Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22/08/2024, 16:35
General
-
Target
ming-dan-pdf.exe
-
Size
22.6MB
-
MD5
d48ab037ac67690dfec97eb0cee58cef
-
SHA1
ee2cac4a3ed743469f344657a2ce03263278e843
-
SHA256
f86bb58f1fe31ba13544d0919beab5e3029e8044df85c72c37cbe2fbede5bf2b
-
SHA512
1b53563081a14587cd28e184a5fd02730e78757e605176b5581154a514cda3644e48ecc931a3c2a93ebee68340d845167120fe75254aeb4d91fde5590973647a
-
SSDEEP
196608:5c1aN0ECig1IFnEplmOXKh8mY8J4V+mPKSJAMr3jv4xHlZoA/iMYvWB:0OhCcFkjXLWiV+mSSCMToHluZW
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ming-dan-pdf.exe"C:\Users\Admin\AppData\Local\Temp\ming-dan-pdf.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\t0mcat.exe"C:\Users\Admin\Documents\t0mcat.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
82KB
MD54abe0fa567bc7414f0232bcc1370a36d
SHA15023cb8446abb125796fa74493e45d72428537b7
SHA25615e4c9a052f696da40749b17912f4c63647919815949e9227c51325c7017d823
SHA512dd29a6db81fe7d085028b3987645fc42e466baa3388f4b798efddf760a471b592c71857c0526ac3194bd5e1390e954c2230237d93027ab76acc676d7b792fff4
-
Filesize
27KB
MD5849e9f3e59daf750db838e885d58c6fa
SHA1733cb105153e4b83160a52bfa2ddd95d750fb806
SHA256f94949a6c121a525f661dd8abd917eb37a5cf582c89e3a258170a15d30cc0cc2
SHA5123feff6db5fc5ae371a4ec60ce13a383668a5accac537a0ae56b9b5b7318a2d5bdb4b79286a519cad3610cb6d1f335a11c09a4d3165c147a00d5a7880ea23e173
-
Filesize
118B
MD5bcf8561732b58b58c7bd2f96d9b5e1a7
SHA14b39115407716c50bca553c8e5855e4d7508f897
SHA256cd49c42e787c4dafc2ae0d648e40205ccbbd406da6ed4c9fd41ea67a4ba35663
SHA512b4588b9f5ed04ae78b8cd0646f069db3a5f0c0a653c7d84e701ad5215ed93876171ca81dbb6284bd1b43bb4ef927e200b32d3273be64504e9dc3e385c778462b
-
Filesize
2.0MB
MD5887dbb770f9a3cd5376aa211a30789e4
SHA1f148997262530c6c85467a30f76ddc90a6ca4c9e
SHA25640f5a4d30fa4ee0738e74de5e93980815d5eceb2a3fea3a836e3df8785606465
SHA512b8975608f312ee5983f5ef209ef08829618b86e952d3a2beaad405c9117762881493743c851cea63531292416b550aaa383b9b22bb4052f81bd68641e3a2ff00
-
Filesize
1.0MB
-
Filesize
396KB
-
Filesize
80KB
-
Filesize
156KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
96KB
-
Filesize
2.3MB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
80KB
-
Filesize
2.3MB