Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
9Static
static
7WeChatSetup.exe
windows7-x64
4WeChatSetup.exe
windows10-2004-x64
4$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
1$PLUGINSDI...ll.dll
windows10-2004-x64
1$PLUGINSDI...st.dll
windows7-x64
3$PLUGINSDI...st.dll
windows10-2004-x64
3Uninstall.exe
windows7-x64
4Uninstall.exe
windows10-2004-x64
4WeChat.exe
windows7-x64
9WeChat.exe
windows10-2004-x64
9WechatAppLauncher.exe
windows7-x64
1WechatAppLauncher.exe
windows10-2004-x64
1[3.9.11.19...dk.dll
windows7-x64
1[3.9.11.19...dk.dll
windows10-2004-x64
1[3.9.11.19...ll.exe
windows7-x64
4[3.9.11.19...ll.exe
windows10-2004-x64
4[3.9.11.19...ne.dll
windows7-x64
1[3.9.11.19...ne.dll
windows10-2004-x64
1[3.9.11.19...at.exe
windows7-x64
9[3.9.11.19...at.exe
windows10-2004-x64
9[3.9.11.19...xt.exe
windows7-x64
1[3.9.11.19...xt.exe
windows10-2004-x64
3[3.9.11.19...ce.dll
windows7-x64
1[3.9.11.19...ce.dll
windows10-2004-x64
1[3.9.11.19...pt.exe
windows7-x64
3[3.9.11.19...pt.exe
windows10-2004-x64
3[3.9.11.19...te.exe
windows7-x64
3[3.9.11.19...te.exe
windows10-2004-x64
3Analysis
-
max time kernel
24s -
max time network
24s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
10/07/2024, 05:35
Behavioral task
behavioral1
Sample
WeChatSetup.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral2
Sample
WeChatSetup.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/WeChatInstallDll.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/WeChatInstallDll.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsInstallAssist.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsInstallAssist.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Uninstall.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
Uninstall.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
WeChat.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
WeChat.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
WechatAppLauncher.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
WechatAppLauncher.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
[3.9.11.19]/ConfSdk.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
[3.9.11.19]/ConfSdk.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
[3.9.11.19]/Uninstall.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral20
Sample
[3.9.11.19]/Uninstall.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
[3.9.11.19]/VoipEngine.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
[3.9.11.19]/VoipEngine.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
[3.9.11.19]/WeChat.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
[3.9.11.19]/WeChat.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
[3.9.11.19]/WeChatExt.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
[3.9.11.19]/WeChatExt.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
[3.9.11.19]/WeChatResource.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral28
Sample
[3.9.11.19]/WeChatResource.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
[3.9.11.19]/WeChatSpt.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
[3.9.11.19]/WeChatSpt.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
[3.9.11.19]/WeChatUpdate.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral32
Sample
[3.9.11.19]/WeChatUpdate.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
$PLUGINSDIR/FindProcDLL.dll
-
Size
492KB
-
MD5
633625aa3be670a515fa87ff3a566d90
-
SHA1
de035c083125aef5df0a55c153ef6cc4dd4c15b4
-
SHA256
bda8e0ddb672ea3558ad68634c49da06cd72f93d7fca642ca41df00e26512df1
-
SHA512
3c687ddf0e4e93a6787a23a93e2011df42898f6d21101c848a1b7c7bd2eddd5d49fdd0748e47e6235e7808596d00a1ecf79b5c975d050dd8d00a95f515a444a9
-
SSDEEP
12288:LAeafIS4J8anXexYWGRhvgbTu4RJ6//sCMUx:04J9/WGRS33+
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 1988 2344 WerFault.exe 30 -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3028 wrote to memory of 2344 3028 rundll32.exe 30 PID 3028 wrote to memory of 2344 3028 rundll32.exe 30 PID 3028 wrote to memory of 2344 3028 rundll32.exe 30 PID 3028 wrote to memory of 2344 3028 rundll32.exe 30 PID 3028 wrote to memory of 2344 3028 rundll32.exe 30 PID 3028 wrote to memory of 2344 3028 rundll32.exe 30 PID 3028 wrote to memory of 2344 3028 rundll32.exe 30 PID 2344 wrote to memory of 1988 2344 rundll32.exe 31 PID 2344 wrote to memory of 1988 2344 rundll32.exe 31 PID 2344 wrote to memory of 1988 2344 rundll32.exe 31 PID 2344 wrote to memory of 1988 2344 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 2243⤵
- Program crash
PID:1988
-
-