Resubmissions

07/08/2024, 11:52

240807-n1s2zaybqp 5

06/08/2024, 19:50

240806-yj8q7sydpr 7

Analysis

  • max time kernel
    142s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/08/2024, 11:52

General

  • Target

    tmpz16y76kd.exe

  • Size

    18.5MB

  • MD5

    4bba5b7d3713e8b9d73ff1955211e971

  • SHA1

    9473104a1aefb0daabe41a92d75705be7e2daaf3

  • SHA256

    09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264

  • SHA512

    78e36c1f75de9b33b3216b957b2523e8553bb59db3b0fe407040ba0441700d05476a16a367af12f321a5e9f06634d347732480511e6faca53bb06e78e8286424

  • SSDEEP

    393216:EE2LeetrWJzdiEIMzqD3ZUswv2h/ojcCOvzXr98ASNg+:EE2dtr+dlzqNHZh/ogj8ASq+

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 40 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmpz16y76kd.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpz16y76kd.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\ProgramData\Microsoft\WindowsUpdate24\ipscan-3.9.1-setup.exe
      C:\ProgramData\Microsoft\WindowsUpdate24\ipscan-3.9.1-setup.exe
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Program Files\Angry IP Scanner\ipscan.exe
        "C:\Program Files\Angry IP Scanner\ipscan.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Program Files\Angry IP Scanner\jre\bin\javaw.exe
          "C:\Program Files\Angry IP Scanner\jre\bin\javaw" -jar "C:\Program Files\Angry IP Scanner\ipscan.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:2880
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2764
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:2724

    Downloads

    • C:\Program Files\Angry IP Scanner\jre\bin\javaw.exe (38KB)
    • C:\Program Files\Angry IP Scanner\jre\bin\zip.dll (74KB)
    • C:\Program Files\Angry IP Scanner\jre\conf\logging.properties (2KB)
    • C:\Program Files\Angry IP Scanner\jre\conf\net.properties (6KB)
    • C:\Program Files\Angry IP Scanner\jre\conf\security\java.security (57KB)
    • C:\Program Files\Angry IP Scanner\jre\conf\security\policy\unlimited\default_US_export.policy (146B)
    • C:\Program Files\Angry IP Scanner\jre\conf\security\policy\unlimited\default_local.policy (193B)
    • C:\Program Files\Angry IP Scanner\jre\lib\jvm.cfg (41B)
    • C:\Program Files\Angry IP Scanner\jre\lib\modules (12.8MB)
    • C:\Program Files\Angry IP Scanner\jre\lib\security\blocked.certs (2KB)
    • C:\Program Files\Angry IP Scanner\jre\lib\security\cacerts (172KB)
    • C:\Program Files\Angry IP Scanner\jre\lib\security\public_suffix_list.dat (228KB)
    • C:\Program Files\Angry IP Scanner\jre\lib\tzdb.dat (100KB)
    • C:\Program Files\Angry IP Scanner\jre\lib\tzmappings (21KB)
    • C:\Users\Admin\AppData\Local\Temp\nsd7F01.tmp\modern-wizard.bmp (150KB)
    • \Program Files\Angry IP Scanner\ipscan.exe (2.4MB)
    • \Program Files\Angry IP Scanner\jre\bin\client\jvm.dll (7.0MB)
    • \Program Files\Angry IP Scanner\jre\bin\java.dll (132KB)
    • \Program Files\Angry IP Scanner\jre\bin\jimage.dll (22KB)
    • \Program Files\Angry IP Scanner\jre\bin\jli.dll (74KB)
    • \Program Files\Angry IP Scanner\jre\bin\msvcp140.dll (613KB)
    • \Program Files\Angry IP Scanner\jre\bin\net.dll (83KB)
    • \Program Files\Angry IP Scanner\jre\bin\nio.dll (67KB)
    • \Program Files\Angry IP Scanner\jre\bin\prefs.dll (14KB)
    • \Program Files\Angry IP Scanner\jre\bin\vcruntime140.dll (83KB)
    • \ProgramData\Microsoft\WindowsUpdate24\ipscan-3.9.1-setup.exe (17.6MB)
    • \Users\Admin\.swt\lib\win32\x86_64\swt-win32-4956r13.dll (753KB)
    • \Users\Admin\AppData\Local\Temp\nsd7F01.tmp\System.dll (12KB)
    • \Users\Admin\AppData\Local\Temp\nsd7F01.tmp\UserInfo.dll (4KB)
    • \Users\Admin\AppData\Local\Temp\nsd7F01.tmp\nsDialogs.dll (9KB)
    • memory/1612-244-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)