Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 07:38

General

  • Target

    bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe

  • Size

    3.0MB

  • MD5

    1a8a99c90906c349060944e027fd1550

  • SHA1

    7edb6c08d439c0e581d7a387a2095300061c293a

  • SHA256

    bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913b

  • SHA512

    846dc680a3d1c7487c3bc69ad07256377e2105b5de876997e0a59b64131324dcbc94a605c99a8bb89434e74c95dedff78bea7be116d41da1eb620bb1a7220497

  • SSDEEP

    49152:9gCh1LGumhuW+5S0z0pEhd/l0mWKp719Qq3yobleQD80gboI5/4X0W0z0pEhd/lc:+CPSpED/ppLh3ScE4X0ypED/pg

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 15 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 10 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
    "C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\jiedian.exe
      "C:\Users\Admin\AppData\Local\Temp\jiedian.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\jiedian.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-1506706701-1246725540-2219210854-1000"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Program Files (x86)\DragonBox\DragonBox.exe
          "C:\Program Files (x86)\DragonBox\DragonBox.exe" -autorun
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2260
  • C:\ProgramData\Megic\lasse.exe
    C:\ProgramData\Megic\lasse.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll

    Filesize

    1.3MB

    MD5

    73edb6d203e0230b2ab4e4da57dd6bee

    SHA1

    4a71903b57abd639425394340d1a6067da760f0a

    SHA256

    a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544

    SHA512

    2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

  • C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

    Filesize

    4KB

    MD5

    b7836905546abd3f25e52cae93691c19

    SHA1

    7df88974881793978ed81e4104ca24515f957739

    SHA256

    8b4c18bd9884942b756571b0e47677f9ea2644f3ca7b8e5bcc051c35412834bb

    SHA512

    d4e63bb9d0f539e44284158bb129e32d58179590273e0b9bcdcf01992cd3f25f091ac3f5c9dd07c4b504469e5b776d3472f19c5e0bffe9dfc0ccc4602f5f9d01

  • C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

    Filesize

    5KB

    MD5

    d45f87cc877e16f61e49420a8f7493df

    SHA1

    3d832e1d52599a274ca3f7ad4b6a0ed9c629799d

    SHA256

    dabf7b0cc9a09741d0571946f4279aae694bce8b7d8e4c8043969f229733bafe

    SHA512

    5d93c61f379818e8d374790d406e80bb8c6ee3c0ff4e03ef1d3addb01c046a06e72bddb13ec989361808c0f491ad555d9aaa1e20fce733bf7a2416e17d609ece

  • C:\Program Files (x86)\DragonBox\gametypebak.json

    Filesize

    21KB

    MD5

    242aec89243b0957523287ae5d18b9b8

    SHA1

    9d54d2b8bf3d52d927fd89b172621d496b5f83e6

    SHA256

    e9b77b8fb317ac44289644e195f8510061ed6c724458a8203e13d33d4882b249

    SHA512

    a32cc60ee1c0c1e3ce8b4133bf314ab7be7ee3ca56ee37c51d7c562d35cf80bb1ebe4f74d6dc3656fbe36a0b2020e6c72cc7be6cd6e618a51c7fa55e38b7da68

  • C:\Program Files (x86)\DragonBox\setting.ini

    Filesize

    77B

    MD5

    042bc14b5ec4a59244ac348812dc2e8a

    SHA1

    7adb7489f0971dfedf5fd7928bde722245c1f3f9

    SHA256

    20519e50b789d627420ea36122c1759b5c12d47714b6af9e672221aeec424648

    SHA512

    4bf01a575480257873900a2d251aed31d7b2cd1344eed9accd73c3984cc0929369ca27192bb27592fa07369523e707667ebb0c9a2cf9a41bd686a56038524099

  • C:\Program Files (x86)\DragonBox\setting.ini

    Filesize

    77B

    MD5

    0c8197485fc42ac984d0984cb90e641c

    SHA1

    e3c7f68aa23561c89b2156e1e5efd07f04e0cd22

    SHA256

    3d1ec5d5c3728a7424f112664bdedbe640c864372c65f6f595e0766653c7913d

    SHA512

    15fceab8ba983dbceb6d7202cbd35b7b7464d35a8dec65f3f70c13fc7119a4cb42ddaa813a5737f7e4f903f87b8f0a562451169d0c8ee9836f62aac11dca2dc5

  • C:\Program Files (x86)\DragonBox\version.ini

    Filesize

    53B

    MD5

    1b38736d6e54c9b3b78807bbca68f348

    SHA1

    0cc44962449b1f54e1d2f606584ce513dc088cf6

    SHA256

    013612c2be8a8d41bee8b17db9aa51291f52f5dcd405ceb0b15f37eb5c16b774

    SHA512

    32830fb79214bf523088f6cb29ff2652dc48920297b0ca216ab2ac9ba7ae2826ce6c70ac495202f6985f9a6acab22b7078f48739e22a6c7deeb3a47115326b6b

  • C:\ProgramData\Megic\lasse.exe

    Filesize

    248KB

    MD5

    ecf79310b8a51b2a472689619d42a42c

    SHA1

    36e328fccda8f2f3d926e472d968072a9c732c0f

    SHA256

    6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396

    SHA512

    321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\DragonBox.exe

    Filesize

    1.5MB

    MD5

    cbb2db2566dde5e2b9c6a636471ffa23

    SHA1

    38704738c646a9afa729cefd31ca0c8f28a9f54c

    SHA256

    4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e

    SHA512

    572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

    Filesize

    566KB

    MD5

    3fe7c92dba5c9240b4ab0d6a87e6166a

    SHA1

    7980d7dffc073515b621834246dda33ab00c308d

    SHA256

    a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

    SHA512

    bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

  • \Users\Admin\AppData\Local\Temp\jiedian.exe

    Filesize

    2.9MB

    MD5

    1641766934172d4ef320103147ba77f3

    SHA1

    8562b7fb3cad46e555bcfacfc14ad2924971955e

    SHA256

    dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c

    SHA512

    ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd

  • memory/2116-123-0x0000000001F30000-0x0000000001F40000-memory.dmp

    Filesize

    64KB

  • memory/2116-24-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

  • memory/2116-149-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

  • memory/2756-22-0x0000000002C90000-0x0000000002E11000-memory.dmp

    Filesize

    1.5MB

  • memory/2756-12-0x0000000002C90000-0x0000000002E11000-memory.dmp

    Filesize

    1.5MB