Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

8891f4022f...18.exe

windows7-x64

7

8891f4022f...18.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

FunshionInstall.exe

windows7-x64

7

FunshionInstall.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/08/2024, 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FunshionInstall.exe

  • Size

    1.8MB

  • MD5

    246f26a450102b53e87f360c6c328f66

  • SHA1

    fa8f3a51d31b785c7865771fe78c1287f324b35a

  • SHA256

    ae36ddd69548deb664d26a0e2a800af4b01a04d13ea3e1b997da14c4a365c0b7

  • SHA512

    daff81fce5b947ec1ef7c336ad04da9556cb7fafc07d81408aaacedf2e41c398eaa4c2e2de9a076244a6812e9033db6426c2954d03008d0d857c55857ea7e7a7

  • SSDEEP

    24576:u8ld8XDqQDbBpDqQDbBc1JV+sk3/4gnwR7mO/+3GUbhBifT0EPVQwEJRYbRwAzfD:uqd8XxpxIVU4gwOGeLaPbRwaixwV

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FunshionInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\FunshionInstall.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SysWOW64\msn054.exe
      "C:\Windows\system32\msn054.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Users\Admin\AppData\Local\Temp\6.exe
        "C:\Users\Admin\AppData\Local\Temp\6.exe" 7854
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3584
    • C:\Windows\SysWOW64\66.exe
      "C:\Windows\system32\66.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\66.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4824
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s 66.reg
          4⤵
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:3560
    • C:\Windows\SysWOW64\cfkk.exe
      "C:\Windows\system32\cfkk.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:872
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
          4⤵
          • Modifies Internet Explorer settings
          PID:2576
      • C:\Windows\SysWOW64\coopen_setup_100067.exe
        coopen_setup_100067.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1944
    • C:\Windows\SysWOW64\p.exe
      "C:\Windows\system32\p.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4556
    • C:\Windows\SysWOW64\z.exe
      "C:\Windows\system32\z.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1304
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
    1⤵
      PID:2788

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver8EF.tmp
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6.exe
      Filesize

      53KB

      MD5

      0aa2eeba570f7fae09c21d5bc1a5ad55

      SHA1

      add5347a2472a20aa2ce287fe26fbbdf0f6a40c0

      SHA256

      8ad94ac212ba3d41195ea105478eb4a6cd134bfc1ad6a608b1a7c469293d1d70

      SHA512

      1c2f617372c680110bbb9dc92d9c4163433c2e774625f45104dd2a2ed1f7b5dbf4a0876817da0f3a3247db06630cd32a3ee452bf67d98dae96712a947abadf1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsj4DDF.tmp\System.dll
      Filesize

      9KB

      MD5

      afd989ef7eec6bf952bedfce541fe236

      SHA1

      5654b71c5b1089c2cec6381d8da5bd14a14e1a37

      SHA256

      5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

      SHA512

      f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsm8896.tmp\InstallOptions.dll
      Filesize

      12KB

      MD5

      08c82a46416a5e2b471d457968f53816

      SHA1

      3e3897c20b9e89b279b4764a633f67955bf8f09a

      SHA256

      435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9

      SHA512

      91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsm8896.tmp\System.dll
      Filesize

      10KB

      MD5

      61151aff8c92ca17b3fab51ce1ca7156

      SHA1

      68a02015863c2877a20c27da45704028dbaa7eff

      SHA256

      af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

      SHA512

      4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsm8896.tmp\ioSpecial.ini
      Filesize

      652B

      MD5

      b85a6114a9e0c041a8320c597f1bc995

      SHA1

      8b8ab682b9f2f9e46ec147ae32b5d09fa004fe8e

      SHA256

      5fd66f2b162374a8f330ff720c605b7a336d0642ae47db16d838bdffac23980c

      SHA512

      bda1c78f64f87c3873a4ced0089de312447f5ac9bd5bdf15b8be5c8edd7706769ddb684b9fb28d9c4109dc0fe68e6f6649994b93d568e0c3086014fcd0415e07

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nso4E4B.tmp\System.dll
      Filesize

