Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

残霞造�....4.exe

windows7-x64

7

残霞造�....4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 05:38 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    残霞造梦西游3辅助9.4.exe

  • Size

    939KB

  • MD5

    677c9f89046f95964669f47b875a038f

  • SHA1

    db5da1cbd876b3cd3f1dddd064bc89a5ec252e6a

  • SHA256

    0603edfb92c0e6efe799df209a4b6604f661c9bbb54ea52bfed1cc09553bd5f4

  • SHA512

    4f3052af244e9eaa02f56023cc83ade49e02e90a96140b1b4b4878d9cefd701c56c0ad7fe588c28677423a23f6bd326612c6863461916d47515a5eac7eb5c0ae

  • SSDEEP

    24576:aC/I0j9YnrGPqNfHKmVSKN9CWX6M8Dr/j1M2H2c/t2:a6zjw6PGfHljqM836It2

Score
7/10
discoveryupx

Malware Config

Signatures

  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\残霞造梦西游3辅助9.4.exe
    "C:\Users\Admin\AppData\Local\Temp\残霞造梦西游3辅助9.4.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:1732

Network

  • flag-us
    DNS
    bbyz-10050107.cos.myqcloud.com
    残霞造梦西游3辅助9.4.exe
    Remote address:
    8.8.8.8:53
    Request
    bbyz-10050107.cos.myqcloud.com
    IN A
    Response
    bbyz-10050107.cos.myqcloud.com
    IN A
    81.69.54.122
    bbyz-10050107.cos.myqcloud.com
    IN A
    81.69.54.64
    bbyz-10050107.cos.myqcloud.com
    IN A
    81.69.54.171
    bbyz-10050107.cos.myqcloud.com
    IN A
    81.69.54.68
  • flag-us
    DNS
    pan.baidu.com
    残霞造梦西游3辅助9.4.exe
    Remote address:
    8.8.8.8:53
    Request
    pan.baidu.com
    IN A
    Response
    pan.baidu.com
    IN CNAME
    yiyun.n.shifen.com
    yiyun.n.shifen.com
    IN A
    36.110.192.103
    yiyun.n.shifen.com
    IN A
    124.237.208.37
  • flag-us
    DNS
    count.2881.com
    残霞造梦西游3辅助9.4.exe
    Remote address:
    8.8.8.8:53
    Request
    count.2881.com
    IN A
    Response
  • flag-cn
    GET
    http://bbyz-10050107.cos.myqcloud.com/yxzs.txt
    残霞造梦西游3辅助9.4.exe
    Remote address:
    81.69.54.122:80
    Request
    GET /yxzs.txt HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Accept: */*
    Host: bbyz-10050107.cos.myqcloud.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: TencentCOS
    x-cos-storage-class: STANDARD
    Content-Type: text/plain
    Content-Disposition: attachment; filename*="UTF-8''yxzs.txt"
    Content-Language: zh-CN
    ETag: 808f03d703d6b24738e0c12db952e5c3375a6978
    x-cos-object-type: normal
    Accept-Ranges: bytes
    Last-Modified: Sat, 29 Jul 2017 02:45:01 GMT
    Content-Length: 147
  • flag-cn
    GET
    http://pan.baidu.com/s/1qWPqOlY
    残霞造梦西游3辅助9.4.exe
    Remote address:
    36.110.192.103:80
    Request
    GET /s/1qWPqOlY HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Accept: */*
    Host: pan.baidu.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Type: text/html; charset=utf-8
    Date: Sun, 25 Aug 2024 05:38:15 GMT
    Flow-Level: 3
    Logid: 8968642583099328581
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    Server: nginx
    Set-Cookie: PANPSC=; expires=Fri, 01-Apr-1900 00:00:00 GMT; path=/; domain=pan.baidu.com; HttpOnly;
    Set-Cookie: csrfToken=juMVOBG5SAuj5LQoixUwpHRY; path=/
    Set-Cookie: BAIDUID=FB5FE0BBD391BAD4735B85A42A85888E:FG=1; expires=Mon, 25-Aug-25 05:38:15 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    X-Conteneur-Nom: wrJJGgAfwpIFFhXCusOVwp7Dtw4qwo5aR3rDuMO4w6XDjihKw6jCsMO3wrDCu3zDhznDlxs5G8O3NFXCtVpjaMKfJsKkwrs=
    X-Content-Type-Options: nosniff
    X-Download-Options: noopen
    X-Flow-Level: 3
    X-Powered-By: BaiduCloud
    X-Readtime: 135
    X-Request-Id: 8968642583099328581
    X-Xss-Protection: 1; mode=block
    Yld: 8968642583099328581
    Yme: ZIGW+io2QEQTdTYEUmr/tGZLovgaVAPxrQpNwyOGmQ==
    Transfer-Encoding: chunked
  • flag-us
    DNS
    asdasdas-10050107.file.myqcloud.com
    残霞造梦西游3辅助9.4.exe
    Remote address:
    8.8.8.8:53
    Request
    asdasdas-10050107.file.myqcloud.com
