Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/07/2024, 23:09 UTC

General

  • Target

    114IE.exe

  • Size

    3.1MB

  • MD5

    6da132acb38a83304f35543dc670e184

  • SHA1

    688936ff1b95cefaa04c36e6a662719a59965b09

  • SHA256

    ff1dae85ff708d8a51b99b0400c07fa068df6d953b597a422021019496224f69

  • SHA512

    3dbbe03007054fd7d2a6153f775d1f4a092376ded43693a77100596939ad8595833c66834208188237a961d031e39a6f41ecd1aaa61243bdadb2cb57e9425f54

  • SSDEEP

    49152:LubHDDMxSIVdydRr9/UWcTNb4Ywgl5vDk38zAU7Ebwnwp/6hYTe:Lu7YM/h9cTNbVwfMeKC6h

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service (3 TTPs, 4 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 7 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\114IE.exe
    "C:\Users\Admin\AppData\Local\Temp\114IE.exe"
    1⤵
    • Modifies firewall policy service
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\bin\114Web.exe
      Tango3 393652|2232
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2144

Network

  • DNS via 8.8.8.8:53 (US), process 114IE.exe
    Request: www.tg1234.com IN A
    Response: www.tg1234.com IN A 203.195.130.175
  • DNS via 8.8.8.8:53 (US), process 114Web.exe
    Request: www.114.com.cn IN A
    Response: www.114.com.cn IN A 218.5.79.45
  • DNS via 8.8.8.8:53 (US), process 114IE.exe
    Request: ie.114.com.cn IN A
    Response: (no A record returned)
  • DNS via 8.8.8.8:53 (US), process 114IE.exe
    Request: union.tangobrowser.net IN A
    Response: (no A record returned)
  • DNS via 8.8.8.8:53 (US), process 114IE.exe
    Request: img.tongji.linezing.com IN A
    Response: (no A record returned)
  • DNS via 8.8.8.8:53 (US), process 114IE.exe
    Request: www.tgsoso.com IN A
    Response: www.tgsoso.com IN A 154.39.73.176
  • DNS via 8.8.8.8:53 (US), process 114IE.exe
    Request: www.languangav.com IN A
    Response: www.languangav.com IN A 43.154.18.100
  • HTTP GET http://www.languangav.com/tango/templ300.zip, process 114IE.exe
    Remote address: 43.154.18.100:80 (HK)
    Request:
    GET /tango/templ300.zip HTTP/1.1
    Host: www.languangav.com
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 1.1.4322;)
    Pragma: no-cache
    Cache-Control: no-cache
    Connection: close
    Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sun, 14 Jul 2024 23:10:15 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
  • 218.5.79.45:80 (www.114.com.cn), process 114Web.exe: 152 B in 3 packets sent; no response data listed
  • 203.195.130.175:80 (www.tg1234.com), process 114IE.exe: 152 B in 3 packets sent; no response data listed
  • 154.39.73.176:80 (www.tgsoso.com), process 114IE.exe: 152 B in 3 packets sent; no response data listed
  • 43.154.18.100:80 (http://www.languangav.com/tango/templ300.zip), http, process 114IE.exe: 529 B in 5 packets sent, 903 B in 5 packets received
    HTTP Request: GET http://www.languangav.com/tango/templ300.zip
    HTTP Response: 404
  • 8.8.8.8:53 (www.tg1234.com), dns, process 114IE.exe: 60 B in 1 packet sent, 76 B in 1 packet received
    DNS Request: www.tg1234.com
    DNS Response: 203.195.130.175
  • 8.8.8.8:53 (www.114.com.cn), dns, process 114Web.exe: 60 B in 1 packet sent, 76 B in 1 packet received
    DNS Request: www.114.com.cn
    DNS Response: 218.5.79.45
  • 8.8.8.8:53 (ie.114.com.cn), dns, process 114IE.exe: 59 B in 1 packet sent, 126 B in 1 packet received
    DNS Request: ie.114.com.cn
    DNS Response: (no A record)
  • 8.8.8.8:53 (union.tangobrowser.net), dns, process 114IE.exe: 68 B in 1 packet sent, 139 B in 1 packet received
    DNS Request: union.tangobrowser.net
    DNS Response: (no A record)
  • 8.8.8.8:53 (img.tongji.linezing.com), dns, process 114IE.exe: 69 B in 1 packet sent, 138 B in 1 packet received
    DNS Request: img.tongji.linezing.com
    DNS Response: (no A record)
  • 8.8.8.8:53 (www.tgsoso.com), dns, process 114IE.exe: 60 B in 1 packet sent, 76 B in 1 packet received
    DNS Request: www.tgsoso.com
    DNS Response: 154.39.73.176
  • 8.8.8.8:53 (www.languangav.com), dns, process 114IE.exe: 64 B in 1 packet sent, 80 B in 1 packet received
    DNS Request: www.languangav.com
    DNS Response: 43.154.18.100
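
The indicators in the Network section above can be turned into a hunt over proxy and DNS logs. The following is an added example (not part of the tria.ge report and not code from the analysed sample): it parses a few constructed key=value log lines, matches them against the domains, IP addresses and URL path recorded above, and additionally flags the malformed User-Agent, in which a second "Mozilla/4.0 (compatible; MSIE ..." string is nested inside the first one's comment, something a genuine Internet Explorer does not send. The log format, the timestamps and the host names WS01/WS02 are assumptions made for the example; only the indicator values come from the report.

```python
import re
import shlex

# Indicators copied from the report's Network section.
IOC_DOMAINS = {
    "www.tg1234.com", "www.114.com.cn", "ie.114.com.cn",
    "union.tangobrowser.net", "img.tongji.linezing.com",
    "www.tgsoso.com", "www.languangav.com",
}
IOC_IPS = {"203.195.130.175", "218.5.79.45", "154.39.73.176", "43.154.18.100"}
IOC_URL_PATH = "/tango/templ300.zip"

# The sample's User-Agent nests a second "Mozilla/4.0 (compatible; MSIE ..."
# inside the first one's parenthesised comment. Real IE never emits that, so
# the pattern is a heuristic that keeps working if the domains change.
NESTED_MSIE_UA = re.compile(
    r"Mozilla/4\.0 \(compatible; MSIE [0-9.]+;[^)]*Mozilla/4\.0 \(compatible; MSIE"
)

# Constructed log lines (assumed "ts kind key=value ..." format, not from the
# report); the indicator values in the first three lines are from the report.
SAMPLE_LOG = """\
2024-07-14T23:10:12Z dns host=WS01 proc=114IE.exe query=www.tg1234.com answer=203.195.130.175
2024-07-14T23:10:14Z dns host=WS01 proc=114IE.exe query=ie.114.com.cn answer=-
2024-07-14T23:10:15Z http host=WS01 proc=114IE.exe dst=43.154.18.100 url="http://www.languangav.com/tango/templ300.zip" ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 1.1.4322;)" status=404
2024-07-14T23:10:20Z dns host=WS02 proc=chrome.exe query=www.example.com answer=93.184.216.34
2024-07-14T23:10:30Z http host=WS02 proc=chrome.exe dst=93.184.216.34 url="http://www.example.com/" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" status=200
"""


def parse_line(line: str) -> dict:
    """Split 'ts kind k=v k="v with spaces" ...' into a dict; shlex handles the quotes."""
    tokens = shlex.split(line)
    rec = {"ts": tokens[0], "kind": tokens[1]}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL (no scheme, port or path)."""
    m = re.match(r"[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def match_record(rec: dict) -> list:
    """Return the reasons (possibly none) why one parsed record matches the indicators."""
    reasons = []
    if rec["kind"] == "dns":
        if rec.get("query", "").lower() in IOC_DOMAINS:
            reasons.append("dns-query:" + rec["query"])
        if rec.get("answer") in IOC_IPS:
            reasons.append("dns-answer:" + rec["answer"])
    elif rec["kind"] == "http":
        url = rec.get("url", "")
        if host_of(url) in IOC_DOMAINS:
            reasons.append("http-host:" + host_of(url))
        if rec.get("dst") in IOC_IPS:
            reasons.append("http-dst:" + rec["dst"])
        if IOC_URL_PATH in url:
            reasons.append("http-path:" + IOC_URL_PATH)
        if NESTED_MSIE_UA.search(rec.get("ua", "")):
            reasons.append("nested-msie-user-agent")
    return reasons


def scan(log_text: str) -> list:
    """Return (line_no, process, reasons) for every log line that matches."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = match_record(rec)
        if reasons:
            hits.append((n, rec.get("proc", "?"), reasons))
    return hits


if __name__ == "__main__":
    for n, proc, reasons in scan(SAMPLE_LOG):
        print(f"line {n} ({proc}): {', '.join(reasons)}")
```

Running the block prints three hits: both DNS lines from the infected host (the second only on the query name, since the report records no A record for ie.114.com.cn) and the HTTP line, which matches on host, destination IP, path and the nested User-Agent; the two benign lines produce nothing. In a real deployment the indicator sets would be loaded from a feed rather than hard-coded, but the User-Agent heuristic is worth keeping separately, since it does not depend on the infrastructure staying the same.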

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2144-7-0x0000000074083000-0x0000000074084000-memory.dmp

    Filesize

    4KB