      10KB

      MD5

      bf01b2d04e8fad306ba2f364cfc4edfa

      SHA1

      58f42b45ca9fc1818c4498ecd8bac088d20f2b18

      SHA256

      d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

      SHA512

      30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

      Download Submit

    • C:\Windows\SysWOW64\66.bat
      Filesize

      35B

      MD5

      25cbf5fe338535de8ee41ad00521c85d

      SHA1

      974402d7af3ff2d99ce761ddac6936ece0d5f1fe

      SHA256

      97bdb7035decc3eaaaee49e9c0cfaf938a8bf7cb18829e6aa64b08ba1e5fb8dc

      SHA512

      1e867c9e3207eb7ddc962e19656ae36cef5ace44cd5be482df656dec69d70c8a485266b0e7d392e7fe85271faf8639bf0516b7a9827740b710f90cf94af33f68

      Download Submit

    • C:\Windows\SysWOW64\66.exe
      Filesize

      107KB

      MD5

      48ebcf8e1fb241b1606503681db0929c

      SHA1

      181cdafb12492006328d44005e0176b0d5dcd659

      SHA256

      8bc4dfec55f068786bed2a1823947c1bb69e92500105efc7ad7fe03aa1217e42

      SHA512

      9cd2109a353c72b304dd63f4dac0b2a00aa931d32112af6fdff569fe6d0b408dbbc0ab2504a4cecc15cfcc3d6e5fa5da1ab6e4ddae893252593315f5e2e553de

      Download Submit

    • C:\Windows\SysWOW64\cfkk.exe
      Filesize

      250KB

      MD5

      98d1fec11a0aecbc609b6e4f54605806

      SHA1

      917e92c53496be174c3e7954d0035db5cd362acb

      SHA256

      6c6911528124c524b77eba811c5e4e6783043daf138a19e17da68ea089debc62

      SHA512

      8a62552b7ed0305ad955dd688aae8cb6c94c08f2dae7a004fa96fa834a1dcea5f0c9814a44686a719336e1a10be1f1e1ad11ca4e27657aacf253cf5b123ae99c

      Download Submit

    • C:\Windows\SysWOW64\coopen_setup_100067.exe
      Filesize

      914KB

      MD5

      0ed46aa6a317bf47a58ab95cc6761e93

      SHA1

      8f8bbebdf82c90748c7edc24a98b6390af6dd222

      SHA256

      6ccc49b0d7c51a5d5bd95ab775d4f2047af0d3358396cf603f04bba28ab6a2a5

      SHA512

      072706ac2790ab418c8e7c5d748a489a228ad63ff025e905d3ca29038ac7a9f9e816e254274067ff0b31cc64e8ed826ea226a5bdc0262a9254f48e6007aff244

      Download Submit

    • C:\Windows\SysWOW64\msn054.exe
      Filesize

      83KB

      MD5

      d7d65643b8a2fac2f2ef6d8cb3d0a394

      SHA1

      d4de8ef24f80a7182c3bc3075a5d5d5c08996951

      SHA256

      6e4378b059b9a06e60b1d4692a7db8b27eebb612a736cdf6d24f2ec11ce5352d

      SHA512

      1859244869b1ec338e2faef6d0682a1f1cc6da913cf5e215c544b0c861a5daa6669ec22b2a40e05e16c63925a63c9c5065c1383f6505900748eac0d6b4fb814d

      Download Submit

    • C:\Windows\SysWOW64\p.exe
      Filesize

      250KB

      MD5

      93df99ebeeb59896f862837c105c7659

      SHA1

      9cd0cf39ac2cd61a9a258cca6f3cef3379c22372

      SHA256

      44d0be642cec26515473ad39a15f62dfb25efd5ab94a6b5e115d759b6338b7b7

      SHA512

      b3a672878241bddc1c59cee4bcf16c9d437c721819a3a4e1c2f0db1b015847f9e85dec19570a83d2aa0a53afc57f1a26e42774a6d3ed3174d2d429594dc0f956

      Download Submit

    • C:\Windows\SysWOW64\z.exe
      Filesize

      250KB

      MD5

      473801e9358ff5969ae840566001f278

      SHA1

      8593d24e6ac4069b58575b27e99c7a3db9c1d82f

      SHA256

      cd00ea08b6966175f31e1f95fb20c8c8b5040018773c608981bfbf4e35ec415c

      SHA512

      3672a5f0164635d64b1b4dcf18b10170f5641c53c60b10588ac4160e1a5565c563cdc9539e998f2839557afc0c1a8933ee6d13e22309ac8470fc91aad5b5f91b

      Download Submit

    • memory/1040-63-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1040-190-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1304-96-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1304-189-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1304-228-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1304-232-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3312-62-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4556-93-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/4556-188-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/4556-214-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/4556-216-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/4832-187-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/4832-83-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download