Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

b622013c43...dd.exe

windows7-x64

7

b622013c43...dd.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

1

$PLUGINSDI...ll.dll

windows10-2004-x64

1

$PLUGINSDI...cs.exe

windows7-x64

1

$PLUGINSDI...cs.exe

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

ADManage.dll

windows7-x64

1

ADManage.dll

windows10-2004-x64

8

BugReporter.exe

windows7-x64

1

BugReporter.exe

windows10-2004-x64

1

InstAsm.exe

windows7-x64

1

InstAsm.exe

windows10-2004-x64

1

LiveInstHlp.dll

windows7-x64

3

LiveInstHlp.dll

windows10-2004-x64

3

OcxHelper.exe

windows7-x64

1

OcxHelper.exe

windows10-2004-x64

1

PinItem.vbs

windows7-x64

1

PinItem.vbs

windows10-2004-x64

1

QQLive.exe

windows7-x64

1

QQLive.exe

windows10-2004-x64

1

QQLiveBrowser.exe

windows7-x64

1

QQLiveBrowser.exe

windows10-2004-x64

1

QQLiveExternal.dll

windows7-x64

1

QQLiveExternal.dll

windows10-2004-x64

1

QQLiveService.exe

windows7-x64

1

QQLiveService.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 07:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b622013c43ce8d926d5adad74ba9364c37d31b8343510e36dc5d43962b6e92dd.exe

  • Size

    4.8MB

  • MD5

    a35512a9f32638b946315b98fbb2bae8

  • SHA1

    5e63dcf72a6a6ef62b6cc6a154019b4ce8931724

  • SHA256

    b622013c43ce8d926d5adad74ba9364c37d31b8343510e36dc5d43962b6e92dd

  • SHA512

    a3ebf1626de001c8bedc514ee9278484008ed43329be7087707b8ad525f2019ab4143cc5eaf35ab636cc5a573f26059206a48cd5565220b7a098f803c64b7cd7

  • SSDEEP

    98304:HbGOC/hCLjrg5bDuobo/ozBmz9+77Ez6d/dWH25TR+YEinJ5rJUgZX8Q97:HCO2hCLj4fo/oVk+szaVv+YEqJ5rJD8k

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b622013c43ce8d926d5adad74ba9364c37d31b8343510e36dc5d43962b6e92dd.exe
    "C:\Users\Admin\AppData\Local\Temp\b622013c43ce8d926d5adad74ba9364c37d31b8343510e36dc5d43962b6e92dd.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\nsi7FE.tmp\Statistics.exe
      "C:\Users\Admin\AppData\Local\Temp\nsi7FE.tmp\Statistics.exe" cmd=2567&ctype=1&itype=11&ver=9.16.1659.0&str1=18655BB248C486E85030B75B3FC8DC1D&str2=channel1&vid=&url=b622013c43ce8d926d5adad74ba9364c37d31b8343510e36dc5d43962b6e92dd.exe
      2⤵
      • Executes dropped EXE
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsi7FE.tmp\Statistics.exe
    Filesize

    308KB

    MD5

    6b9d2f2e83954add7ec0afc8cb47e00f

    SHA1

    b78ccebb951984ec748ebbf79cba773f7b961e51

    SHA256

    bfcadb38828816781102a5b5096c9c3c06449e740af994a8c02da18b0c581eeb

    SHA512

    82c95e2e744d6445b060a4be93192bcf42138eae755ee754204300fbbad93632ddc4672ad1fd290eec3a623792280270d07f32704d06040260bc827decab8ea5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsi7FE.tmp\pic\shadow_active.png
    Filesize

    4KB

    MD5

    c3cddafea6c6fa8dd2f23f9a6e18dd98

    SHA1

    d50fca37045eaa24f87fe295b78b3269e12f7f67

    SHA256

    c1be0784d3a780ccaf5ddb89ec657cac39b14b37c617d843f9e666793e4d8b41

    SHA512

    c44c3d45eb6b59bac77e93e73ccf3b69edf1a51c07ad987d2a1ea6f4c0a3d4395325f905a2f4ff5906143be7b94ed8acf2c45afeffb39710f9d35edffdf5e1d8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi7FE.tmp\InstallHelper.dll
    Filesize

    312KB

    MD5

    e13a38e0bf5ec7e8a95b3d2debd170d6

    SHA1

    6ee4305ccd42970acad7f00bb9aafd0b4be246be

    SHA256

    00afe265d9bc6af1eee8853d64234ac8e2aa42ad1169a4e8bd39e9a1b75c1cfa

    SHA512

    bf0a638617a5aaf31cc790adf6c0dad37156d450b92c3a3480bcbb7e682633f7e8de30c4ca5732a6fd023112cdfa106ec920127a50e335473ad4d80a2de8947c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi7FE.tmp\ProcDll.dll
    Filesize

    1.4MB

    MD5

    782946212ed94c1e891f31592c65fffc

    SHA1

    c05d47da2f576da8c9d4b2d08e6eb7eb59567c02

    SHA256

    6320db35a424767ed778e27339d8bbeaea839beeb3612142a281111e431d004f

    SHA512

    b7006fbb4de0a98c616db0c999a0dc8bbc2749bc00fa4aa8b4790fa0c7de405c9efae4adfd887c4001bf14673d4b9b8ae04962ec97bc6c0190c48e89a6746553

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi7FE.tmp\System.dll
    Filesize

    18KB

    MD5

    92fc9e50e8511609257cb59f633f13d6

    SHA1

    f95f0df12deb5dc4b281732d983bb2c103c17b56

    SHA256

    953ba87a30cbe067408e75bba9fe750c0e60270607aba1ec953bd730c337fe3b

    SHA512

    fe4a4d3e6ba6ae0bb2194f7667443dd5be591ef2e9b1f792d80d7ed3ad1685858dbb856548f01d5a73e80cd9cdb144f24f4d517f8f91b2eb376606c325041093

    Download Submit

  • memory/2364-10-0x0000000002760000-0x00000000028CB000-memory.dmp

    Filesize

    1.4MB

    Download