    IN A
    Response
    asdasdas-10050107.file.myqcloud.com
    IN CNAME
    asdasdas-10050107.file.myqcloud.com.cdn.dnsv1.com
    asdasdas-10050107.file.myqcloud.com.cdn.dnsv1.com
    IN CNAME
    36d623bb.tweb.sched.ovscdns.com
    36d623bb.tweb.sched.ovscdns.com
    IN A
    101.33.11.110
    36d623bb.tweb.sched.ovscdns.com
    IN A
    101.33.11.29
  • flag-us
    DNS
    asdasdas-10050107.file.myqcloud.com
    残霞造梦西游3辅助9.4.exe
    Remote address:
    8.8.8.8:53
    Request
    asdasdas-10050107.file.myqcloud.com
    IN A
  • flag-us
    DNS
    dh-cfg.liuxue789.cn
    残霞造梦西游3辅助9.4.exe
    Remote address:
    8.8.8.8:53
    Request
    dh-cfg.liuxue789.cn
    IN A
    Response
  • flag-us
    DNS
    www.kelepan.com
    残霞造梦西游3辅助9.4.exe
    Remote address:
    8.8.8.8:53
    Request
    www.kelepan.com
    IN A
    Response
    www.kelepan.com
    IN A
    168.206.143.226
  • flag-hk
    GET
    http://www.kelepan.com/space_fenghuo_8061.html
    残霞造梦西游3辅助9.4.exe
    Remote address:
    168.206.143.226:80
    Request
    GET /space_fenghuo_8061.html HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Accept: */*
    Host: www.kelepan.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Sun, 25 Aug 2024 05:38:17 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: http://www.kelepan.com
  • flag-hk
    GET
    http://www.kelepan.com/
    残霞造梦西游3辅助9.4.exe
    Remote address:
    168.206.143.226:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Accept: */*
    Host: www.kelepan.com
    Cache-Control: no-cache
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 25 Aug 2024 05:38:17 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • flag-hk
    GET
    http://www.kelepan.com/space_mieshi_5865.html
    残霞造梦西游3辅助9.4.exe
    Remote address:
    168.206.143.226:80
    Request
    GET /space_mieshi_5865.html HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Accept: */*
    Host: www.kelepan.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Sun, 25 Aug 2024 05:38:17 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: http://www.kelepan.com
  • flag-hk
    GET
    http://www.kelepan.com/
    残霞造梦西游3辅助9.4.exe
    Remote address:
    168.206.143.226:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Accept: */*
    Host: www.kelepan.com
    Cache-Control: no-cache
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 25 Aug 2024 05:38:17 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
  • flag-de
    GET
    http://asdasdas-10050107.file.myqcloud.com/%E6%AE%8B%E9%9C%9E%E6%B8%B8%E6%88%8F%E5%8A%A9%E6%89%8BV3.7.exe
    残霞造梦西游3辅助9.4.exe
    Remote address:
    101.33.11.110:80
    Request
    GET /%E6%AE%8B%E9%9C%9E%E6%B8%B8%E6%88%8F%E5%8A%A9%E6%89%8BV3.7.exe HTTP/1.1
    Host: asdasdas-10050107.file.myqcloud.com
    Accept: */*
    Referer: http://asdasdas-10050107.file.myqcloud.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
    Pragma: no-cache
    Cache-Control: no-cache
    Connection: close
    Response
    HTTP/1.1 530
    Server: cloudflare
    Connection: close
    Date: Sun, 25 Aug 2024 05:38:16 GMT
    Cache-Control: private, must-revalidate, no-cache, no-store
    Last-Modified: Sun, 25 Aug 2024 05:30:00 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 16
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=77UhIcxAPm1VKSF5jyF%2FhcwUFN%2FEoNtMezNWo20fHFEZu5Cv3fDaBllwDsiuroL7SnfAS3RBXwofA3E0xUvKBrhG3SmzldncB%2FAO25Jf2TTWnY3j3%2B7scobJ8g%2FWVPWiL8Gxocbfxx160aX9HeGspdcuAy9zgg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    CF-RAY: 8b893c2b4e989244-FRA
    X-Daa-Tunnel: hop_count=1
    X-NWS-LOG-UUID: 14369512005683997795 b46a4f383e9dda5302340ac51696eb96
    X-Cache-Lookup: Hit From Upstream
  • 81.69.54.122:80
    http://bbyz-10050107.cos.myqcloud.com/yxzs.txt
    http
    残霞造梦西游3辅助9.4.exe
    396 B
     666 B
     5
    4

