Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/08/2024, 06:31 UTC

General

  • Target

    914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe

  • Size

    9.8MB

  • MD5

    764647736f890ef13f918079dc9d72cf

  • SHA1

    1709f276759093323650d98d724124f9906adb05

  • SHA256

    914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e

  • SHA512

    f766939786f1ee13a7e8fd04eaec0c4371f1ca100610c3bf224578cb25070aed7b93cd187bf6e4c89113de996bd97ee054714fa7f43bb2ff3cc281fb20293f97

  • SSDEEP

    196608:t9++KYyCBPgEdqiz0UKq3GaXcaK4PotqSOpsgymzgqae6WMr:kY9PgOlzLKq2GcP44ON2e6n

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

  • Disables RegEdit via registry modification 2 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
    "C:\Users\Admin\AppData\Local\Temp\914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2092
    • C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
      2⤵
      • Disables RegEdit via registry modification
      • System Location Discovery: System Language Discovery
      PID:2408
    • C:\Windows\SysWOW64\regini.exe
      regini www.ini
      2⤵
      PID:648
    • C:\Windows\SysWOW64\regini.exe
      regini www.ini
      2⤵
      PID:2452

      Network

      • flag-us
        DNS
        pic4.zhimg.com
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        Remote address:
        8.8.8.8:53
        Request
        pic4.zhimg.com
        IN A
        Response
        pic4.zhimg.com
        IN CNAME
        pic4.zhimg.com.cdn.dnsv1.com
        pic4.zhimg.com.cdn.dnsv1.com
        IN CNAME
        36d64ce2.ovslegodl.sched.ovscdns.com
        36d64ce2.ovslegodl.sched.ovscdns.com
        IN A
        43.132.64.188
        36d64ce2.ovslegodl.sched.ovscdns.com
        IN A
        43.132.64.190
      • flag-gb
        GET
        https://pic4.zhimg.com/v2-d4d034644ef2cab3c65d64edc8d2d3e4_1440w.jpg?source=172ae18b
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        Remote address:
        43.132.64.188:443
        Request
        GET /v2-d4d034644ef2cab3c65d64edc8d2d3e4_1440w.jpg?source=172ae18b HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
        Accept: */*
        Host: pic4.zhimg.com
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: Byte-nginx
        Content-Type: image/jpeg
        Date: Mon, 19 Aug 2024 16:36:18 GMT
        Imagex-Fmt: jpeg2jpeg
        Nw-Session-Id: 20240820003617DBDA3BC8983D850AF8D55tkl501ff
        Nw-Session-Trace: 2024-08-20T00:36:18.003407708+08:00 38
        Server-Timing: inner; dur=46
        X-Bdcdn-Cache-Status: TCP_MISS
        X-Imagex-Extra: {"algo.succ":"resize","enc":{"h":900,"nq":75,"q":75,"w":1200}}
        X-Length: 41703
        X-Powered-By: ImageX
        X-Response-Date: Tue, 20 Aug 2024 00:36:18 GMT
        X-Tt-Logid: 20240820003617DBDA3BC8983D850AF8D5
        X-Tt-Trace-Host: 01e55500e6d919b90a104dd3d033d1e719368dd4e4f9bf2d70b0af34fa6cd3cabe84c0e2e34691bb0118ffe7c6983ac87ef379b749569e9c72752e765bf9bdc8bebc2891a1113f5aa1aa3be41940ae12f9f5cee27e33012dd517a722245c8ceacace023f59c5db4a828b51681215dd8db37a6f244307f9d81b5209da341e762125
        X-Tt-Trace-Id: 202408200036172b6b2436016f1841F858
        X-Tt-Trace-Tag: id=5
        x-request-ip: 42.81.252.114
        x-request-id: 0962e3e0943192e9d5a9463668ed5050
        x-response-cinfo: 42.81.252.114
        x-response-cache: miss
        X-Cache-Lookup: Cache Hit
        Last-Modified: Mon, 19 Aug 2024 16:36:18 GMT
        Cache-Control: max-age=31536000
        Content-Length: 41703
        Accept-Ranges: bytes
        X-NWS-LOG-UUID: 4430652920247626504
        Connection: keep-alive
        X-Cache-Lookup: Cache Miss
        Access-Control-Allow-Origin: *
        Access-Control-Max-Age: 2592000
        x-cdn-provider: tencent
      • flag-us
        DNS
        ocsp.dcocsp.cn
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        Remote address:
        8.8.8.8:53
        Request
        ocsp.dcocsp.cn
        IN A
        Response
        ocsp.dcocsp.cn
        IN CNAME
        ocsp.dcocsp.cn.w.kunlunar.com
        ocsp.dcocsp.cn.w.kunlunar.com
        IN A
        163.181.57.234
        ocsp.dcocsp.cn.w.kunlunar.com
        IN A
        163.181.57.232
