eca58d3e2c5882359b5aa3257bd0b4bec5d02a7874004466ef77c57
SHA512a604e3f8c385af9b2f29e82fa411b220a71bc234521d1194de1a2a09cca567f31c33c887a1f69ffb33fb2db91519a99e84ef064d507af16646db6919dd712d94
-
Filesize
11KB
MD5bf712f32249029466fa86756f5546950
SHA175ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA2567851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA51213f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
Filesize
1002KB
MD54bb0f84995346c5f73a3dfbd8d8cf26b
SHA117c011f920bd74c37c86488832fd95270429478b
SHA2565f9e2a5ef08cd02bcac2d2045f7b149b11f4daed2a253bbcc38cdfe8b1850600
SHA512bf9e042405df6af8eb54c78ee8fd0ac00b997171bf0a88ffb36588d2f9247667b9c03a73fc97b7e58e3ed8cf5c37e0fbe4f2033c1ebe78b91121c92adecf1369