    HTTP Request

    GET http://bbyz-10050107.cos.myqcloud.com/yxzs.txt

    HTTP Response

    200
  • 36.110.192.103:80
    http://pan.baidu.com/s/1qWPqOlY
    http
    残霞造梦西游3辅助9.4.exe
    1.1kB
     22.7kB
     20
    23

    HTTP Request

    GET http://pan.baidu.com/s/1qWPqOlY

    HTTP Response

    200
  • 168.206.143.226:80
    http://www.kelepan.com/
    http
    残霞造梦西游3辅助9.4.exe
    903 B
     13.9kB
     12
    14

    HTTP Request

    GET http://www.kelepan.com/space_fenghuo_8061.html

    HTTP Response

    301

    HTTP Request

    GET http://www.kelepan.com/

    HTTP Response

    200
  • 168.206.143.226:80
    http://www.kelepan.com/
    http
    残霞造梦西游3辅助9.4.exe
    942 B
     13.9kB
     13
    14

    HTTP Request

    GET http://www.kelepan.com/space_mieshi_5865.html

    HTTP Response

    301

    HTTP Request

    GET http://www.kelepan.com/

    HTTP Response

    200
  • 101.33.11.110:80
    http://asdasdas-10050107.file.myqcloud.com/%E6%AE%8B%E9%9C%9E%E6%B8%B8%E6%88%8F%E5%8A%A9%E6%89%8BV3.7.exe
    http
    残霞造梦西游3辅助9.4.exe
    588 B
     1.1kB
     6
    6

    HTTP Request

    GET http://asdasdas-10050107.file.myqcloud.com/%E6%AE%8B%E9%9C%9E%E6%B8%B8%E6%88%8F%E5%8A%A9%E6%89%8BV3.7.exe

    HTTP Response

    530
  • 8.8.8.8:53
    bbyz-10050107.cos.myqcloud.com
    dns
    残霞造梦西游3辅助9.4.exe
    76 B
     140 B
     1
    1

    DNS Request

    bbyz-10050107.cos.myqcloud.com

    DNS Response

    81.69.54.122
    81.69.54.64
    81.69.54.171
    81.69.54.68

  • 8.8.8.8:53
    pan.baidu.com
    dns
    残霞造梦西游3辅助9.4.exe
    59 B
     120 B
     1
    1

    DNS Request

    pan.baidu.com

    DNS Response

    36.110.192.103
    124.237.208.37

  • 8.8.8.8:53
    count.2881.com
    dns
    残霞造梦西游3辅助9.4.exe
    60 B
     112 B
     1
    1

    DNS Request

    count.2881.com

  • 8.8.8.8:53
    asdasdas-10050107.file.myqcloud.com
    dns
    残霞造梦西游3辅助9.4.exe
    162 B
     215 B
     2
    1

    DNS Request

    asdasdas-10050107.file.myqcloud.com

    DNS Request

    asdasdas-10050107.file.myqcloud.com

    DNS Response

    101.33.11.110
    101.33.11.29

  • 8.8.8.8:53
    dh-cfg.liuxue789.cn
    dns
    残霞造梦西游3辅助9.4.exe
    65 B
     119 B
     1
    1

    DNS Request

    dh-cfg.liuxue789.cn

  • 8.8.8.8:53
    www.kelepan.com
    dns
    残霞造梦西游3辅助9.4.exe
    61 B
     77 B
     1
    1

    DNS Request

    www.kelepan.com

    DNS Response

    168.206.143.226

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1732-0-0x0000000000400000-0x000000000065F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1732-12-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-6-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-3-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-18-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-48-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-49-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-47-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-44-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-42-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-38-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-36-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-34-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-32-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-30-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-28-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-26-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-24-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-22-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-20-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-16-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-14-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-10-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-8-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-5-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-4-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1732-51-0x0000000000400000-0x000000000065F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1732-52-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.