Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

676724453b...0d.exe

windows7-x64

7

676724453b...0d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    27/06/2024, 10:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe

  • Size

    4.8MB

  • MD5

    10c9464211d8fc212bfeeb972ed579d6

  • SHA1

    b095a0c0833d852a98ed554507ed24a4c9898e3f

  • SHA256

    676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d

  • SHA512

    b31c4534bfd66f52e11a85cd0eae9809a557459f45cfeff607fa90dec31e3680a6f33c6fd950ee3e23c8e21987874eb469e8e6526bf49f6932ff0af1615f36d3

  • SSDEEP

    98304:Ba5gyXi3zjeZhr19f7gHi/kZgc8hrEB3Ii8GnraqlwyWoQcXGcm3Xmm9rWIcYop1:Ba5gyS3zjeZhr19f7gHi/kZgc8hrEB3a

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe
    "C:\Users\Admin\AppData\Local\Temp\676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\evb3341.tmp
      chushihua.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\ÐÅ¿¼³õʼ»¯¹¤¾ß\init.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\xinkao" /f /v "xk" /t REG_BINARY /d 01000000ad8967c6bdf588cad1ad05e31692dce185c0a0a741a1e9fd02bbfef8be39e0ef9459096d06269541893c8c4bf684b3139d0894517b68a9b784860939b5760e240ac2a53a7e8b90b7eb2c15ec08542d4e3eba6ae0fff3409c3803eb02faa043ea5164ecd9a3455bf6071e3508ae209ee5b97460b7cf33bff6acb20a9683f2941d
          4⤵
            PID:2536
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2532
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig
              5⤵
              • Gathers network information
              PID:1188
            • C:\Windows\SysWOW64\findstr.exe
              findstr /i "IPv4"
              5⤵
                PID:2648
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCR\Local Settings\Software\xinkao" /f /v "xinkao" /t REG_SZ /d " 10.127.0.198"
              4⤵
              • Modifies registry class
              PID:2676
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\xinkao" /f /v "xinkao" /t REG_SZ /d " 10.127.0.198"
              4⤵
                PID:2556

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ÐÅ¿¼³õʼ»¯¹¤¾ß\init.bat
          Filesize

          677B

          MD5

          9882bbfe52711ee196a7db25542db5f2

          SHA1

          c394bf81e8b864f870f9ebeb42fb31d09161e79e

          SHA256

          47f5adbc69839363178fed391b0695dc94720cd90976ec606380a62c205feaaf

          SHA512

          e5be4f44ec22ebd5698f31438afd7000a86caad2a3212f4a8912075b05cbb00c0124d9b37f629fa74f0f4b62d36da8059014f93072a7cc83320e9f7d97e0817b

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\evb3352.tmp
          Filesize

          1KB

          MD5

          ca736ac5b4501ec417bdff79c9dcbbff

          SHA1

          2ec046c794c95798d196079e8c5a0dbe38ff599e

          SHA256

          33e38330ad4ffc0804ac286ea9c72be875da0085f7a1344597d9f6bc4b8bead2

          SHA512

          5b658eff6fa687695abe5c6924f4738e7c5dbc294d1f7f2760284b007b4d0fb487a706610c0304b571af88872b1ff5b54bea8f4b76c944265a36eb10e1d811a3

          Download Submit

        • \Users\Admin\AppData\Local\Temp\evb3341.tmp
          Filesize

          1KB

          MD5

          fc804f040bc43e008743afcb677baad5

          SHA1

          2c23e78979a8178f246dec5452c7c1a8a9c052f5

          SHA256

          89a095c5c8db0209a7c6d8b838e8b1d51b0a1dc35555d0d318d9f6f76a4cdac7

          SHA512

          0633c9fec6afac07656e9e16909d3fa86e65318cb2742397f21c054a9f5bc30939151ff933879b492df71030689b235c11fb33ef2a812fb09a05ba5662e6a759

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nst33D0.tmp\nsExec.dll
          Filesize

          6KB

          MD5

          1f49d8af9be9e915d54b2441c4a79adf

          SHA1

          1ee4f809c693e31f34bc6d8153664a6dc2c3e499

          SHA256

          b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782

          SHA512

          c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

          Download Submit

        • memory/1720-15-0x0000000003B50000-0x0000000003B85000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1720-1-0x00000000771F0000-0x00000000771F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1720-22-0x0000000003B50000-0x0000000003B85000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1720-45-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/1720-2-0x00000000003D0000-0x00000000003D3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1720-0-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/1908-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1908-6-0x0000000000290000-0x00000000002D7000-memory.dmp

          Filesize

          284KB

          Download

        • memory/1908-30-0x00000000771F0000-0x00000000771F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1908-23-0x0000000000290000-0x00000000002D7000-memory.dmp

          Filesize

          284KB

          Download

        • memory/1908-8-0x00000000002E0000-0x00000000002E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1908-19-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1908-49-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1908-50-0x0000000000290000-0x00000000002D7000-memory.dmp

          Filesize

          284KB

          Download