Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
7MegaHackIn...r8.zip
windows7-x64
1MegaHackIn...r8.zip
windows10-2004-x64
1MegaHackIn...LA.txt
windows7-x64
1MegaHackIn...LA.txt
windows10-2004-x64
1MegaHackIn...LP.txt
windows7-x64
1MegaHackIn...LP.txt
windows10-2004-x64
1MegaHackIn...64.txt
windows7-x64
1MegaHackIn...64.txt
windows10-2004-x64
1MegaHackIn...rs.txt
windows7-x64
1MegaHackIn...rs.txt
windows10-2004-x64
1MegaHackIn...sh.txt
windows7-x64
1MegaHackIn...sh.txt
windows10-2004-x64
1MegaHackIn....h.txt
windows7-x64
1MegaHackIn....h.txt
windows10-2004-x64
1MegaHackIn...ew.txt
windows7-x64
1MegaHackIn...ew.txt
windows10-2004-x64
1MegaHackIn...on.txt
windows7-x64
1MegaHackIn...on.txt
windows10-2004-x64
1MegaHackIn...ok.txt
windows7-x64
1MegaHackIn...ok.txt
windows10-2004-x64
1MegaHackIn...sl.txt
windows7-x64
1MegaHackIn...sl.txt
windows10-2004-x64
1MegaHackIn...qt.txt
windows7-x64
1MegaHackIn...qt.txt
windows10-2004-x64
1MegaHackIn...ty.txt
windows7-x64
1MegaHackIn...ty.txt
windows10-2004-x64
1MegaHackIn..._ar.qm
windows7-x64
3MegaHackIn..._ar.qm
windows10-2004-x64
3MegaHackIn..._bg.qm
windows7-x64
3MegaHackIn..._bg.qm
windows10-2004-x64
3MegaHackIn..._ca.qm
windows7-x64
3MegaHackIn..._ca.qm
windows10-2004-x64
3Resubmissions
20/06/2024, 03:53
240620-efl89a1hmp 7Analysis
-
max time kernel
123s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
20/06/2024, 03:53
Behavioral task
behavioral1
Sample
MegaHackInstaller8.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
MegaHackInstaller8.zip
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
MegaHackInstaller/______EULA.txt
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
MegaHackInstaller/______EULA.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
MegaHackInstaller/______INSTALL HELP.txt
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
MegaHackInstaller/______INSTALL HELP.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
MegaHackInstaller/licenses/base64.txt
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
MegaHackInstaller/licenses/base64.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
MegaHackInstaller/licenses/detours.txt
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
MegaHackInstaller/licenses/detours.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
MegaHackInstaller/licenses/fontstash.txt
Resource
win7-20240611-en
Behavioral task
behavioral12
Sample
MegaHackInstaller/licenses/fontstash.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
MegaHackInstaller/licenses/gd.h.txt
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
MegaHackInstaller/licenses/gd.h.txt
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
MegaHackInstaller/licenses/glew.txt
Resource
win7-20240220-en
Behavioral task
behavioral16
Sample
MegaHackInstaller/licenses/glew.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
MegaHackInstaller/licenses/json.txt
Resource
win7-20240419-en
Behavioral task
behavioral18
Sample
MegaHackInstaller/licenses/json.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
MegaHackInstaller/licenses/minhook.txt
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
MegaHackInstaller/licenses/minhook.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral21
Sample
MegaHackInstaller/licenses/openssl.txt
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
MegaHackInstaller/licenses/openssl.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral23
Sample
MegaHackInstaller/licenses/qt.txt
Resource
win7-20231129-en
Behavioral task
behavioral24
Sample
MegaHackInstaller/licenses/qt.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
MegaHackInstaller/licenses/qt_3rd_party.txt
Resource
win7-20240611-en
Behavioral task
behavioral26
Sample
MegaHackInstaller/licenses/qt_3rd_party.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
MegaHackInstaller/translations/qt_ar.qm
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
MegaHackInstaller/translations/qt_ar.qm
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
MegaHackInstaller/translations/qt_bg.qm
Resource
win7-20240508-en
Behavioral task
behavioral30
Sample
MegaHackInstaller/translations/qt_bg.qm
Resource
win10v2004-20240611-en
Behavioral task
behavioral31
Sample
MegaHackInstaller/translations/qt_ca.qm
Resource
win7-20240419-en
Behavioral task
behavioral32
Sample
MegaHackInstaller/translations/qt_ca.qm
Resource
win10v2004-20240611-en
General
-
Target
MegaHackInstaller/translations/qt_ar.qm
-
Size
156KB
-
MD5
257bce0d43476ff6548f7d9d2c3a5809
-
SHA1
3d7b581860c381fc5644f739850f4c126f27838d
-
SHA256
c14ebfaa0fecb341b43ed2179df9372d27ad20a15bafb9f5403d57838ae1d88a
-
SHA512
051c71e4d105b082d169c5b57d2b6cfc093d174a649a0b4d42fd226b808c9fedb51a8ced6d5cb5db7f4fcce29419ec068d473b7ff7b8e15b9f8a82d32b73be00
-
SSDEEP
1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzLKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf16btw3Bb
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\qm_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\qm_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\qm_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\qm_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.qm rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.qm\ = "qm_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\qm_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\qm_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2704 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2704 AcroRd32.exe 2704 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2920 wrote to memory of 1916 2920 cmd.exe 29 PID 2920 wrote to memory of 1916 2920 cmd.exe 29 PID 2920 wrote to memory of 1916 2920 cmd.exe 29 PID 1916 wrote to memory of 2704 1916 rundll32.exe 30 PID 1916 wrote to memory of 2704 1916 rundll32.exe 30 PID 1916 wrote to memory of 2704 1916 rundll32.exe 30 PID 1916 wrote to memory of 2704 1916 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\MegaHackInstaller\translations\qt_ar.qm1⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MegaHackInstaller\translations\qt_ar.qm2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MegaHackInstaller\translations\qt_ar.qm"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2704
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b86132fca9d5caf57ad4397ccacfd2e5
SHA1ddc57d7484738a07b409c6d6b950012ad33e9db1
SHA25689f083dd9c1f32d55954d070d555db3cf4f7e2bff3c37e9c07d90596118a9dc2
SHA5120974e6a2c7495a9c1a9f309c009905bbcbc71f31cfdc97e90d9ed533ce0bbdc9e0062024b6c6e8683d724494fb5e466f11bace0b0ed424a504851329081c720f