        ocsp.dcocsp.cn.w.kunlunar.com
        IN A
        163.181.57.231
        ocsp.dcocsp.cn.w.kunlunar.com
        IN A
        163.181.57.233
        ocsp.dcocsp.cn.w.kunlunar.com
        IN A
        163.181.57.238
        ocsp.dcocsp.cn.w.kunlunar.com
        IN A
        163.181.57.237
        ocsp.dcocsp.cn.w.kunlunar.com
        IN A
        163.181.57.236
        ocsp.dcocsp.cn.w.kunlunar.com
        IN A
        163.181.57.235
      • flag-gb
        GET
        http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoEcNCWvIoSyJCm34Ju7Es%3D
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        Remote address:
        163.181.57.234:80
        Request
        GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoEcNCWvIoSyJCm34Ju7Es%3D HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Microsoft-CryptoAPI/6.1
        Host: ocsp.dcocsp.cn
        Response
        HTTP/1.1 200 OK
        Server: Tengine
        Content-Type: application/ocsp-response
        Content-Length: 471
        Connection: keep-alive
        Date: Tue, 20 Aug 2024 06:17:33 GMT
        Via: cache15.l2de2[0,0,200-0,H], cache1.l2de2[0,0], ens-cache8.gb5[0,0,200-0,H], ens-cache3.gb5[2,0]
        Age: 849
        Ali-Swift-Global-Savetime: 1724134653
        X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
        X-Swift-SaveTime: Tue, 20 Aug 2024 06:17:34 GMT
        X-Swift-CacheTime: 3599
        Timing-Allow-Origin: *
        EagleId: a3b5398717241355020081058e
      • flag-gb
        GET
        http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSmVYFXwi%2FRq9wx3PKhB8lC%2FFYUyAQUkZ9eMRWuEJ%2BtYMH3wcyqSDQvDCYCEAo9CdsGIXUOiUSzi9a8cJM%3D
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        Remote address:
        163.181.57.234:80
        Request
        GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSmVYFXwi%2FRq9wx3PKhB8lC%2FFYUyAQUkZ9eMRWuEJ%2BtYMH3wcyqSDQvDCYCEAo9CdsGIXUOiUSzi9a8cJM%3D HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Microsoft-CryptoAPI/6.1
        Host: ocsp.dcocsp.cn
        Response
        HTTP/1.1 200 OK
        Server: Tengine
        Content-Type: application/ocsp-response
        Content-Length: 471
        Connection: keep-alive
        Date: Tue, 20 Aug 2024 06:02:45 GMT
        Via: cache6.l2de2[0,0,200-0,H], cache14.l2de2[1,0], ens-cache6.gb5[0,0,200-0,H], ens-cache3.gb5[1,0]
        Age: 1736
        Ali-Swift-Global-Savetime: 1724133766
        X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
        X-Swift-SaveTime: Tue, 20 Aug 2024 06:25:37 GMT
        X-Swift-CacheTime: 2229
        Timing-Allow-Origin: *
        EagleId: a3b5398717241355020741139e
      • flag-us
        DNS
        crl.microsoft.com
        Remote address:
        8.8.8.8:53
        Request
        crl.microsoft.com
        IN A
        Response
        crl.microsoft.com
        IN CNAME
        crl.www.ms.akadns.net
        crl.www.ms.akadns.net
        IN CNAME
        a1363.dscg.akamai.net
        a1363.dscg.akamai.net
        IN A
        2.18.190.80
        a1363.dscg.akamai.net
        IN A
        2.18.190.71
      • flag-gb
        GET
        http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
        Remote address:
        2.18.190.80:80
        Request
        GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
        User-Agent: Microsoft-CryptoAPI/6.1
        Host: crl.microsoft.com
        Response
        HTTP/1.1 200 OK
        Content-Length: 1036
        Content-Type: application/octet-stream
        Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
        Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
        ETag: 0x8DCA14B323B2CC0
        Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
        x-ms-request-id: ff7d3404-301e-006c-4d37-d3bc7d000000
        x-ms-version: 2009-09-19
        x-ms-lease-status: unlocked
        x-ms-blob-type: BlockBlob
        Date: Tue, 20 Aug 2024 06:32:12 GMT
        Connection: keep-alive
      • 43.132.64.188:443
        https://pic4.zhimg.com/v2-d4d034644ef2cab3c65d64edc8d2d3e4_1440w.jpg?source=172ae18b
        tls, http
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        1.6kB
        49.9kB
        21
        51

