Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

!Saẗup☑/Setup.exe

windows7-x64

5

!Saẗup☑/Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    !Saẗup☑/Setup.exe

  • Size

    8.7MB

  • MD5

    480f8cf600f5509595b8418c6534caf2

  • SHA1

    dc13258ebb83bdf956523d751f67e29d6e4cf77e

  • SHA256

    6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2

  • SHA512

    f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf

  • SSDEEP

    196608:Ywdj1UbkCchr3rlFE8GCWhKUzGZ3gRTFHnBz58//o:Yw91Ubkxhr3rlFHWhKUzGZ3gRTFhzi/o

Score
5/10
discovery

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\!Saẗup☑\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\!Saẗup☑\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Roaming\SHTU\SYVLIBPCMPDZTRSUZV\StrCmp.exe
      C:\Users\Admin\AppData\Roaming\SHTU\SYVLIBPCMPDZTRSUZV\StrCmp.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2912
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Users\Admin\AppData\Local\Temp\FiftiethOmit.a3x
        C:\Users\Admin\AppData\Local\Temp\FiftiethOmit.a3x
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 120
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a3f72fab
    Filesize

    2.1MB

    MD5

    85b924657a68d0dab8f13f0189f2666e

    SHA1

    42983b2e4eceabf88012771c9cf6ef910d810667

    SHA256

    55cac3591371429f22395cf1a429f01030beae4d77d97a1c951ecd763fc815b8

    SHA512

    5fb5b82ed0d970e84ef5b58894b07869a20c58954a2c0ceb486d20959d66637535bd3e18dc3d8391463ffb9fc2dd89b63c58504b35d505c3374e489b82fe5f62

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SHTU\SYVLIBPCMPDZTRSUZV\StrCmp.exe
    Filesize

    47KB

    MD5

    916d7425a559aaa77f640710a65f9182

    SHA1

    23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

    SHA256

    118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

    SHA512

    d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\FiftiethOmit.a3x
    Filesize

    921KB

    MD5

    3f58a517f1f4796225137e7659ad2adb

    SHA1

    e264ba0e9987b0ad0812e5dd4dd3075531cfe269

    SHA256

    1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

    SHA512

    acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

    Download Submit

  • memory/2128-21-0x0000000000040000-0x0000000000916000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2128-2-0x0000000076E80000-0x0000000077029000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2128-18-0x0000000072670000-0x00000000727E4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2128-0-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2128-7-0x0000000072670000-0x00000000727E4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2128-1-0x0000000072670000-0x00000000727E4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2720-23-0x0000000076E80000-0x0000000077029000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2720-25-0x0000000072670000-0x00000000727E4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2876-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2876-30-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2876-33-0x00000000000F0000-0x000000000016F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2876-39-0x00000000000F0000-0x000000000016F000-memory.dmp

    Filesize

    508KB

    Download