Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2024, 21:14 UTC
Static task: static1
Behavioral tasks:
- behavioral1: sample sdsetup.exe, resource win7-20240704-en
- behavioral2: sample sdsetup.exe, resource win10v2004-20240709-en
- behavioral3: sample 新云软件.url, resource win7-20240704-en
- behavioral4: sample 新云软件.url, resource win10v2004-20240709-en
General
- Target: sdsetup.exe
- Size: 500KB
- MD5: 1526581b563522975fdfa678add1b749
- SHA1: a8dbdc433279d7ed615e24af364a6e1ce08b3158
- SHA256: c46653133e431997f754b585d11d18be73fc0774b877a511ac576c2659742bda
- SHA512: 2170bf620fc4a3ca206168316b31d2ddeef119eecf5bcdbb027e11ad04d8033e9dbdc9b4a89f575fe7b92ed47b09862bb024748ea41474f22cf930041b447db8
- SSDEEP: 6144:edsn3VUsa5sSoGBpG8CgSFnQ3Begfftpi4YFhPTZ8DAxkmJIRGowR9:7lUs4no87SF16fKthPTZNxA+9
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spyware Doctor = "C:\\Users\\Admin\\Desktop\\sdsetup.exe -min"
  Process: sdsetup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 2524, Process sdsetup.exe (the same pid and process are listed for all 64 IoCs)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid 2524, Process sdsetup.exe (the same pid and process are listed for all 64 IoCs)
Processes
Network
- DNS, remote address 8.8.8.8:53
  Request: su.pctools.com IN A
  Response: (none recorded)
- DNS, remote address 8.8.8.8:53
  Request: download.pctools.com IN A
  Response: (none recorded)
- DNS, remote address 8.8.8.8:53
  Request: g.bing.com IN A
  Response:
    g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net IN A 204.79.197.237
    dual-a-0034.a-msedge.net IN A 13.107.21.237
- HTTP, remote address 204.79.197.237:443
  URL: https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=11B78C5E30316DD216D698E931166C7C; domain=.bing.com; expires=Sun, 03-Aug-2025 21:34:50 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EA524DFDA5744D81866CFF8FFA274914 Ref B: LON04EDGE0710 Ref C: 2024-07-09T21:34:50Z
    date: Tue, 09 Jul 2024 21:34:49 GMT
- HTTP, remote address 204.79.197.237:443
  URL: https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
  Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=11B78C5E30316DD216D698E931166C7C
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=hJ8I-tEWv02oOe0IRu_hqvLRs4okUb8Pn6X_uOEBcto; domain=.bing.com; expires=Sun, 03-Aug-2025 21:34:50 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 22751C06A5C944B5B1E2432F0B9214E8 Ref B: LON04EDGE0710 Ref C: 2024-07-09T21:34:50Z
    date: Tue, 09 Jul 2024 21:34:49 GMT
- HTTP, remote address 204.79.197.237:443
  URL: https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=11B78C5E30316DD216D698E931166C7C; MSPTC=hJ8I-tEWv02oOe0IRu_hqvLRs4okUb8Pn6X_uOEBcto
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5588E500F5C54AB3A93F53CFBDEFE2D9 Ref B: LON04EDGE0710 Ref C: 2024-07-09T21:34:50Z
    date: Tue, 09 Jul 2024 21:34:49 GMT
- DNS, remote address 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- DNS, remote address 8.8.8.8:53
  Request: 4.159.190.20.in-addr.arpa IN PTR
  Response: (none recorded)
- DNS, remote address 8.8.8.8:53
  Request: 26.35.223.20.in-addr.arpa IN PTR
  Response: (none recorded)
- DNS, remote address 8.8.8.8:53
  Request: 237.197.79.204.in-addr.arpa IN PTR
  Response: (none recorded)
- DNS, remote address 8.8.8.8:53
  Request: 233.143.123.92.in-addr.arpa IN PTR
  Response: 233.143.123.92.in-addr.arpa IN PTR a92-123-143-233.deploy.static.akamaitechnologies.com
- DNS, remote address 8.8.8.8:53
  Request: 22.236.111.52.in-addr.arpa IN PTR
  Response: (none recorded)
- DNS, remote address 8.8.8.8:53
  Request: 84.65.42.20.in-addr.arpa IN PTR
  Response: (none recorded)
- 204.79.197.237:443, https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
  protocols: tls, http2
  traffic figures as listed in the report: 22.0kB 9.3kB 22 19
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78d4d7ffca244bdbb0a4b7c293cd4a3a&localId=w:02CFF369-7177-605D-73C2-BA4DB418EA60&deviceId=6896204246996124&anid=
  HTTP Response: 204
- DNS flow (traffic figures as listed in the report: 60 B 60 B 1 1)
  DNS Request: su.pctools.com
- DNS flow (66 B 66 B 1 1)
  DNS Request: download.pctools.com
- DNS flow (56 B 151 B 1 1)
  DNS Request: g.bing.com
  DNS Response: 204.79.197.237, 13.107.21.237
- DNS flow (66 B 90 B 1 1)
  DNS Request: 8.8.8.8.in-addr.arpa
- DNS flow (71 B 157 B 1 1)
  DNS Request: 4.159.190.20.in-addr.arpa
- DNS flow (71 B 157 B 1 1)
  DNS Request: 26.35.223.20.in-addr.arpa
- DNS flow (73 B 143 B 1 1)
  DNS Request: 237.197.79.204.in-addr.arpa
- DNS flow (73 B 139 B 1 1)
  DNS Request: 233.143.123.92.in-addr.arpa
- DNS flow (72 B 158 B 1 1)
  DNS Request: 22.236.111.52.in-addr.arpa
- DNS flow (70 B 156 B 1 1)
  DNS Request: 84.65.42.20.in-addr.arpa