        HTTP Request

        GET https://pic4.zhimg.com/v2-d4d034644ef2cab3c65d64edc8d2d3e4_1440w.jpg?source=172ae18b

        HTTP Response

        200
      • 163.181.57.234:80
        http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSmVYFXwi%2FRq9wx3PKhB8lC%2FFYUyAQUkZ9eMRWuEJ%2BtYMH3wcyqSDQvDCYCEAo9CdsGIXUOiUSzi9a8cJM%3D
        http
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        734 B
        2.1kB
        6
        5

        HTTP Request

        GET http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoEcNCWvIoSyJCm34Ju7Es%3D

        HTTP Response

        200

        HTTP Request

        GET http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSmVYFXwi%2FRq9wx3PKhB8lC%2FFYUyAQUkZ9eMRWuEJ%2BtYMH3wcyqSDQvDCYCEAo9CdsGIXUOiUSzi9a8cJM%3D

        HTTP Response

        200
      • 2.18.190.80:80
        http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
        http
        399 B
        1.7kB
        4
        4

        HTTP Request

        GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

        HTTP Response

        200
      • 8.8.8.8:53
        pic4.zhimg.com
        dns
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        60 B
        178 B
        1
        1

        DNS Request

        pic4.zhimg.com

        DNS Response

        43.132.64.188
        43.132.64.190

      • 8.8.8.8:53
        ocsp.dcocsp.cn
        dns
        914c9655900b5fe48a51e6814c32a72dad0eb315b9422d22412c0349d918009e.exe
        60 B
        231 B
        1
        1

        DNS Request

        ocsp.dcocsp.cn

        DNS Response

        163.181.57.234
        163.181.57.232
        163.181.57.231
        163.181.57.233
        163.181.57.238
        163.181.57.237
        163.181.57.236
        163.181.57.235

      • 8.8.8.8:53
        crl.microsoft.com
        dns
        63 B
        162 B
        1
        1

        DNS Request

        crl.microsoft.com

        DNS Response

        2.18.190.80
        2.18.190.71

      MITRE ATT&CK Enterprise v15

      Downloads

      • \Users\Admin\AppData\Local\Temp\ExtraDll.dll

        Filesize

        97KB

        MD5

        c35425ad1f0c32225d307310deccc335

        SHA1

        b2e347b244e40ffa113dffaffd1895777e3ac30a

        SHA256

        48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7

        SHA512

        47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae
