Analysis
max time kernel: 140s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 18:05
The signatures, process tree and dropped files below come from this Windows 10 run (behavioral2); the Windows 7 runs and the .url tasks are listed but not reported on this page.
Static task: static1
Behavioral tasks:
  behavioral1: Setup_zx2010.exe on win7-20240903-en
  behavioral2: Setup_zx2010.exe on win10v2004-20240802-en
  behavioral3: 新云软件.url (Xinyun Software) on win7-20240903-en
  behavioral4: 新云软件.url (Xinyun Software) on win10v2004-20240802-en
General
Target: Setup_zx2010.exe
Size: 4.1MB
MD5: 383f2b97a532ef3a832e26ae3b892f13
SHA1: bc4c1259502d1e00a94a47c657376d4786035ff9
SHA256: c0db9820f687dc05eb44e5a0a3d2567a04bff3c7b926153c901e1c96d9b4fadf
SHA512: c8387712d9f1699ee4a54687c7ae1f745025b31407cc7a75e7ca0dc3ca738a22274d42b5e88ed302552ae76038e3c4ba87aa2073043edf1dcbcfc1b5907c40ea
SSDEEP: 98304:1Z95cWADVE1DreFzdSXJ4HG6H5MU/BeJ2eM:1+WAZENmSXiGSVBAbM
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 4756  irsetup.exe
YARA rule match: upx (UPX-packed file and memory regions)
  behavioral2/files/0x000300000001e57c-2.dat
  behavioral2/memory/4756-4-0x0000000000400000-0x0000000000527000-memory.dmp
  behavioral2/memory/4756-20-0x0000000000400000-0x0000000000527000-memory.dmp
Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\¿ªÀ´×ÊѶÖÕ¶Ë Setup Log.txt  (irsetup.exe)
  The name is GBK text displayed as Windows-1252 on the en-US sandbox; re-decoded it reads 开来资讯终端 Setup Log.txt. Both spellings are valid IoCs: the first is what an en-US host writes to disk, the second is what a zh-CN host would write.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Setup_zx2010.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (irsetup.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4756  irsetup.exe
  PID 4756  irsetup.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1848 (Setup_zx2010.exe) wrote to memory of PID 4756 (irsetup.exe), procid_target 83  (recorded three times)
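The upx match above fires on both the dropped irsetup.exe and its memory dumps. The script below is an added example, not Triage's rule and not code from this page: it builds a minimal PE32 image in memory (constructed test input; the build_pe helper and its section layout are assumptions made for the demonstration) and applies the two checks such rules usually rely on, section names beginning with UPX and the "UPX!" packer-info marker that UPX places after the section table.

```python
import struct

# Standard PE/COFF layout constants (PE format specification).
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def build_pe(section_names, add_upx_marker=False):
    """Construct a minimal PE32 image for testing (constructed input, not a real binary).

    Only the fields the parser reads are meaningful; everything else is zero.
    """
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows the DOS stub
    size_opt = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH",
                       0x14C,                         # Machine: IMAGE_FILE_MACHINE_I386
                       len(section_names),            # NumberOfSections
                       0, 0, 0,                       # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       size_opt,                      # SizeOfOptionalHeader
                       0x102)                         # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    table = b""
    for i, name in enumerate(section_names):
        raw_name = name.encode("ascii")[:8].ljust(8, b"\0")
        table += raw_name + struct.pack("<IIIIIIHHI",
                                        0x1000,              # VirtualSize
                                        0x1000 * (i + 1),    # VirtualAddress
                                        0x200,               # SizeOfRawData
                                        0x400 * (i + 1),     # PointerToRawData
                                        0, 0, 0, 0,          # relocations / line numbers
                                        0x60000020)          # CODE | EXECUTE | READ
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    if add_upx_marker:
        # UPX writes its packer-info block, which starts with "UPX!", right after the section table.
        image += b"UPX!" + bytes(28)
    return image


def pe_section_names(data):
    """Return the section names of a PE image, validating the MZ and PE signatures on the way."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff_off + 2)    # NumberOfSections
    (size_opt,) = struct.unpack_from("<H", data, coff_off + 16)    # SizeOfOptionalHeader
    table_off = coff_off + COFF_HEADER_SIZE + size_opt
    names = []
    for i in range(nsections):
        off = table_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Apply the common UPX heuristics and report which of them fired."""
    names = pe_section_names(data)
    return {
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "upx_marker": b"UPX!" in data[:0x1000],
    }


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"], add_upx_marker=True)
    plain = build_pe([".text", ".rdata", ".data", ".rsrc"])
    print("packed:", upx_indicators(packed))
    print("plain: ", upx_indicators(plain))
```

Section names are trivially renamed, so a hit is a packing indicator, not a verdict; UPX on an installer runtime is common and says nothing by itself about the payload. The in-memory section table keeps the same names, which is why the two process memory dumps in the report match alongside the file on disk.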
Processes
C:\Users\Admin\AppData\Local\Temp\Setup_zx2010.exe  "C:\Users\Admin\AppData\Local\Temp\Setup_zx2010.exe"  (depth 1, PID 1848)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe  __IRAOFF:516620 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Setup_zx2010.exe"  (depth 2, PID 4756)
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
irsetup.exe is the Indigo Rose Setup Factory runtime: the outer installer extracts it into _ir_sf7_temp_<n> and passes the archive offset (__IRAOFF) and the path of the original installer (__IRAFN) so the child reads its payload back out of the parent file. The WriteProcessMemory and SetWindowsHookEx hits are consistent with a GUI installer runtime being started by its stub; judge the sample by what it drops and downloads rather than by those two signatures alone.
-
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; names are not shown on this page)
File 1
  Filesize: 156KB
  MD5: 1da314d205557209e3730960230917e4
  SHA1: a3b37556db8cf3696a213c3d283ccaa62f2c1e97
  SHA256: d0ebce541c397cd5e98223e3e6e02f8ba788e24cf9d16b2fa3571e7965c51cca
  SHA512: df3b4a27732d6a89f29a47b4bc00bba0307c66113eb3ea1d09ab8b715c468518071a6f00030cf1eb708d9452e229f222752abfadfba74d843bf68af83fde279c
File 2
  Filesize: 440KB
  MD5: 75ca7ff96bf5a316c3af2de6a412bd54
  SHA1: 0a093950790ff0dddff6f5f29c6b02c10997e0c5
  SHA256: d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
  SHA512: b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4
File 3
  Filesize: 18KB
  MD5: 3a80be8d848c67b23a6600e5131933f2
  SHA1: f65bea734a4e2539af11989f8f8fa8a452a99f3e
  SHA256: 5f93120ad2532c01c1d03803665cf70a7a9286c6e17e0f93f91e222d75809473
  SHA512: d057398721305c83a30664e8fab25eb8d6740c5ff17e9b1bb3935bfb6d4eb0754d3e402a4a75269a84e925c2ece21d559a8f4d6a398e9edc1158f1181bd5e8c6